Specify the servers you're interested in:

server  otherntp.server.org   # A stratum 1 server at server.org
server  ntp.research.gov      # A stratum 2 server at research.gov

Restrict the type of access you allow these servers. In this example, the servers are not allowed to modify the run-time configuration or query your Linux NTP server

restrict otherntp.server.org   mask 255.255.255.255 nomodify
notrap noquery
restrict ntp.research.gov      mask 255.255.255.255 nomodify
notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

If this server is also going to provide time for other computers, such as PCs, other Linux servers, and networking devices, then you'll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement with the noquery replaced with a notrust keyword. This allows the network to query your NTP server, but it won't be trusted to be a source of NTP synchronization data. The syntax is:

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

Make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords:

restrict 127.0.0.1

Save the file and restart NTP for the settings to take effect.