[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Sun, 01 Aug 2010 03:00:59 -0700 

Hi,
I'm running several small LANs, mostly in public libraries, town halls and the likes in a series of villages and small towns in South France. The LANs are all 100% GNU/Linux, using CentOS 5 on both servers and desktops. 


Only recently have I given more thought about keeping time. Until now, 
each machine ran ntpd individually by connecting to one of the 
*.pool.ntp.org server. But I understand this is not the best solution 
(and bad practice also), so I want to implement things a bit more cleanly.



I've experimented a bit in my office's "sandbox network", and I can use 
NTP on the LAN without problems. The PC acting as NTP server for the LAN 
synchronizes OK with a series of machines from fr.pool.ntp.org, and the 
client machines synchronize OK with this local server.



Now I'd like to give security a thought, especially NTP's own 'restrict' 
statement. I did quite some RTFM, and I admit I'm a bit confused by 
that. What I'd like to do : reasonable secure each machine in the LAN, 
server and desktop, with a series of 'restrict' statements, but without 
going into security overkill.



If I understand correctly, things can be done in a manner similar to 
iptables.


1) First block off everything with 'restrict default ignore'.


2) Then allow localhost to use NTP in an unlimited way with 'restrict 
127.0.0.1'.


3) Then allow only what has to be allowed specifically.

Correct me if I'm wrong.


In my case, for example, I have a server (grossebertha) with the 
following ntp.conf:


--8<--------------------------
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
--8<--------------------------

And then, on each client, I have this:

--8<--------------------------
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server grossebertha
--8<--------------------------


What would reasonable 'restrict' statements look like on the server side 
as well as on the client side?


Cheers from the sunny South of France,

Niki Kovacs

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions






















					Reply via email to