[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Niki Kovacs mickey at mouse.com
Sun Aug 1 09:43:40 UTC 2010


Hi,

I'm running several small LANs, mostly in public libraries, town halls 
and the likes in a series of villages and small towns in South France. 
The LANs are all 100% GNU/Linux, using CentOS 5 on both servers and 
desktops.

Only recently have I given more thought about keeping time. Until now, 
each machine ran ntpd individually by connecting to one of the 
*.pool.ntp.org server. But I understand this is not the best solution 
(and bad practice also), so I want to implement things a bit more cleanly.

I've experimented a bit in my office's "sandbox network", and I can use 
NTP on the LAN without problems. The PC acting as NTP server for the LAN 
synchronizes OK with a series of machines from fr.pool.ntp.org, and the 
client machines synchronize OK with this local server.

Now I'd like to give security a thought, especially NTP's own 'restrict' 
statement. I did quite some RTFM, and I admit I'm a bit confused by 
that. What I'd like to do : reasonable secure each machine in the LAN, 
server and desktop, with a series of 'restrict' statements, but without 
going into security overkill.

If I understand correctly, things can be done in a manner similar to 
iptables.

1) First block off everything with 'restrict default ignore'.

2) Then allow localhost to use NTP in an unlimited way with 'restrict 
127.0.0.1'.

3) Then allow only what has to be allowed specifically.

Correct me if I'm wrong.

In my case, for example, I have a server (grossebertha) with the 
following ntp.conf:

--8<--------------------------
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
--8<--------------------------

And then, on each client, I have this:

--8<--------------------------
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server grossebertha
--8<--------------------------

What would reasonable 'restrict' statements look like on the server side 
as well as on the client side?

Cheers from the sunny South of France,

Niki Kovacs




More information about the questions mailing list