[CentOS] chronyd configuration as a local ntp server

Tue Dec 27 19:13:32 UTC 2016
David Both <dboth at millennium-technology.com>

Here are the commands for that. Apparently restrict is replaced with deny.

deny [<subnet>]             Deny access to subnet as a default
deny all [<subnet>]         Deny access to subnet and all children

On 12/27/2016 09:07 AM, Robert Moskowitz wrote:
> 'Modern' NTP allows for all sorts of updates to NTP servers, with all
> sorts of attacks.  So to prevent even local hosts from making changes
> to your NTP server, there is the restrict instead of allow command.
> Its intent is to limit what the server will accept from a host in the
> address range instead of allowing any command from within that range.
> I use this on my Centos6 servers.
> I guess I will have to register to the chronyd list and ask there.
> thanks
> On 12/27/2016 08:49 AM, David Both wrote:
>> AFAIK the only thing needed to make your host an NTP server using
>> chrony is to set the allow line to the network address in CIDR format
>> of the network you want to be served, and uncomment it. The restart
>> chronyd. You also need to ensure that port 123 (NTP) is open to your
>> internal network on your filrewall.
>> I have a CentOS 6 box that is an NTP server for my network. CentOS 7
>> works the same way.
>> On 12/27/2016 08:25 AM, Fred Smith wrote:
>>> On Mon, Dec 26, 2016 at 11:04:22PM -0500, Robert Moskowitz wrote:
>>>> This is for centos 7 that has chronyd 2.1.1
>>>> I am looking into how to use chronyd as my local ntp server.
>>>> On my old servers with ntpd I had local access control lines like:
>>>> restrict mask nomodify notrap
>>>> But in looking for documentation on chronyd I did not find anything
>>>> on this at:
>>>> https://chrony.tuxfamily.org/doc/2.1/manual.html
>>>> In the actual /etc/chronyd.conf there is the sample line:
>>>> # Allow NTP client access from local network.
>>>> #allow 192.168/16
>>>> Does this allow only allow queries?  Does chronyd support the
>>>> 'restrict' option?
>>> Robert:
>>> Years back I used to use Chrony for that  purpose (when I was running
>>> Smoothwall on an old PC instead of a commercial router, as I am now)
>>> and it did the job remarkably well.
>>> One of the designgoals of Chrony was to support networks or computers
>>> that are NOT connected full-time, so that time stayed somewhere near
>>> correct even if offline for hours or days.
>>> But that having been so long ago, now, I don't remember the details.
>>> I also don't remember what the "restrict" directive for ntpd does.
>>> (to give you an idea of how long ago that was it was when I had a
>>> Red Hat
>>> 7.2 or 7.3 workstation as my home PC--pre-RHEL. I could compile
>>> things on
>>> that RH box, tar up the necessary results and take that file to the
>>> smoothwall box and untar them and with small configuration: voila!)
>>> there used to be a chrony mailing list where one could ask such
>>> questions,
>>> but I haven't seen traffic on it in years, so it may no longer exist.
>>> Fred
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos


David P. Both
"I'd put my money on the sun and solar energy. What a
source of power! I hope we don't have to wait until oil
and coal run out before we tackle that."
  - Thomas Edison, in conversation with Henry Ford and
    Harvey Firestone, 1931


David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA

dboth at millennium-technology.com

www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
This communication may be unlawfully collected and stored by the National
Security Agency (NSA) in secret. The parties to this email do not 
consent to the
retrieving or storing of this communication and any related metadata, as 
well as
printing, copying, re-transmitting, disseminating, or otherwise using 
it. If you
believe you have received this communication in error, please delete it