NTPD – How to Prevent Listening on 0.0.0.0:123

debianlinuxntpd

ntpd listens on numerous interfaces by default, I only want it to listen on 127.0.0.1:123 since I only want the localhost to sync the time.

How to do that, I tried by editing /etc/default/ntp on Debian Wheezy:

NTPD_OPTS='-4 -I 127.0.0.1'

But it still listens globally on 0.0.0.0:123

Any ideas?

Best Answer

Remove all -I or --interface options from /etc/default/ntp and insert the following into your /etc/ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
# NOTE: if you want to update your time using remote machines,
# add at least one remote interface address:
#interface listen 2001:db8::1
#interface listen 192.0.2.1

An excerpt from the ntpd(1) manual page about the -i option:

This option also implies not opening other addresses, except wildcard and localhost. Please consider using the configuration file interface command, which is more versatile.

See also the Debian manual page (I could not find it in Arch Linux one) of ntp.conf(5).

Related Solutions

Problem Synchronizing Server Time with ntpd – Solutions

Many distributions these days are configuring ntpd to restrict access. If restrict lines are present in your server's /etc/ntp.conf, only hosts/networks matching those lines will be permitted to connect to ntpd. You probably need to add additional restrict lines for the hosts or networks you want to allow to sync to your server. For example, to let the client you mentioned sync, add one of the following lines:

# allow just this host
restrict 10.99.84.134 nomodify notrap

# or allow the whole /24 segment
restrict 10.99.84.0 mask 255.255.255.0 nomodify notrap

After that, restart ntpd, and your clients should be able to sync.

NTPd – Does NTPd Need to Listen on Interface or Address for Server Time Update?

Listening on localhost makes sense if you want to run to queries on the local box. For examle, ntpq -p localhost will query the ntp service running on your local box.

In general you probably want ntpd to listen on all real addresses that it needs to send or receive updates on. If you are running ipv6 you need to list the ipv6 addresses as well, otherwise just list the real server ip addresses and ipv4 localhost.

Best Answer

Related Solutions

Problem Synchronizing Server Time with ntpd – Solutions

NTPd – Does NTPd Need to Listen on Interface or Address for Server Time Update?

Related Topic