NTPd listens on UDP port 123 (all IP addresses), by default. Is this necessary for just updating the server time?
If it's necessary to listen on an address, what single address should be used? The possible addresses it can listen on are:
- 127.0.0.1
- server IP
- ::1 (IPv6)
- server IP (IPv6)
Why does it even have to listen on localhost (127.0.0.1 and ::1)? Nobody can reach the server on that address.
To bind NTPd to a single address, the -I option can be used. For my Debian box, I had to edit /etc/default/ntp, and replace -g by:
-g -I 1.2.3.4 -I 127.0.0.1
This causes NTPd to listen on the public address 1.2.3.4 (replace it by your own) and 127.0.0.1.
If you just want to update the local time you should probably restrict access to the server, since ntpd doesn't support configuring the listen addresses.
First thing to configure is the default policy. You can either block all communication not enabled afterwards, but remember that restrictions work both ways, for client and server.
Or you could allow the exchange of time by default and allow querying the server only to the localhost:
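As an added example (not part of the answer above), an /etc/ntp.conf fragment spelling out the two default policies just described; 192.0.2.10 is a placeholder for your upstream time server.

```conf
# /etc/ntp.conf fragment (added example, not from the original answers).
# Two alternative default policies; use ONE of them.
# 192.0.2.10 is a placeholder for the upstream server you sync from.

# --- Variant A: deny everything by default, then open only what is needed ---
# "ignore" drops all packets, including replies from the servers you sync to,
# so every upstream server needs its own restrict line that re-allows replies.
restrict default ignore
restrict -6 default ignore          # older ntpd versions keep a separate IPv6 default
restrict 127.0.0.1                  # local tools such as 'ntpq -p localhost' keep full access
restrict ::1
server   192.0.2.10 iburst
restrict 192.0.2.10 nomodify notrap nopeer noquery   # accept time from it, nothing else

# --- Variant B: exchange time with anyone, answer status/control queries only locally ---
# kod      send Kiss-o'-Death packets to clients that exceed the rate limit
# nomodify refuse runtime configuration changes
# notrap   refuse the trap (remote event logging) service
# nopeer   refuse symmetric peer associations with unknown hosts
# noquery  refuse ntpq/ntpdc status queries, so the daemon cannot be used
#          as a reflector and leaks no peer information to the network
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1                  # localhost may still query and modify
restrict ::1
server   192.0.2.10 iburst
```

After a restart, ntpq -p localhost should still work from the box itself, while the same query from another host gets no answer under either variant.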
Also ntpd allows choosing the interface it runs on via the -I switch. If you are running Debian you can simply add that -I switch to the NTPD_OPTS variable in /etc/defaults/ntpd.
Listening on localhost makes sense if you want to run queries on the local box. For example,
ntpq -p localhost
will query the ntp service running on your local box. In general you probably want ntpd to listen on all real addresses that it needs to send or receive updates on. If you are running IPv6 you need to list the IPv6 addresses as well, otherwise just list the real server IP addresses and IPv4 localhost.