- 06-22-2007 #1 Just Joined! (Join Date: Jun 2007, Posts: 3)
Which Distro for hardened NTP server?
Hi Folks,
I'm looking for a Linux distro for a hardened NTP time server for my network. It will be running on a dedicated 1U box JUST for the NTP stuff so cycles are not a stress. However I have a few requirements:
- fast install, if it goes down it has to be back up again in less than an hour
- automatic security updates, like an emerge -u world type thing that I can cron
- secured. I only need SSH and NTP open and it must be hardened, preferably out of the box
I have no need of any other apps so the more minimal the better. It's headless so no X needed.
Gentoo seems to leap out of the list, but I don't have the time to build it so a binary install would be a better bet for us. I would go with Slackware but I would like a distro that is updated more often in the face of security alerts etc.
Any thoughts?
- 06-25-2007 #2 Just Joined! (Join Date: Jun 2007, Posts: 3)
Oh, additional information: I will be using both a GPS source and a Radio source as my primary datum in addition to the onboard clock. I assume that these types of devices are well supported in the kernel.
- 06-26-2007 #3
A few thoughts on this -- might help, might not.
A couple different possibilities come to mind:
Originally Posted by GordonCopestake
- Image the box with something like Ghost 4 Unix, and/or keep a cold spare around that can be brought online if the primary fails. and/or...
- Run an ntpd server within a FreeBSD jail, and keep a copy of the production jail. If the jailed environment becomes compromised somehow (or otherwise damaged/corrupted), simply wipe out the borked version and start up the copy. or...
- Run an ntpd server within a virtualized environment on any Linux distro that supports it well. (VMware? QEMU?) Same concept as with a FreeBSD jail. You have a copy that you can bring up very quickly if the prod version gets into trouble. or...
- After configuring things the way you'd like them, create a live CD (based on a Linux distro). This can obviously be deployed very quickly among machines with the same or very similar hardware.
Note: These are just options to consider. Every single one of these options will require a lot of research and practice to understand and implement. (Way beyond the scope of this thread.)
This should be possible with FreeBSD (freebsd-update for base system), RH/CentOS (yum), Debian (apt-get), etc.
Originally Posted by GordonCopestake
Personally, I never automate something like this. I test updates in a safe environment rather than just roll them out into production...
Some BSDs / GNU/Linux distros are better than others in this area. I'd say you are going to want to understand how to configure and harden sshd and ntpd on your own.
Originally Posted by GordonCopestake
I have zero familiarity with hardware that falls into those categories. You'll have a lot of research (google, hardware support mailing lists) to do to answer that point/question.
Originally Posted by GordonCopestake
Anyway, that's a start hopefully. Good luck.
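An added example, not written by any poster in this thread: one way to verify the "only SSH and NTP open" requirement from the first post on whichever distro is chosen, by checking listening sockets against an allowlist. It assumes the iproute2 `ss` tool and the default ports 22/tcp and 123/udp; the function names and the sample input are constructed for illustration.

```python
import ipaddress

# Assumption: the policy stated in the thread ("only SSH and NTP open"),
# with both services on their default ports.
ALLOWED = {("tcp", 22), ("udp", 123)}

# Constructed sample in the layout of `ss -H -tuln` (not from a real host).
SAMPLE_SS = """\
udp UNCONN 0 0   0.0.0.0:123        0.0.0.0:*
udp UNCONN 0 0   [fe80::1]%eth0:123 [::]:*
udp UNCONN 0 0   0.0.0.0:68         0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22         0.0.0.0:*
tcp LISTEN 0 128 [::]:22            [::]:*
tcp LISTEN 0 100 127.0.0.1:25       0.0.0.0:*
tcp LISTEN 0 5   *:111              *:*
"""


def is_loopback(addr):
    """True if the bind address is reachable only from the host itself."""
    addr = addr.split("%")[0].strip("[]")  # drop IPv6 scope id and brackets
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" wildcard or unparsable: treat as exposed


def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Return sorted (proto, address, port) tuples for listeners that are
    reachable from the network and not on the allowlist."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        if (proto, int(port)) in allowed or is_loopback(addr):
            continue
        findings.add((proto, addr, int(port)))
    return sorted(findings)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On a live host the input would be the output of `ss -H -tuln`. Listeners bound only to loopback are skipped because they are not reachable from the network.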
- 06-26-2007 #4 Just Joined! (Join Date: Jun 2007, Posts: 3)
Thanks for the tips, very much appreciated.


