Why does NTP daemon keep listening on UDP6?


Solution 1

I have been able to disable IPv6 for NTP on my Debian 5/6/7 and Ubuntu 12.04 this way:

Edit file /etc/default/ntp and replace

NTPD_OPTS='-g'

by

NTPD_OPTS='-4 -g'

Then, you can keep your directives in ntp.conf; they are not ignored:

interface ignore wildcard
interface listen <local_nic_ip>
  • Without interface ignore wildcard NTP will also listen on 0.0.0.0
  • Without interface listen <local_nic_ip> NTP will only listen on 127.0.0.1 (of course)

This results in:

# netstat -anp | grep :123
udp    0      0 192.168.0.38:123     0.0.0.0:*                 2901/ntpd
udp    0      0 127.0.0.1:123        0.0.0.0:*                 2901/ntpd

Also, I confirm that OpenNTPD listens where you ask it to in a friendlier way (no need to edit multiple config files). By default it listens nowhere until you configure it to do so (very secure) ;)

In the config file, just uncomment the line

listen on 127.0.0.1

And add the line

listen on <local_nic_ip>

Results in:

# netstat -anp | grep :123
udp   0    0 192.168.0.38:123     0.0.0.0:*                 8581/ntpd
udp   0    0 127.0.0.1:123        0.0.0.0:*                 8581/ntpd

Solution 2

If you consider this a bug (and I certainly do: ntpd is ignoring a configuration directive) you're going to have to take it up with the package maintainer or upstream authors. I don't believe any of them hang out here - refer to the package information for their contact details.

Alternatively you could try another NTP implementation (like OpenNTPD - I've not used it personally, but the OpenBSD folks tend to be absolutely paranoid about security, so I imagine it only listens where it's told to).

As Sander pointed out though, your NTP daemon is listening on localhost (127.0.0.1 & ::1) - If you're worried about being hacked from localhost you probably have bigger problems than your NTP daemon.
I'm a bit miffed that the daemon is ignoring a configuration directive, but I wouldn't consider this a serious security concern.


Author: Howard

Updated on September 18, 2022

Comments

  • Howard
    Howard over 1 year

    I have a clean Debian 7 installation, and I manually entered the following lines in /etc/ntp.conf:

    interface ignore wildcard
    interface listen <local_nic_ip>
    

    Hoping that NTP will no longer listen on UDP6, but after a restart, it still does:

    5:udp        0      0 <local_nic_ip>:123       0.0.0.0:*                           9172/ntpd       
    6:udp        0      0 127.0.0.1:123           0.0.0.0:*                           9172/ntpd       
    8:udp6       0      0 ::1:123                 :::*                                9172/ntpd
    

    The command line of NTP shows nothing unusual:

    /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 121:130
    

    How to stop NTP from listening on that UDP6 port?

    • Semirke
      Semirke over 10 years
What is your problem with listening? Isn't it enough for you if ntpd uses IPv4 for DNS resolution? I'm asking this as ntpd will always bind to all wildcard addresses. But you can specify IPv4-only DNS, use a firewall to block IPv6 traffic, or use ntp.conf to restrict IPv6 traffic.
    • Howard
      Howard over 10 years
      @Semirke It makes me nervous when I tell a program to do something, yet it does something totally unexpected. Why does NTP listen on UDP6 when I told it not to?
    • Sander Steffann
      Sander Steffann over 10 years
      It's listening on localhost on both IPv4 (127.0.0.1) and IPv6 (::1). Are you sure you haven't configured it to listen on localhost? Or maybe it always listens on localhost. Not sure about that. In either case it will not hurt.
  • Semirke
    Semirke over 10 years
Hi, ntpd -4 will only make it do IPv4 DNS queries. ntpd will keep listening on IPv6. Also I agree with your OpenNTPD notion, that you can configure it to not listen on IPv6.
  • krisFR
    krisFR over 10 years
@Semirke I agree with you about the -4 option and DNS queries, but the fact is that, by doing this, I have no more listener on my IPv6 interfaces for ntp (assuming I trust netstat output).
  • dfc
    dfc over 10 years
    Always be wary of recommendations/suggestions when the person giving the recommendation confesses to never having used the product in question. If you need an alternative to ntp reference implementation try chrony. It is important to note that chrony and openntpd do not support a lot of the extended features of the reference implementation.
  • voretaq7
    voretaq7 over 10 years
    @dfc Beware of recommendations in general: All software recommendations should be evaluated for suitability in a given environment before blindly implementing them. In this case I know a number of folks who use OpenNTPD (on OpenBSD), and they speak very well of it as a "basic NTP daemon". Obviously if you're using features of the reference implementation that it doesn't support it's not going to work for you.
  • JJC
    JJC almost 9 years
    Thanks. In case this helps someone, on CentOS 6.6 (and, thus, probably on Fedora and RHEL) the options are in this file: /etc/sysconfig/ntpd.