[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Niki Kovacs mickey at mouse.com
Sun Aug 1 09:43:40 UTC 2010


I'm running several small LANs, mostly in public libraries, town halls
and the like in a series of villages and small towns in South France.
The LANs are all 100% GNU/Linux, using CentOS 5 on both servers and

Only recently have I given more thought to keeping time. Until now,
each machine ran ntpd individually by connecting to one of the
*.pool.ntp.org servers. But I understand this is not the best solution
(and bad practice also), so I want to implement things a bit more cleanly.

I've experimented a bit in my office's "sandbox network", and I can use 
NTP on the LAN without problems. The PC acting as NTP server for the LAN 
synchronizes OK with a series of machines from fr.pool.ntp.org, and the 
client machines synchronize OK with this local server.

Now I'd like to give security a thought, especially NTP's own 'restrict'
statement. I did quite some RTFM, and I admit I'm a bit confused by
that. What I'd like to do: reasonably secure each machine in the LAN,
server and desktop, with a series of 'restrict' statements, but without
going into security overkill.

If I understand correctly, things can be done in a manner similar to 

1) First block off everything with 'restrict default ignore'.

2) Then allow localhost to use NTP in an unlimited way with 'restrict'.

3) Then allow only what has to be allowed specifically.

Correct me if I'm wrong.

In my case, for example, I have a server (grossebertha) with the 
following ntp.conf:

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org

And then, on each client, I have this:

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server grossebertha

What would reasonable 'restrict' statements look like on the server side 
as well as on the client side?

Cheers from the sunny South of France,

Niki Kovacs
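The three-step policy in the post (deny by default, open localhost, then allow only what is needed) can be sanity-checked before it is deployed. The following is an added example, not code from the post, the list or the NTP project: it embeds two constructed ntp.conf fragments (the server 'grossebertha' and one LAN client, using the server/driftfile lines from the post; the 192.168.1.0/24 LAN, the address 192.168.1.1 for grossebertha and the outside address 203.0.113.7 are assumptions) and a small evaluator that mimics how ntpd selects a 'restrict' entry: the most specific matching entry wins and only its flags apply, they are not accumulated across entries. One caveat the example bakes in: ntpd applies 'restrict' to every incoming packet, including the replies from the pool servers, so a plain 'restrict default ignore' on the server side would also silence the upstream sources. The server fragment therefore uses the common 'default kod nomodify notrap nopeer noquery' form, which still accepts time replies but lets nobody outside the more specific entries reconfigure, peer with, or query the daemon, while the client fragment can use 'ignore' because its only source is one known address.

```python
"""Evaluate ntpd-style 'restrict' policies against sample source addresses.

Added example (not from the original post or the NTP project). The two
ntp.conf fragments below are constructed; the LAN and host addresses in
them are assumptions.
"""
import ipaddress

# Constructed server-side fragment for 'grossebertha'.
# 'default ignore' would also drop replies from the pool servers, so the
# catch-all entry denies modify/peer/query instead of dropping everything.
SERVER_CONF = """\
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org

# 1) deny everything by default, but still accept time replies
restrict default kod nomodify notrap nopeer noquery
# 2) localhost is unrestricted (ntpq/ntpdc administration from the box)
restrict 127.0.0.1
# 3) the LAN (assumed subnet) may ask for time and status, not reconfigure
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""

# Constructed client-side fragment: only localhost and the LAN server.
CLIENT_CONF = """\
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server grossebertha

restrict default ignore
restrict 127.0.0.1
# assumed address of grossebertha; its replies must be allowed in
restrict 192.168.1.1 nomodify notrap noquery
"""


def parse_restrict(conf):
    """Return (network, flags) tuples for every 'restrict' line.

    Handles the dotted-quad forms used above: 'default', 'addr' and
    'addr mask m'. Hostname restricts are not handled by this toy parser.
    """
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        if not tokens:
            continue
        if tokens[0] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        elif len(tokens) >= 3 and tokens[1] == "mask":
            net = ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}", strict=False)
            flags = tokens[3:]
        else:
            net, flags = ipaddress.ip_network(f"{tokens[0]}/32"), tokens[1:]
        entries.append((net, frozenset(flags)))
    return entries


def effective_flags(entries, source):
    """Flags ntpd applies to a packet from 'source': the most specific match wins."""
    addr = ipaddress.ip_address(source)
    best = max((e for e in entries if addr in e[0]),
               key=lambda e: e[0].prefixlen, default=None)
    return best[1] if best else frozenset()


def allows(flags, action):
    """Answer whether a flag set permits one of the three actions the post cares about."""
    if "ignore" in flags:          # packet is dropped outright
        return False
    return {
        "time": "noserve" not in flags,     # plain client time requests
        "query": "noquery" not in flags,    # ntpq/ntpdc status queries
        "modify": "nomodify" not in flags,  # runtime reconfiguration
    }[action]


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        entries = parse_restrict(conf)
        for host in ("127.0.0.1", "192.168.1.1", "192.168.1.42", "203.0.113.7"):
            f = effective_flags(entries, host)
            print(name, host, {a: allows(f, a) for a in ("time", "query", "modify")})
```

Running it shows the intended split: on the server, localhost can do everything, a LAN host can fetch time and run ntpq but not modify, and an outside address is answered with time only; on the client, only grossebertha's address gets through and even it cannot query or modify. Because ntpd picks a single entry rather than merging flags, a LAN entry that omits 'noquery' really does open ntpq to the LAN regardless of what 'default' says, which is worth keeping in mind when adding step-3 exceptions.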
