Does NTPd have to listen on an interface or address for updating the server time?

ntpd

Solution 1:

Listening on localhost makes sense if you want to run to queries on the local box. For examle, ntpq -p localhost will query the ntp service running on your local box.

In general you probably want ntpd to listen on all real addresses that it needs to send or receive updates on. If you are running ipv6 you need to list the ipv6 addresses as well, otherwise just list the real server ip addresses and ipv4 localhost.

Solution 2:

If you just want to update the local time you should probably restrict access to the server, since ntpd doesn't support configuring the listen adresses.

First thing to configure is the default policy. You can either block all communication not enabled afterwards, but remember that restrictions work for client and server bothway.

restrict default ignore
# Allow access to localhost
restrict 127.0.0.1
restrict IP.OF.UPSTREAM.SERVER

Or you could allow the exchange of time by default and allow querying the server only to the localhost: 

restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1

Also ntpd allows chosing the interface it runs on via the -I switch. If you are running Debian you can simply add that -I switch to the NTPD_OPTS variable in /etc/defaults/ntpd.

ntpd -I eth0

Related

Estimating the time needed for a resize2fs shrink
Postfix : Relaying all incoming mail to another host
Can you import a SSL certificate from another Windows IIS 7 server?
Generating a lot of dirty pages is blocking synchronous writes
Other options to "balance source" in haproxy
How do I put a bridge on top of a bonded interface?
Why don't more organizations configure NAT U-turns/hairpins?
How to find out who deleted Event Viewer logs
Why can't I access Tomcat externally?
DNS Round-robin failover and load balancing
Ansible : using different sudo user for different hosts
FTP issue - VSFTPd and connecting to from FileZilla