[root@compute1 ~]# ntpdate -u 192.168.13.165
ntpdate[5310]: no server suitable for synchronization found

Disabling the firewall resolves it.

In a production environment, though, we should avoid doing this wherever possible: it leaves very little in place on the security side and makes things troublesome later. There may be more attacks, and security is .........

Anyway, enough of that. Next, let's troubleshoot the problem:

Check the ports:

netstat -nualp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.13.165:59886    114.114.114.114:53      ESTABLISHED 5254/chronyd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           5194/dhclient
udp        0      0 0.0.0.0:123             0.0.0.0:*                           5254/chronyd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           5254/chronyd
udp6       0      0 ::1:323                 :::*                                5254/chronyd

Add firewall rules:

firewall-cmd --add-port=323/tcp --add-port=323/udp --permanent
firewall-cmd --reload

Try again:

[root@compute1 ~]# ntpdate -u 192.168.13.165
ntpdate[5310]: no server suitable for synchronization found

The same problem still occurs. Why?
Looking again at the port listing above: why is 323 bound to 127.0.0.1? Strange....
Then I thought of firewall-cmd --list-all:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33 ens34 ens35
  sources:
  services: dhcpv6-client ssh
  ports: 323/tcp 323/udp 123/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I noticed there is also a services entry.

Could the secret be hidden here?

Let's try adding a firewall rule for the ntp service:

firewall-cmd --add-service=ntp --permanent
firewall-cmd --reload

Try again:

[root@compute1 ~]# ntpdate -u 192.168.13.165
17 Dec 11:22:20 ntpdate[5997]: adjust time server 192.168.13.165 offset 0.000035 sec

Problem solved.

That is the complete procedure.....
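
Added example, not part of the original post: a POSIX shell check that compares the ports: line of firewall-cmd --list-all with the netstat listeners and reports firewall openings that have no network-reachable socket behind them. On the outputs above it reports 323/tcp and 323/udp, because chronyd binds port 323 (its chronyc command port) to loopback only, while NTP itself is served on 123/udp. The sample input is a constructed, cleaned copy of the two outputs in the post, and the function name unneeded_ports is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). FW_LIST and NETSTAT are
# constructed, cleaned copies of the two outputs shown in the post.
FW_LIST='public (active)
  interfaces: ens33 ens34 ens35
  services: dhcpv6-client ssh
  ports: 323/tcp 323/udp 123/udp'

NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp  0 0 192.168.13.165:59886 114.114.114.114:53 ESTABLISHED 5254/chronyd
udp  0 0 0.0.0.0:68           0.0.0.0:*          5194/dhclient
udp  0 0 0.0.0.0:123          0.0.0.0:*          5254/chronyd
udp  0 0 127.0.0.1:323        0.0.0.0:*          5254/chronyd
udp6 0 0 ::1:323              :::*               5254/chronyd'

# unneeded_ports FIREWALL_TEXT NETSTAT_TEXT   (hypothetical helper name)
# Prints every port/proto on the firewalld "ports:" line that has no socket
# bound to a non-loopback address, i.e. a rule that exposes nothing useful.
unneeded_ports() (
  # Ports explicitly opened in the zone, one "port/proto" per line.
  opened=$(printf '%s\n' "$1" |
    awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }')

  # Sockets reachable from the network, also as "port/proto".
  reachable=$(printf '%s\n' "$2" | awk '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = $1; sub(/6$/, "", proto)
      addr = $4; port = $4
      sub(/.*:/, "", port)       # after the last colon: the port
      sub(/:[^:]*$/, "", addr)   # before the last colon: the bound address
      if (addr !~ /^127\./ && addr != "::1") print port "/" proto
    }')

  for p in $opened; do
    printf '%s\n' "$reachable" | grep -qxF "$p" || echo "$p"
  done
)

unneeded_ports "$FW_LIST" "$NETSTAT"   # prints 323/tcp and 323/udp
```

For a real check, feed it listener output that covers both TCP and UDP (the post's netstat -nualp lists UDP only), otherwise every TCP rule is reported. Rules it reports can be dropped with firewall-cmd --permanent --remove-port=PORT/PROTO followed by firewall-cmd --reload.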