How to prevent ntpd from listening on 0.0.0.0:123?

ntpd listens on numerous interfaces by default. I only want it to listen on 127.0.0.1:123, since I only want the localhost to sync the time.

How can I do that? I tried editing /etc/default/ntp on Debian Wheezy:

NTPD_OPTS='-4 -I 127.0.0.1'

But it still listens globally on 0.0.0.0:123.

Any ideas?


Remove all -I or --interface options from /etc/default/ntp and insert the following into your /etc/ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
# NOTE: if you want to update your time using remote machines,
# add at least one remote interface address:
#interface listen 2001:db8::1
#interface listen 192.0.2.1

An excerpt from the ntpd(1) manual page about the -i option:

This option also implies not opening other addresses, except wildcard and localhost. Please consider using the configuration file interface command, which is more versatile.

See also the Debian manual page of ntp.conf(5) (I could not find it in the Arch Linux one).


With ntp listening only on 127.0.0.1, it looks like it can't initiate a connection to a public ntp server:

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ks370079.kimsuf .INIT.          16 -    -   64    0    0.000    0.000   0.000

It must be bound to a routable IP address to work.


Full /etc/ntp.conf that is protocol neutral (IPv4 and/or IPv6):

driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

restrict lo

interface ignore wildcard
interface listen lo
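
A way to check the effect of the "interface ignore wildcard" and "interface listen" directives discussed above, as an added example that is not part of the original answers. The function name and the sample socket listings are constructed for illustration; it assumes the input is `ss -uln` or `netstat -uln` text, where the local address is the first field ending in ":123".

```shell
#!/bin/sh
# Added example (not from the original answers). Classifies UDP port 123
# listeners found in `ss -uln` or `netstat -uln` text read from stdin.
# Prints "<class> <address>" per listener; exit status:
#   0 = no wildcard bind, 1 = wildcard bind present, 2 = no listener on :123.
classify_ntp_binds() {
    awk '
    {
        addr = ""
        # Local address = first field ending in ":123"; the peer column ends in ":*".
        for (i = 1; i <= NF; i++)
            if ($i ~ /:123$/) { addr = $i; break }
        if (addr == "") next
        seen = 1
        host = addr
        sub(/:123$/, "", host)     # drop the port
        gsub(/[][]/, "", host)     # [::1] -> ::1 (newer ss brackets IPv6)
        sub(/%.*$/, "", host)      # drop a scope suffix such as %eth0
        if (host == "0.0.0.0" || host == "::" || host == "*") { print "wildcard " host; wild = 1 }
        else if (host ~ /^127\./ || host == "::1") { print "loopback " host }
        else { print "specific " host }
    }
    END { if (!seen) exit 2; exit wild + 0 }
    '
}

# Constructed sample: default ntpd, wildcard plus per-interface sockets.
sample_default() {
    cat <<'EOF'
UNCONN 0 0      192.0.2.1:123   0.0.0.0:*
UNCONN 0 0      127.0.0.1:123   0.0.0.0:*
UNCONN 0 0        0.0.0.0:123   0.0.0.0:*
UNCONN 0 0          [::1]:123      [::]:*
UNCONN 0 0           [::]:123      [::]:*
EOF
}

# Constructed sample: after "interface ignore wildcard" + "interface listen lo".
sample_restricted() {
    cat <<'EOF'
UNCONN 0 0      127.0.0.1:123   0.0.0.0:*
UNCONN 0 0          [::1]:123      [::]:*
EOF
}

# On a live host (after restarting ntpd): ss -uln | classify_ntp_binds
```

A "specific" line is not treated as a failure, because a deliberately added "interface listen" address for reaching remote servers shows up that way.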