
I wanted to tighten my security, so I don't want to open any ports that are not really needed. I have no intention of running an NTP server for other people to use; I only run the ntp daemon to keep the local clock synced, so I added these two lines to my /etc/ntp.conf:

interface ignore wildcard
interface listen lo

But after that, ntpd seems not to be able to reach servers, as experienced by:

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 secondary.cleve .INIT.          16 -    -   64    0    0.000    0.000   0.000
 time.videxio.ne .INIT.          16 -    -   64    0    0.000    0.000   0.000
 ns0.luns.net.uk .INIT.          16 -    -   64    0    0.000    0.000   0.000
 rigel.retrosnub .INIT.          16 -    -   64    0    0.000    0.000   0.000
 europium.canoni .INIT.          16 -    -   64    0    0.000    0.000   0.000

It seems that this configuration makes ntpd not use those interfaces at all, not even to connect to other servers.

Does ntpd need to listen on external interfaces to be able to sync the clock?

Pablo Fernandez

2 Answers

As far as I can tell, ignore means don't open the address/port, drop means open but ignore any and all traffic (though it might be able to use them still). So yeah, it seems to need the interface bound.

Reference: http://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#interface

NickW
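The reason the question's config breaks sync is that ntpd sends its own client requests from a socket bound to UDP port 123 on a real interface and reads the replies back on that same socket; with only lo bound there is no socket from which a packet can reach the Internet, so every peer stays at .INIT. with reach 0. Access control for ntpd is done with restrict directives, not with interface binding. The following is an added example, not code from the question or either answer: a client-only ntp.conf that keeps the uplink bound but denies everyone except localhost and the configured servers, plus a small check over "ntpq -p" output that flags the state shown in the question. The uplink name eth0, the pool hostnames and the sample ntpq output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# (1) a client-only ntp.conf that still binds the uplink, so ntpd can send
#     its queries from UDP 123 and receive the replies, while "restrict"
#     decides who may talk to it;
# (2) a check over "ntpq -p" output that flags the state in the question
#     (every peer at stratum 16 with reach 0).
# Assumptions: the uplink is named eth0; the pool hostnames are placeholders.

# (1) Write the client-only configuration to the file given as $1
#     (a scratch path here, /etc/ntp.conf on a real host).
write_client_conf() {
    cat > "$1" <<'EOF'
# Bind only what is needed: no wildcard socket, loopback for local ntpq,
# and the uplink so ntpd can reach its servers (assumed to be eth0).
interface ignore wildcard
interface listen lo
interface listen eth0

# Who may talk to us is decided by restrict, not by what is bound.
# Default deny for IPv4 and IPv6 ...
restrict default ignore
restrict -6 default ignore
# ... the local host keeps full access so "ntpq -p" works on the box ...
restrict 127.0.0.1
restrict -6 ::1
# ... and the configured servers may answer our queries but may not
# query (mode 6/7), modify or trap us. "restrict source" needs a recent
# ntpd (4.2.7 or later); on older ntpd use one "restrict <ip> ..." line
# per server address instead.
restrict source nomodify noquery notrap

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
EOF
}

# (2) Count peers ntpd has actually heard from. Reads "ntpq -p" output on
#     stdin; a peer counts only if its stratum (column 3) is below 16 and
#     its reach register (column 7, octal) is non-zero. Prints the count.
reachable_peers() {
    awk 'NR > 2 && $3 + 0 < 16 && $7 + 0 != 0 { n++ } END { print n + 0 }'
}

# Exit 0 if at least one peer is reachable, 1 otherwise; input on stdin.
ntp_is_syncing() {
    [ "$(reachable_peers)" -gt 0 ]
}

# Constructed sample output (not captured from a real host). SAMPLE_BROKEN
# mirrors the question's ntpq -p (all peers .INIT., stratum 16, reach 0);
# SAMPLE_OK has one selected peer and one still unreachable.
SAMPLE_BROKEN='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 secondary.cleve .INIT.          16 -    -   64    0    0.000    0.000   0.000
 time.videxio.ne .INIT.          16 -    -   64    0    0.000    0.000   0.000'

SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.ne 192.0.2.10       2 u   34   64  377    1.234    0.012   0.034
 ntp2.example.ne .INIT.          16 -    -   64    0    0.000    0.000   0.000'
```

On a real host, write the config with write_client_conf /etc/ntp.conf, restart ntpd, and confirm with "ss -ulnp | grep ':123'" that port 123 is bound only on lo and the uplink; then "ntpq -p | ntp_is_syncing" should succeed once the iburst exchange has completed (reach climbs from 0 towards 377 over the first few polls). Because the default is "ignore", the restrict lines, not the binding, are what stop outside hosts from using the daemon as a time source or sending it mode 6/7 queries.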

I like to push "no-firewall-safe" configs even when I'm behind them, so I find it frustrating when a package doesn't offer control over interface binding. There is at least one alternative in (old) http://www.openntpd.org/ . For "classic" ntpd, http://support.ntp.org/bin/view/Support/AccessRestrictions has a short labyrinth of recommendations, which can be tested using your favorite queries (e.g. ntpdate from another host, check_ntp from the Nagios plugin suite, etc.).

astrostl