[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

David Lord snews at lordynet.org
Sun Aug 1 10:53:03 UTC 2010


Niki Kovacs wrote:
> Hi,
> 
> I'm running several small LANs, mostly in public libraries, town halls 
> and the likes in a series of villages and small towns in South France. 
> The LANs are all 100% GNU/Linux, using CentOS 5 on both servers and 
> desktops.
> 
> Only recently have I given more thought about keeping time. Until now, 
> each machine ran ntpd individually by connecting to one of the 
> *.pool.ntp.org servers. But I understand this is not the best solution 
> (and bad practice also), so I want to implement things a bit more cleanly.
> 
> I've experimented a bit in my office's "sandbox network", and I can use 
> NTP on the LAN without problems. The PC acting as NTP server for the LAN 
> synchronizes OK with a series of machines from fr.pool.ntp.org, and the 
> client machines synchronize OK with this local server.
> 
> Now I'd like to give security a thought, especially NTP's own 'restrict' 
> statement. I did quite some RTFM, and I admit I'm a bit confused by 
> that. What I'd like to do: reasonably secure each machine in the LAN, 
> server and desktop, with a series of 'restrict' statements, but without 
> going into security overkill.

# servers previous to July 2010 had: restrict default noquery
# but now to reduce number of sites sending too frequent polls
# (note: kod only sends kiss-o'-death packets when 'limited' is also set)
restrict default kod nomodify notrap nopeer

# for local public lan segments
restrict a.b.c.d mask 255.255.255.0
restrict e.f.g.h mask 255.255.255.0

# for private lan segments
restrict s.t.u.v mask 255.255.255.0
restrict w.x.y.z mask 255.255.255.0

# for localhost
restrict 127.0.0.1
restrict -6 ::1 # only if ipv6 enabled

Servers have ntp traffic restricted by firewall rules and
in addition clients are behind NAT.

Client PCs (including laptops when used remotely) are pointed to
my own servers. I think some have the same restrict lines as the
servers and others may have the minimum:
restrict default noquery
restrict 127.0.0.1
restrict -6 ::1 # only if ipv6 enabled


David

> 
> If I understand correctly, things can be done in a manner similar to 
> iptables.
> 
> 1) First block off everything with 'restrict default ignore'.
> 
> 2) Then allow localhost to use NTP in an unlimited way with 'restrict 
> 127.0.0.1'.
> 
> 3) Then allow only what has to be allowed specifically.
> 
> Correct me if I'm wrong.
> 
> In my case, for example, I have a server (grossebertha) with the 
> following ntp.conf:
> 
> --8<--------------------------
> driftfile /var/lib/ntp/drift
> logfile /var/log/ntp.log
> 
> server 0.fr.pool.ntp.org
> server 1.fr.pool.ntp.org
> server 2.fr.pool.ntp.org
> server 3.fr.pool.ntp.org
> --8<--------------------------
> 
> And then, on each client, I have this:
> 
> --8<--------------------------
> driftfile /var/lib/ntp/drift
> logfile /var/log/ntp.log
> 
> server grossebertha
> --8<--------------------------
> 
> What would reasonable 'restrict' statements look like on the server side 
> as well as on the client side?
> 
> Cheers from the sunny South of France,
> 
> Niki Kovacs
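Two points from the thread are easy to get wrong and worth checking against the documented behaviour of ntpd's restrict list. First, the list is not scanned top to bottom like an iptables chain: ntpd sorts the entries by address and mask and applies the most specific matching entry, so 'restrict default ...' followed by 'restrict 127.0.0.1' works in either order. Second, 'ignore' drops every packet from the matching source, including the replies to your own 'server' lines, so a client with 'restrict default ignore' and nothing else will never synchronise; the flags nomodify, notrap, nopeer and noquery do not block time service, which is why 'restrict default kod nomodify notrap nopeer noquery' (with 'limited' if kod is meant to do anything) is the usual pattern. The script below is an added example, not part of this post and not ntpd's own code: it models that matching rule for the flags discussed here and runs it over a server and two client configurations. The ntp.conf texts, the LAN 192.0.2.0/24, grossebertha's address 192.0.2.10 and the outside host 198.51.100.7 are all constructed for illustration.

```python
"""Model of ntpd's 'restrict' matching (most specific entry wins, file order is
irrelevant) applied to constructed ntp.conf texts.  Added example, not ntpd code;
the addresses and configurations below are illustrative assumptions."""
import ipaddress

# Flag meanings per ntp.conf(5), limited to the ones discussed in the thread:
#   ignore   drop every packet, including time requests AND time replies
#   noserve  deny time service, still answer ntpq/ntpdc queries
#   noquery  deny ntpq/ntpdc queries (status, peer list, monitor data)
#   nomodify deny ntpq/ntpdc runtime configuration changes
#   nopeer   do not create a new association for an unsolicited packet
#   notrap   deny the mode 6 trap service
#   limited  rate-limit per the 'discard' command
#   kod      send a kiss-o'-death on a rate-limit violation (only acts with 'limited')
KNOWN_FLAGS = {"ignore", "noserve", "noquery", "nomodify", "nopeer", "notrap", "limited", "kod"}

SERVER_CONF = """\
# grossebertha (192.0.2.10, assumed): syncs to the pool, serves the LAN
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
# everyone else: time service only, rate limited; pool replies still get through
restrict default kod limited nomodify notrap nopeer noquery
# the LAN may also run ntpq status queries, but not change anything
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
# localhost: no restrictions
restrict 127.0.0.1
restrict -6 ::1
"""

# The 'block everything first' approach from the question, taken literally.
CLIENT_CONF_BROKEN = """\
server grossebertha   # 192.0.2.10 in this example
restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
"""

# Same client, denying everything except time service instead of 'ignore'.
CLIENT_CONF_FIXED = """\
server grossebertha   # 192.0.2.10 in this example
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_restrict_lines(conf_text):
    """Return [(network, flags)] for every 'restrict' line; 'default' covers both families."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        addr = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        flags = set(tokens)
        unknown = flags - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unsupported flag(s) {sorted(unknown)} in: {raw.strip()}")
        if addr == "default":
            nets = {"-4": ["0.0.0.0/0"], "-6": ["::/0"]}.get(family, ["0.0.0.0/0", "::/0"])
        else:
            nets = [addr] if mask is None else [(addr, mask)]   # host, or address + netmask
        for n in nets:
            entries.append((ipaddress.ip_network(n, strict=False), flags))
    return entries


def effective_flags(conf_text, source):
    """Flags ntpd applies to packets from 'source': the matching entry with the
    longest mask wins; no matching entry means no restrictions."""
    src = ipaddress.ip_address(source)
    best = None
    for net, flags in parse_restrict_lines(conf_text):
        if net.version == src.version and src in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return frozenset(best[1]) if best else frozenset()


def time_service_allowed(flags):
    """True if time packets (requests, and replies to our own 'server' lines) are accepted."""
    return not ({"ignore", "noserve"} & set(flags))


def queries_allowed(flags):
    """True if ntpq/ntpdc status queries from this source are answered."""
    return not ({"ignore", "noquery"} & set(flags))


def report(conf_text, sources):
    """Map each source address to (time_ok, query_ok, sorted flags)."""
    out = {}
    for s in sources:
        f = effective_flags(conf_text, s)
        out[s] = (time_service_allowed(f), queries_allowed(f), sorted(f))
    return out


if __name__ == "__main__":
    cases = [
        ("server", SERVER_CONF, ["127.0.0.1", "192.0.2.25", "198.51.100.7", "2001:db8::1"]),
        ("client, restrict default ignore", CLIENT_CONF_BROKEN, ["127.0.0.1", "192.0.2.10"]),
        ("client, fixed", CLIENT_CONF_FIXED, ["127.0.0.1", "192.0.2.10"]),
    ]
    for name, conf, sources in cases:
        print(name)
        for src, (t, q, f) in report(conf, sources).items():
            print(f"  {src:<16} time={('yes' if t else 'NO'):<3} query={('yes' if q else 'NO'):<3} {f}")
```

The broken client shows grossebertha's replies matching 'restrict default ignore', i.e. no synchronisation at all; the usual ways out are either the flag-only default shown in CLIENT_CONF_FIXED or keeping 'ignore' and adding an explicit 'restrict 192.0.2.10' (the server's address, not its hostname, is what the incoming packet is matched against). On the server side, note that the LAN entry without noquery lets every LAN host read ntpq status and peer data, which is what David's earlier 'restrict default noquery' withheld from the Internet; whether that is acceptable on a public library LAN is a local decision. The script only models the restrict list; the firewall rules and NAT David mentions sit in front of it.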