3

I have been trying to build and configure ntp clients and server, and used this line in the ntp.conf for the clients:

restrict default ignore

Still, I see that my client is listening on the local network interface. From the system log:

Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Listening on interface #1 wildcard, ::#123 Disabled
Listening on interface #2 vmnet8, fe80::250:56ff:fec0:8#123 Enabled
Listening on interface #3 lo, ::1#123 Enabled
Listening on interface #4 eth0, fe80::222:68ff:fe10:1529#123 Enabled
Listening on interface #5 vmnet1, fe80::250:56ff:fec0:1#123 Enabled
Listening on interface #6 lo, 127.0.0.1#123 Enabled
Listening on interface #7 eth0, 192.168.111.183#123 Enabled
Listening on interface #8 vmnet1, 172.16.139.1#123 Enabled

0-1 are disabled, which is good.

List of open ports using nmap -sUS -O 127.0.0.1:

Starting Nmap 4.53 ( http://insecure.org ) at 2009-08-03 12:25 IDT
Interesting ports on localhost (127.0.0.1):
Not shown: 3195 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
631/tcp  open          ipp
902/tcp  open          iss-realsecure-sensor
5432/tcp open          postgres
68/udp   open|filtered dhcpc
123/udp  open|filtered ntp
5353/udp open|filtered zeroconf
Device type: general purpose
Running: Linux 2.6.X

As you can see, ntp is listening on port 123. Why?

Any ideas?

Udi

Adam Matan
  • Is that the client listening, or the server? – genehack Aug 03 '09 at 09:21
  • Is it a problem to be listening on the local interface? If it is not listening on anything else then no client external to that machine is going to be able to connect or even see that the service is there. – David Spillett Aug 03 '09 at 09:22
  • @genehack It is the client. @David The port is open, IMHO it is open externally. – Adam Matan Aug 03 '09 at 09:30
  • nmap shows 'ntp' on port 123 because that's the NTP port. That doesn't mean it's the ntp *client* process listening on that port. If you stop the NTP server, I bet that port is no longer bound... – genehack Aug 03 '09 at 10:05
  • AFAIK, the ntp daemon is both a server and a client - depends on configuration. – Adam Matan Aug 03 '09 at 10:25

3 Answers

7

The answer seems to be the type of protocol used: NTP uses the UDP protocol, which is connectionless, and therefore needs an open port to receive the time from the server following the request.

I guess I will just have to keep that port open, as NTP has a very good security reputation.

Adam Matan
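To make the accepted answer concrete, here is a minimal NTP request/reply exchange over UDP on the loopback interface. It is an added example, not code from the original post or from ntpd; the "server" is a constructed stand-in that only fills in the timestamps. The point it shows is the one the answer makes: the reply is a separate datagram, so the client side must hold an open, bound UDP port to receive it, which is exactly why port 123 shows up as open on a client-only ntpd.

```python
"""Minimal NTP mode-3 (client) -> mode-4 (server) exchange over UDP.
Added example; the fake server is a constructed stand-in for ntpd."""

import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET_FMT = "!B B B b 11I"   # LI/VN/mode, stratum, poll, precision, 11 x 32-bit words
NTP_PACKET_LEN = 48               # size of the fixed NTP header


def build_client_request():
    # LI=0, VN=4, mode=3 -> 0b00_100_011 = 0x23; every other field left zero.
    return struct.pack(NTP_PACKET_FMT, 0x23, 0, 0, 0, *([0] * 11))


def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def unix_to_ntp(t):
    seconds = int(t) + NTP_EPOCH_OFFSET
    fraction = int((t - int(t)) * 2**32)
    return seconds, fraction


def parse_server_reply(data):
    """Return version, stratum and transmit time (Unix seconds) of a mode-4 reply."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet")
    fields = struct.unpack(NTP_PACKET_FMT, data[:NTP_PACKET_LEN])
    mode = fields[0] & 0x07
    version = (fields[0] >> 3) & 0x07
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    # words 4..14: root delay, root disp, refid, ref ts(2), orig ts(2), recv ts(2), tx ts(2)
    tx_sec, tx_frac = fields[13], fields[14]
    return {"version": version, "stratum": fields[1], "time": ntp_to_unix(tx_sec, tx_frac)}


def fake_server_reply(request, now):
    """Constructed stand-in for ntpd: copy the client's transmit timestamp into
    the originate field and stamp receive/transmit with `now`."""
    req = struct.unpack(NTP_PACKET_FMT, request[:NTP_PACKET_LEN])
    sec, frac = unix_to_ntp(now)
    words = list(req[4:])
    words[5], words[6] = req[13], req[14]   # originate = client's transmit timestamp
    words[7], words[8] = sec, frac          # receive timestamp
    words[9], words[10] = sec, frac         # transmit timestamp
    return struct.pack(NTP_PACKET_FMT, 0x24, 2, req[2], req[3], *words)  # LI=0, VN=4, mode=4, stratum 2


def run_loopback_exchange(now=None):
    """Send one request to the fake server and parse its reply.
    Uses an ephemeral port instead of 123 so no privileges are needed."""
    now = time.time() if now is None else now
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2)

    def serve():
        data, addr = srv.recvfrom(NTP_PACKET_LEN)
        srv.sendto(fake_server_reply(data, now), addr)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    cli.sendto(build_client_request(), srv.getsockname())
    # After sendto the client socket is bound to a UDP port, just as ntpd binds
    # 123: the reply is an independent datagram and needs somewhere to land.
    client_port = cli.getsockname()[1]
    data, _ = cli.recvfrom(NTP_PACKET_LEN)
    worker.join()
    srv.close()
    cli.close()
    reply = parse_server_reply(data)
    reply["client_port"] = client_port
    return reply


if __name__ == "__main__":
    print(run_loopback_exchange())
```

ntpd does the same thing with a fixed, privileged source port (123) rather than an ephemeral one, which is why the `restrict` lines, not the absence of a listening socket, are what limit who can talk to it.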
2

Is it actually trying to sync, though? My copy of 'man ntp.conf' suggests that default entries are automatically added to prevent the self-sync issue (which is what I assume you're worried about; if not, you may want to clarify what your question is):

Default restriction list entries with the flags ignore, interface, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).

(ntpd 4.2.4p7)

genehack
1

From what I recollect, that's a server line.

Read the Controlling Access to Your Server section at this FreeBSD article

If you want to deny all machines from accessing your NTP server, add [that line to the server]

You might want to recheck with these Basic NTP configuration notes at TLDP-SAG pages.

nik
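The second and third answers turn on how `restrict` lines are applied, so here is a small model of that evaluation, added as an example (not ntpd's code and not from the post). It assumes, as ntpd's access-control documentation describes, that the most specific matching entry (longest prefix) decides the flags for a packet's source address, that an entry with no flags grants full access, and that `ignore` drops every packet, including replies from a configured server. The ntp.conf fragment is constructed; the server address is a placeholder.

```python
"""Model of ntpd restrict-list evaluation (added example; simplified).
Assumption: most-specific match wins, default applies only when nothing
else matches, and an entry with no flags is unrestricted."""

import ipaddress

# Constructed client-only fragment (placeholder server address, not from the post).
CLIENT_CONF = """\
server 192.168.111.1 iburst
restrict default ignore                      # drop everything not listed below
restrict 127.0.0.1                           # local ntpq/ntpdc stays usable
restrict ::1
restrict 192.168.111.1 nomodify notrap nopeer noquery   # let the server's replies in
"""


def parse_restrict_lines(conf_text):
    """Return a list of (network_or_None, set_of_flags); None is the default entry."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        parts = line.split()[1:]
        if parts and parts[0] in ("-4", "-6"):   # address-family selector, not needed here
            parts = parts[1:]
        target, rest = parts[0], parts[1:]
        if target == "default":
            entries.append((None, set(rest)))
            continue
        if rest[:1] == ["mask"]:                  # "restrict addr mask m.m.m.m flags..."
            net = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:                                     # single host, or CIDR on newer ntpd
            net = ipaddress.ip_network(target, strict=False)
        entries.append((net, set(rest)))
    return entries


def effective_restrictions(entries, source):
    """Flags that apply to a packet from `source` under most-specific-match rules."""
    addr = ipaddress.ip_address(source)
    best = None                                   # (prefixlen, flags); default scored -1
    for net, flags in entries:
        if net is None:
            if best is None:
                best = (-1, flags)
            continue
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, flags)
    return set(best[1]) if best else set()


def packet_disposition(entries, source):
    """'dropped' if the matching entry carries ignore, else 'accepted' (time packets pass)."""
    return "dropped" if "ignore" in effective_restrictions(entries, source) else "accepted"


if __name__ == "__main__":
    acl = parse_restrict_lines(CLIENT_CONF)
    for src in ("192.168.111.1", "127.0.0.1", "10.0.0.5"):
        print(src, packet_disposition(acl, src), sorted(effective_restrictions(acl, src)))
```

The practical consequence for the question: `restrict default ignore` alone is a foot-gun on a client, because the server's replies arrive on the same socket and match the default entry; the explicit line for the server address is what lets synchronization work while every other host still gets dropped.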