Why does NTP daemon keep listening on UDP6?

I have a clean Debian 7 installation, and I manually entered the following lines in /etc/ntp.conf:

interface ignore wildcard
interface listen <local_nic_ip>

I was hoping that NTP would no longer listen on UDP6, but after a restart, it still does:

5:udp        0      0 <local_nic_ip>:123       0.0.0.0:*                           9172/ntpd       
6:udp        0      0 127.0.0.1:123           0.0.0.0:*                           9172/ntpd       
8:udp6       0      0 ::1:123                 :::*                                9172/ntpd

The command line of NTP shows nothing unusual:

/usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 121:130

How do I stop NTP from listening on that UDP6 port?


I have been able to disable IPv6 for NTP on my Debian 5/6/7 and Ubuntu 12.04 this way:

Edit the file /etc/default/ntp and replace

NTPD_OPTS='-g'

with

NTPD_OPTS='-4 -g'

Then you can keep your directives in ntp.conf; they are not ignored:

interface ignore wildcard
interface listen <local_nic_ip>

  • Without interface ignore wildcard, NTP will also listen on 0.0.0.0
  • Without interface listen <local_nic_ip>, NTP will only listen on 127.0.0.1 (of course)

This will result in:

# netstat -anp | grep :123
udp    0      0 192.168.0.38:123     0.0.0.0:*                 2901/ntpd
udp    0      0 127.0.0.1:123        0.0.0.0:*                 2901/ntpd

Also, I confirm that OpenNTPD listens where you ask it to listen, in a more friendly way (no need to edit multiple config files). By default it listens nowhere until you configure it to do so (very secure) ;)

In the config file, just uncomment the line

listen on 127.0.0.1

And add the line

listen on <local_nic_ip>

Results in:

# netstat -anp | grep :123
udp   0    0 192.168.0.38:123     0.0.0.0:*                 8581/ntpd
udp   0    0 127.0.0.1:123        0.0.0.0:*                 8581/ntpd
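
The netstat check used above can be turned into a repeatable test. This is an added example, not part of the answers on this page: the function name `audit_ntp_listeners` and the sample lines are constructed, with 192.168.0.38 standing in for <local_nic_ip>.

```shell
#!/bin/sh
# Added example: audit which addresses ntpd has bound on UDP port 123.
# Usage: netstat -anp | audit_ntp_listeners ALLOWED_ADDR...
# Prints each port-123 UDP socket whose local address is not allow-listed and
# returns 1 if any were found, 0 otherwise.
audit_ntp_listeners() {
    awk -v allowed="$*" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    {
        proto = $1
        sub(/^[0-9]+:/, "", proto)          # drop a "grep -n" line-number prefix
        if (proto !~ /^udp6?$/) next        # headers, tcp, unix sockets
        port = $4; sub(/^.*:/, "", port)    # text after the last colon
        if (port != "123") next
        addr = $4; sub(/:[^:]*$/, "", addr) # text before the last colon
        if (!(addr in ok)) {
            printf "unexpected: %s %s\n", proto, addr
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample input, modelled on the outputs shown on this page
# (192.168.0.38 stands in for <local_nic_ip>).
sample_before() {   # ntpd started without -4
    cat <<'EOF'
5:udp        0      0 192.168.0.38:123        0.0.0.0:*          9172/ntpd
6:udp        0      0 127.0.0.1:123           0.0.0.0:*          9172/ntpd
8:udp6       0      0 ::1:123                 :::*               9172/ntpd
EOF
}
sample_after() {    # ntpd started with -4
    cat <<'EOF'
udp    0      0 192.168.0.38:123     0.0.0.0:*                 2901/ntpd
udp    0      0 127.0.0.1:123        0.0.0.0:*                 2901/ntpd
EOF
}

sample_before | audit_ntp_listeners 127.0.0.1 192.168.0.38 || echo "before: FAIL"
sample_after  | audit_ntp_listeners 127.0.0.1 192.168.0.38 && echo "after: OK"
```

Run after each ntpd restart or package upgrade, this catches a wildcard (0.0.0.0 or ::) or IPv6 listener reappearing when the options in /etc/default/ntp are reset.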

If you consider this a bug (and I certainly do: ntpd is ignoring a configuration directive) you're going to have to take it up with the package maintainer or upstream authors. I don't believe any of them hang out here - refer to the package information for their contact details.

Alternatively you could try another NTP implementation (like OpenNTPD - I've not used it personally, but the OpenBSD folks tend to be absolutely paranoid about security, so I imagine it only listens where it's told to).

As Sander pointed out though, your NTP daemon is listening on localhost (127.0.0.1 & ::1) - If you're worried about being hacked from localhost you probably have bigger problems than your NTP daemon.
I'm a bit miffed that the daemon is ignoring a configuration directive, but I wouldn't consider this a serious security concern.