Niki Kovacs wrote:
Hi,
I'm running several small LANs, mostly in public libraries, town halls
and the likes in a series of villages and small towns in South France.
The LANs are all 100% GNU/Linux, using CentOS 5 on both servers and
desktops.
Only recently have I given more thought about keeping time. Until now,
each machine ran ntpd individually by connecting to one of the
*.pool.ntp.org server. But I understand this is not the best solution
(and bad practice also), so I want to implement things a bit more cleanly.
I've experimented a bit in my office's "sandbox network", and I can use
NTP on the LAN without problems. The PC acting as NTP server for the LAN
synchronizes OK with a series of machines from fr.pool.ntp.org, and the
client machines synchronize OK with this local server.
Now I'd like to give security a thought, especially NTP's own 'restrict'
statement. I did quite some RTFM, and I admit I'm a bit confused by
that. What I'd like to do : reasonable secure each machine in the LAN,
server and desktop, with a series of 'restrict' statements, but without
going into security overkill.
# servers previous to July 2010 had: restrict default noquery
# but now to reduce number of sites sending too frequent polls
restrict default kod nomodify notrap nopeer
# for local public lan segments
restrict a.b.c.d mask 255.255.255.0
restrict e.f.g.h mask 255.255.255.0
# for private lan segments
restrict s.t.u.v mask 255.255.255.0
restrict w.x.y.z mask 255.255.255.0
# for localhost
restrict 127.0.0.1
restrict -6 ::1 # only if ipv6 enabled
Servers have ntp traffic restricted by firewall rules and
in addition clients are behind NAT.
Client pcs (including laptops when used remote) are pointed to
my own servers. I think some have same restrict lines as
servers and others may have minimum:
restrict default noquery
restrict 127.0.0.1
restrict -6 ::1 # only if ipv6 enabled
David
If I understand correctly, things can be done in a manner similar to
iptables.
1) First block off everything with 'restrict default ignore'.
2) Then allow localhost to use NTP in an unlimited way with 'restrict
127.0.0.1'.
3) Then allow only what has to be allowed specifically.
Correct me if I'm wrong.
In my case, for example, I have a server (grossebertha) with the
following ntp.conf:
--8<--------------------------
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
--8<--------------------------
And then, on each client, I have this:
--8<--------------------------
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
server grossebertha
--8<--------------------------
What would reasonable 'restrict' statements look like on the server side
as well as on the client side?
Cheers from the sunny South of France,
Niki Kovacs
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
