NTPD and the Terrible, Horrible, No Good, Very Bad Listening Sockets

Trying to get ntpd to stop creating listening sockets is a royal pain in the ass. Sure, I can set a firewall rule that blocks access to the port on undesired interfaces, but it's more work to make that happen, and it's just not as clean. Here's what I finally ended up doing to stop creating default (0.0.0.0:123 for IPv4 and :::123 for IPv6) listeners and just set a listening socket on one address on my internal interface. Hopefully it helps someone else out.

    # Add to ntp.conf, in order
    interface ignore all
    interface ignore ipv4
    interface ignore ipv6
    interface listen 192.168.0.1

While there’s not a gaping security window with NTP, I just feel a little safer not having anything listening at all.
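
To confirm the configuration above took effect, the check below (an added example, not part of the original post) parses `ss -H -uln` output and reports any UDP port 123 listener that is not on an allowed address. It assumes a Linux host with iproute2's `ss`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag UDP/123 listeners that are not on an allowed address.
# Input is `ss -H -uln` style text; function names are hypothetical.

# stdin: ss output lines; arguments: allowed local addresses.
# Prints one offending local address per line.
unexpected_ntp_listeners() {
    awk -v allowed=" $* " '
    {
        # The local address is the first field ending in ":<port>".
        # The peer column of a UDP listener ends in ":*" and never matches.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:[0-9]+$/) {
                port = $i; sub(/.*:/, "", port)
                addr = $i; sub(/:[0-9]+$/, "", addr)
                if (port == "123" && index(allowed, " " addr " ") == 0)
                    print addr
                break
            }
        }
    }'
}

# $1: ss output; remaining arguments: allowed addresses.
# Returns non-zero when an unexpected listener is present.
check_ntp() {
    out=$1; shift
    bad=$(printf '%s\n' "$out" | unexpected_ntp_listeners "$@")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/unexpected NTP listener: /'
        return 1
    fi
    echo "only expected NTP listeners present"
}

# Constructed sample: default wildcard listeners next to the wanted socket.
sample_before='UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 192.168.0.1:123 0.0.0.0:*
UNCONN 0 0 [::]:123 [::]:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'

# Constructed sample: only the internal address is left on port 123.
sample_after='UNCONN 0 0 192.168.0.1:123 0.0.0.0:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'

check_ntp "$sample_before" 192.168.0.1 || true
check_ntp "$sample_after" 192.168.0.1
# On a live host: check_ntp "$(ss -H -uln)" 192.168.0.1
```

Run the live form after restarting ntpd; a non-zero exit status means a listener outside the allowed list is still bound to port 123.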

2 Comments

  1. Comment by giulio:

    thank you!!! “interface ignore all” doesn’t stop listening on all sockets and this doesn’t make sense… We need to ignore also ipv4 and ipv6, as you said… this is a royal pain in the ass…

  2. Comment by Landis:

    My sentiments exactly! Glad I could help.
