Why does ntpd listen on so many ports/addresses?
I’ve noticed this for a while, and it’s never made any sense to me: Why does ntpd need to listen on so many addresses?
For example, a Debian machine:
$ netstat
Proto  Local Address      Foreign Address  Program name
udp    0.0.0.0:123        0.0.0.0:*        ntpd
udp    127.0.0.1:123      0.0.0.0:*        ntpd
udp    [LAN]:123          0.0.0.0:*        ntpd
udp    [IPv4]:123         0.0.0.0:*        ntpd
udp6   :::123             :::*             ntpd
udp6   ::1:123            :::*             ntpd
udp6   [link-local]       :::*             ntpd
udp6   [IPv6]             :::*             ntpd
This (redacted) netstat listing shows ntpd listening on the broadcast, local, LAN, and global addresses, for IPv4 and IPv6.
Why is ntpd so promiscuous?
Solution 1:
From my reading of this page, it appears that ntp doesn't use the INADDR_ANY 0.0.0.0 address exclusively, partly for security reasons and partly for authentication reasons.
First, port 123 is below 1024, and so is considered a privileged port, and only root can bind to that port. Ntp is typically set to drop privileges after it is started. From what I understand from the mail lists and the article, once the privileges are dropped it can't open a socket to reply from the correct source port of 123, so ntp opens up sockets for every assigned address before it drops privileges.
From what I have read, some of the authentication mechanisms for ntp basically require that the source and destination port be 123, and nothing else.
The matter isn't entirely clear. See the section about the wildcard address 0.0.0.0; it is opened by ntpd for some reason, but from the comments it should never actually be used, except possibly in some special rare cases that the devs aren't entirely sure about, but they don't want to remove the socket, just in case they break things.
Note that normally ntpd should not be accepting packets on the wildcard addresses since there are a number of problems if you do so including sending return packets on a different address from the sender's requested address. DannyMayer - 27 Apr 2009
I think the main answer to your question is in the above comment here.
Solution 2:
It is not promiscuous at all. It's just binding to the interface IP addresses and localhost, both on the IPv4 and IPv6 protocols.
If you think it should not be listening on some of those, just change the listen config as explained in the manual (this may be for a different version than the one you are using):
listen on address
    Specify a local IP address or a hostname the ntpd(8) daemon should listen on. If it appears multiple times, ntpd(8) will listen on each given address. If the exact string '*' is given as an address, ntpd(8) will listen on all local addresses. Otherwise, address can be followed by an asterisk ('*') and a UDP port number to listen on instead of the default 123. ntpd(8) does not listen on any address by default. For example:
        listen on *
        listen on 127.0.0.1
        listen on ::1
In some other versions you will need to change the options to the ntpd daemon itself to change on what protocols/interfaces to listen (options like -4, -6, -I).