[ntp:questions] NTPD : cannot stop listening on *:ntp to world and his dog

Dave Hart hart at ntp.org
Sat Oct 15 14:37:50 UTC 2011


On Sat, Oct 15, 2011 at 11:57, ziikell101 <joekong20 at yahoo.com> wrote:
>
> Hi there,
>
> I have ntp running, but it's listening to everyone on udp 123.  I tried
> to restrict this with these settings in the ntp.conf (Debian Squeeze)
> but the port is always listening to the world+dog as shown in the lsof
> o/p below:
>
> # lsof -i udp:123
> COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> ntpd    11011  ntp   16u  IPv4 478025      0t0  UDP *:ntp
> ntpd    11011  ntp   17u  IPv6 478026      0t0  UDP *:ntp
> ntpd    11011  ntp   18u  IPv4 478032      0t0  UDP localhost:ntp
> ntpd    11011  ntp   19u  IPv4 478033      0t0  UDP logout:ntp
> ntpd    11011  ntp   20u  IPv6 478034      0t0  UDP ip6-localhost:ntp
> ntpd    11011  ntp   21u  IPv6 478035      0t0  UDP [fe80::21c:14ff:fe01:234d]:ntp
>
> cat /etc/ntp.conf
> restrict -4 default kod nomodify notrap nopeer
> restrict -6 default kod nomodify notrap nopeer
> restrict -4 127.0.0.1
> restrict -6 ::1
> server 0.debian.pool.ntp.org iburst
> server 1.debian.pool.ntp.org iburst
>
> Does anyone know how to stop NTP from listening on the *:ntp port, other
> than by using iptables to drop or reject on it?
>
> ntp version 1:4.2.6.p2+dfsg-1+b1

What are you trying to accomplish here?  You say you want it to not
listen on *:ntp, e.g. not listen on port 123.  You can fine-tune which
local addresses are used by ntpd with the interface command:

http://doc.ntp.org/4.2.6p2/miscopt.html#interface

However, you can't choose the port.  ntpd always uses 123, even in
"leaf" configuration which goes out of its way to deny time service.
If you stop ntpd from using *:ntp, it won't work as a client, either.
If you want to deny time service, these restrict statements should do
it:

restrict default ignore
restrict source notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

Note your configuration mentions "kod" without "limited" in the
default restrictions, which is equivalent to not specifying "kod" as
the code that sends KoDs is not exercised without rate limiting
enabled.  Also nomodify is a subset of noquery, so doesn't need to be
listed with it in my example.  See:

http://doc.ntp.org/4.2.6p2/accopt.html#restrict

Cheers,
Dave Hart
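As an added illustration (my own code, not part of this thread and not from the ntp project), here is a small Python linter that applies the reply's two points about restrict flags to an ntp.conf: it flags "kod" given without "limited" (no KoD is ever sent without rate limiting) and "nomodify" listed alongside "noquery" (redundant, since nomodify is a subset of noquery). A third check generalizes slightly beyond the reply: a "restrict default" line that carries neither "ignore" nor "noserve" still offers time service to any address not matched by a more specific restrict. The two sample configurations are constructed from the quoted message and the suggested replacement; the "mask" handling and the address-family selector parsing are my assumptions about the line syntax, covering only the forms that appear above.

```python
import re

# Constructed sample: the poster's restrict lines as quoted in the thread.
ORIGINAL_CONF = """\
restrict -4 default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict -4 127.0.0.1
restrict -6 ::1
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
"""

# Constructed sample: the reply's suggested deny-time-service restrictions.
DENY_SERVICE_CONF = """\
restrict default ignore
restrict source notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.debian.pool.ntp.org iburst
"""


def parse_restrict_lines(conf_text):
    """Return [(target, set_of_flags), ...] for every 'restrict' line.

    Handles the optional -4/-6 selector and an optional 'mask X' pair
    (assumed syntax; only the forms used in the thread are exercised).
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if parts[0] != "restrict":
            continue
        args = parts[1:]
        if args and args[0] in ("-4", "-6"):  # address-family selector
            args = args[1:]
        if not args:
            continue
        target, flags = args[0], args[1:]
        if len(flags) >= 2 and flags[0] == "mask":  # skip "mask a.b.c.d"
            flags = flags[2:]
        entries.append((target, set(flags)))
    return entries


def lint_restrict(conf_text):
    """Return a list of human-readable findings about the restrict lines."""
    findings = []
    entries = parse_restrict_lines(conf_text)
    for target, flags in entries:
        if "kod" in flags and "limited" not in flags:
            findings.append(
                f"{target}: 'kod' without 'limited' has no effect "
                "(KoD packets are only sent when rate limiting is enabled)")
        if "nomodify" in flags and "noquery" in flags:
            findings.append(
                f"{target}: 'nomodify' is redundant when 'noquery' is set")
    defaults = [flags for target, flags in entries if target == "default"]
    if not defaults:
        findings.append(
            "no 'restrict default' line: unlisted addresses get full access")
    elif not any(("ignore" in f) or ("noserve" in f) for f in defaults):
        findings.append(
            "'restrict default' has neither 'ignore' nor 'noserve': "
            "time service is offered to any address not otherwise restricted")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF),
                       ("deny-service", DENY_SERVICE_CONF)):
        print(f"== {name} ==")
        for finding in lint_restrict(conf) or ["no findings"]:
            print(" -", finding)
```

Run against the quoted configuration it reports the ineffective "kod" on both default lines plus the open default; the suggested replacement produces no findings. Note that this lints only the restrict lines: it does not check the interface command or which local addresses ntpd binds, which is the separate question the reply answers with the miscopt link.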

