#!/bin/bash

# update ntp.conf for extra security according to advice at
# http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
# Strictly speaking this is not needed, because NTP is already protected by our default firewall
# 24/02/2014 Andrew Checkov <andrew@thirdlane.co

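set -euo pipefail

readonly conf=/etc/ntp.conf
readonly backup=/etc/ntp.conf.bak

# Keep a copy of the current configuration (if any) before replacing it.
# Copy rather than move so the live file stays in place until the new one
# has been written completely; a failed write then leaves the host with its
# old, working ntp.conf instead of none at all.
if [[ -e "$conf" ]]; then
  cp -p -- "$conf" "$backup"
fi

# Build the new configuration in a temporary file next to the target and
# swap it in with a single rename, so ntpd never sees a half-written file.
tmp=$(mktemp "${conf}.XXXXXX")
cleanup() { rm -f -- "$tmp"; }
trap cleanup EXIT

# Quoted delimiter: the content is written literally, no $-expansion.
# The default 'restrict' lines deny remote modification, peering and
# control queries (ntpq/ntpdc); 'noquery' is the one that prevents this
# host from being used as a query/amplification reflector.
cat >"$tmp" <<'EOF'
# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap

# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1

# Sample to provide access to NTP from local network
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

driftfile /var/lib/ntp/drift
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 127.127.1.0   # local clock
fudge 127.127.1.0 stratum 10
EOF

# mktemp creates the file 0600; ntp.conf must be world-readable like the
# file the original 'cat >' would have produced under the default umask.
chmod 0644 -- "$tmp"
mv -f -- "$tmp" "$conf"

# Apply the new configuration; under set -e a failed restart aborts with
# the service's exit status instead of being silently ignored.
/etc/init.d/ntpd restart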
