[ntp:questions] NTPD : cannot stop listening on *:ntp to world and his dog
Dave Hart
davehart at gmail.com
Sat Oct 22 17:29:34 UTC 2011
[I'm sorry to those who saw this reply a week ago. I posted it via the mailing list, didn't see it here on Google Groups' copy of comp.protocols.time.ntp, then inquired and found it had been forwarded to the newsgroup. Steve Kostecke resubmitted the article for distribution a few days ago, but for some reason it still didn't make it to Google Groups, so I'm posting via same.]
On Sat, Oct 15, 2011 at 11:57, ziikell101 <joekong20 at yahoo.com> wrote:
>
> Hi there,
>
> I have ntp running, but it's listening to everyone on udp 123. I tried
> to restrict this with these settings in the ntp.conf (Debian Squeeze)
> but the port is always listening to the world+dog as shown in the lsof
> o/p below:
>
> # lsof -i udp:123
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> ntpd 11011 ntp 16u IPv4 478025 0t0 UDP *:ntp
> ntpd 11011 ntp 17u IPv6 478026 0t0 UDP *:ntp
> ntpd 11011 ntp 18u IPv4 478032 0t0 UDP localhost:ntp
> ntpd 11011 ntp 19u IPv4 478033 0t0 UDP logout:ntp
> ntpd 11011 ntp 20u IPv6 478034 0t0 UDP ip6-localhost:ntp
> ntpd 11011 ntp 21u IPv6 478035 0t0 UDP [fe80::21c:14ff:fe01:234d]:ntp
>
> cat /etc/ntp.conf
> restrict -4 default kod nomodify notrap nopeer
> restrict -6 default kod nomodify notrap nopeer
> restrict -4 127.0.0.1
> restrict -6 ::1
> server 0.debian.pool.ntp.org iburst
> server 1.debian.pool.ntp.org iburst
>
> Does anyone know how to stop NTP from listening to the *:ntp port, other
> than by using iptables to drop or reject on it?
>
> ntp version 1:4.2.6.p2+dfsg-1+b1
What are you trying to accomplish here? You say you want it to not
listen on *:ntp, i.e. not listen on port 123. You can fine-tune which
local addresses are used by ntpd with the interface command:
http://doc.ntp.org/4.2.6p2/miscopt.html#interface
However, you can't choose the port. ntpd always uses 123, even in
"leaf" configuration which goes out of its way to deny time service.
If you stop ntpd from using *:ntp, it won't work as a client, either.
If you want to deny time service, these restrict statements should do
it:
restrict default ignore
restrict source notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
Note your configuration mentions "kod" without "limited" in the
default restrictions, which is equivalent to not specifying "kod" as
the code that sends KoDs is not exercised without rate limiting
enabled. Also nomodify is a subset of noquery, so doesn't need to be
listed with it in my example. See:
http://doc.ntp.org/4.2.6p2/accopt.html#restrict
Cheers,
Dave Hart
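The reply above makes three points a practitioner will want to check against a real ntp.conf before restarting ntpd: the listening port is fixed at 123 and only the set of local addresses can be trimmed with "interface"; access is governed by the most specific matching "restrict" entry, so "restrict default ignore" plus a "restrict source" template still lets the configured servers' replies in; and "kod" without "limited" or "nomodify" beside "noquery" is dead weight. The script below is an added example, not code from the thread or from the NTP project. It re-implements the documented matching rules offline (most specific restrict entry wins; for "interface", every address is opened unless a rule matches, and the last matching rule wins), feeds them the two restrict sets from the thread, and evaluates a hypothetical "interface" ruleset against the local addresses from the poster's lsof output. Assumptions, all labelled in the code: 203.0.113.5 as an arbitrary Internet client, 198.51.100.7 as a pool server, 192.0.2.10 standing in for the "logout" host address, the interface rules themselves, and the simplification that interface-name selectors are not modelled and "drop" is just reported as an action.

```python
"""Offline model of ntpd "restrict" and "interface" matching (added example,
not ntpd code). Documented rules it re-implements: the most specific
"restrict" entry applies; "restrict source" becomes a host entry for each
server address; with no "interface" rule every address is opened, otherwise
the last matching rule decides. Interface-name selectors are not modelled."""
import ipaddress

# restrict flags accepted by ntpd 4.2.6; anything else is treated as a typo
RESTRICT_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "nomodify",
                  "noquery", "nopeer", "noserve", "notrap", "notrust",
                  "ntpport", "version"}

POSTER_CONF = """
restrict -4 default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict -4 127.0.0.1
restrict -6 ::1
"""
DAVE_CONF = """
restrict default ignore
restrict source notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
# Hypothetical interface rules (assumption): loopback plus one fixed IPv4 address.
INTERFACE_CONF = """
interface ignore wildcard
interface ignore ipv6
interface listen 127.0.0.1
interface listen 192.0.2.10
"""
# Local addresses from the poster's lsof output; "*" is the wildcard pair and
# 192.0.2.10 is assumed for the host named "logout".
LOCAL_ADDRS = ["0.0.0.0", "::", "127.0.0.1", "192.0.2.10", "::1",
               "fe80::21c:14ff:fe01:234d"]


def _words(conf, keyword):
    """Yield the word list (minus the keyword) of each line starting with keyword."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == keyword:
            yield parts[1:]


def parse_restrict(conf):
    """Return (rules, source): rules is a list of (network, flags)."""
    rules, source = [], None
    for parts in _words(conf, "restrict"):
        family = parts.pop(0) if parts[0] in ("-4", "-6") else None
        target = parts.pop(0)
        mask = None
        if parts and parts[0] == "mask":
            parts.pop(0)
            mask = parts.pop(0)
        flags = set(parts)
        if flags - RESTRICT_FLAGS:
            raise ValueError("unknown restrict flag(s): %s" % sorted(flags - RESTRICT_FLAGS))
        if target == "source":
            source = flags          # template applied to each server address
            continue
        if target == "default":     # -4/-6 select one family, else both
            nets = []
            if family != "-6":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family != "-4":
                nets.append(ipaddress.ip_network("::/0"))
        elif mask:
            nets = [ipaddress.ip_network("%s/%s" % (target, mask), strict=False)]
        else:
            nets = [ipaddress.ip_network(target)]   # single host
        rules.extend((net, flags) for net in nets)
    return rules, source


def effective_flags(conf, client, servers=()):
    """Flags applied to a packet from client; the most specific entry wins.
    servers: addresses of mobilized associations that get the source template."""
    rules, source = parse_restrict(conf)
    if source is not None:
        rules += [(ipaddress.ip_network(s), source) for s in servers]
    addr = ipaddress.ip_address(client)
    best = None
    for net, flags in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen >= best[0].prefixlen:
                best = (net, flags)
    return set(best[1]) if best else set()


def serves_time(flags):
    """Would ntpd answer a client (mode 3) request under these flags?"""
    return not ({"ignore", "noserve"} & flags)


def lint_restrict(conf):
    """Report the two no-op flag combinations pointed out in the reply."""
    warnings = []
    for parts in _words(conf, "restrict"):
        flags = set(parts)
        if "kod" in flags and "limited" not in flags:
            warnings.append("kod without limited never sends a KoD: " + " ".join(parts))
        if "nomodify" in flags and "noquery" in flags:
            warnings.append("nomodify is implied by noquery: " + " ".join(parts))
    return warnings


def socket_actions(conf, local_addrs):
    """Map each local address to listen/ignore/drop under the interface rules."""
    rules = [(p[0], p[1]) for p in _words(conf, "interface")]
    result = {}
    for local in local_addrs:
        addr = ipaddress.ip_address(local)
        action = "listen"                 # no matching rule: address is opened
        for act, sel in rules:
            if sel == "all":
                hit = True
            elif sel == "wildcard":
                hit = addr.is_unspecified  # 0.0.0.0 and :: are the wildcards
            elif sel in ("ipv4", "ipv6"):
                hit = addr.version == int(sel[-1])
            else:                          # address or address/prefixlen
                net = ipaddress.ip_network(sel, strict=False)
                hit = net.version == addr.version and addr in net
            if hit:
                action = act               # last matching rule wins
        result[local] = action
    return result
```

Running effective_flags(POSTER_CONF, "203.0.113.5") shows the poster's config still serves time and answers queries to the whole Internet (no "ignore", no "noquery"), while DAVE_CONF yields {"ignore"} for the same client yet still lets a configured server's replies through once the source template is applied to its address. socket_actions(INTERFACE_CONF, LOCAL_ADDRS) leaves only 127.0.0.1 and 192.0.2.10 open, which is the "*:ntp" row disappearing from lsof; port 123 itself stays.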