Why does NTP daemon keep listening on UDP6?
Solution 1
I have been able to disable IPv6 for NTP on my Debian 5/6/7 and Ubuntu 12.04 this way:
Edit the file /etc/default/ntp and replace
NTPD_OPTS='-g'
with
NTPD_OPTS='-4 -g'
Then you can keep your directives in ntp.conf; they are not ignored:
interface ignore wildcard
interface listen <local_nic_ip>
- Without interface ignore wildcard, NTP will also listen on 0.0.0.0
- Without interface listen <local_nic_ip>, NTP will only listen on 127.0.0.1 (of course)
This results in:
# netstat -anp | grep :123
udp 0 0 192.168.0.38:123 0.0.0.0:* 2901/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2901/ntpd
Also, I confirm that OpenNTPD listens where you ask it to listen, and in a friendlier way (no need to edit multiple config files). By default it listens nowhere until you configure it to do so (very secure) ;)
In the config file, just uncomment the line
listen on 127.0.0.1
and add the line
listen on <local_nic_ip>
Results in:
# netstat -anp | grep :123
udp 0 0 192.168.0.38:123 0.0.0.0:* 8581/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 8581/ntpd
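As an added example (not code from the original answer, and not part of the ntp package), the following POSIX shell script packages the two steps of Solution 1 as functions: put -4 into the NTPD_OPTS line of an /etc/default/ntp-style file, then filter `netstat -anp` output for anything still bound to udp6 port 123. It assumes the single-quoted NTPD_OPTS='...' form shown above, GNU sed for in-place editing, and the classic netstat column layout; the file path is a parameter and the netstat samples are constructed from the values on this page rather than captured live, so it can be exercised on a scratch copy before being pointed at the real file.

```shell
#!/bin/sh
# Added example, not code from the original answer. Automates Solution 1:
# (1) add -4 to NTPD_OPTS in an /etc/default/ntp-style file,
# (2) check `netstat -anp` output for leftover udp6 listeners on :123.

# add_ipv4_only FILE: make the NTPD_OPTS='...' line in FILE contain -4.
# Idempotent: running it twice never inserts a second -4.
# Assumes the single-quoted form used on Debian/Ubuntu and GNU sed -i.
add_ipv4_only() {
    _file="$1"
    if grep -qE "^NTPD_OPTS='([^']* )?-4( [^']*)?'" "$_file"; then
        return 0                      # -4 already present
    fi
    sed -i "s/^NTPD_OPTS='/NTPD_OPTS='-4 /" "$_file"
}

# v6_ntp_listeners: read `netstat -anp` output on stdin and print only
# udp6 sockets whose local address ends in :123. Exit status is 0 when
# at least one was printed and 1 when none, so it doubles as a check.
v6_ntp_listeners() {
    awk '$1 == "udp6" && $4 ~ /:123$/ { print; found = 1 }
         END { if (!found) exit 1 }'
}

# Constructed netstat output (not captured from a live host): the
# question's "before" state and Solution 1's "after" state.
NETSTAT_BEFORE='udp        0      0 192.168.0.38:123   0.0.0.0:*   9172/ntpd
udp        0      0 127.0.0.1:123      0.0.0.0:*   9172/ntpd
udp6       0      0 ::1:123            :::*        9172/ntpd'
NETSTAT_AFTER='udp        0      0 192.168.0.38:123   0.0.0.0:*   2901/ntpd
udp        0      0 127.0.0.1:123      0.0.0.0:*   2901/ntpd'

# report LABEL NETSTAT_TEXT: one-line verdict for a netstat snapshot.
report() {
    if printf '%s\n' "$2" | v6_ntp_listeners >/dev/null; then
        echo "$1: ntpd still bound on udp6 :123"
    else
        echo "$1: no udp6 listener on :123"
    fi
}

# demo: run both steps against a scratch copy of /etc/default/ntp and the
# constructed snapshots. On a real Debian/Ubuntu host the same two steps are
#   add_ipv4_only /etc/default/ntp && service ntp restart
#   netstat -anp | v6_ntp_listeners && echo "still listening on udp6"
demo() {
    _tmp=$(mktemp)
    printf "NTPD_OPTS='-g'\n" > "$_tmp"
    add_ipv4_only "$_tmp"
    add_ipv4_only "$_tmp"             # repeat run must change nothing
    grep '^NTPD_OPTS' "$_tmp"         # NTPD_OPTS='-4 -g'
    rm -f "$_tmp"
    report before "$NETSTAT_BEFORE"
    report after  "$NETSTAT_AFTER"
}

demo
```

The netstat filter is the part to keep: whatever -4 does internally on a given ntpd build, a udp6 socket that is still bound shows up in the filter's output, so the script's verdict comes from the kernel's socket table rather than from what the option is documented to do.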
Solution 2
If you consider this a bug (and I certainly do: ntpd is ignoring a configuration directive) you're going to have to take it up with the package maintainer or upstream authors. I don't believe any of them hang out here - refer to the package information for their contact details.
Alternatively you could try another NTP implementation (like OpenNTPD - I've not used it personally, but the OpenBSD folks tend to be absolutely paranoid about security, so I imagine it only listens where it's told to).
As Sander pointed out though, your NTP daemon is listening on localhost (127.0.0.1 & ::1) - If you're worried about being hacked from localhost you probably have bigger problems than your NTP daemon.
I'm a bit miffed that the daemon is ignoring a configuration directive, but I wouldn't consider this a serious security concern.
Howard
Updated on September 18, 2022
Comments
-
Howard over 1 year
I have a clean Debian 7 installation, and I manually entered the following lines in /etc/ntp.conf:
interface ignore wildcard
interface listen <local_nic_ip>
I was hoping that NTP would no longer listen on UDP6, but after a restart, it still does:
udp 0 0 <local_nic_ip>:123 0.0.0.0:* 9172/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 9172/ntpd
udp6 0 0 ::1:123 :::* 9172/ntpd
The command line of NTP shows nothing unusual:
/usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 121:130
How do I stop NTP from listening on that UDP6 port?
-
Semirke over 10 years
What is your problem with listening? Isn't it enough for you if ntpd uses IPv4 for DNS resolution? I'm asking this as ntpd will always bind to all wildcard addresses. But you can specify IPv4-only DNS, use a firewall to block IPv6 traffic, or use ntp.conf to restrict IPv6 traffic.
-
Howard over 10 years
@Semirke It makes me nervous when I tell a program to do something, yet it does something totally unexpected. Why does NTP listen on UDP6 when I told it not to?
-
Sander Steffann over 10 years
It's listening on localhost on both IPv4 (127.0.0.1) and IPv6 (::1). Are you sure you haven't configured it to listen on localhost? Or maybe it always listens on localhost. Not sure about that. In either case it will not hurt.
-
Semirke over 10 years
Hi, ntpd -4 will only make it do IPv4 DNS queries. ntpd will keep listening on IPv6. Also I agree with your OpenNTPD notion, that you can configure it to not listen on IPv6.
-
krisFR over 10 years
@Semirke I agree with you about the -4 option and DNS queries, but the fact is that, by doing this, I have no more listener on my IPv6 interfaces for ntp (assuming I trust netstat output).
-
dfc over 10 years
Always be wary of recommendations/suggestions when the person giving the recommendation confesses to never having used the product in question. If you need an alternative to the ntp reference implementation, try chrony. It is important to note that chrony and openntpd do not support a lot of the extended features of the reference implementation.
-
voretaq7 over 10 years
@dfc Beware of recommendations in general: All software recommendations should be evaluated for suitability in a given environment before blindly implementing them. In this case I know a number of folks who use OpenNTPD (on OpenBSD), and they speak very well of it as a "basic NTP daemon". Obviously if you're using features of the reference implementation that it doesn't support it's not going to work for you.
-
JJC almost 9 years
Thanks. In case this helps someone, on CentOS 6.6 (and, thus, probably on Fedora and RHEL) the options are in this file: /etc/sysconfig/ntpd.