30

ntpd listens on numerous interfaces by default, I only want it to listen on 127.0.0.1:123 since I only want the localhost to sync the time.

How to do that, I tried by editing /etc/default/ntp on Debian Wheezy:

NTPD_OPTS='-4 -I 127.0.0.1'

But it still listens globally on 0.0.0.0:123

Any ideas?

JohnnyFromBF
  • I'm curious what your ultimate goal is here. Syncing with localhost doesn't make a lot of sense and won't work at all by default without a `fudge` statement. What are you trying to achieve? – Ladadadada Feb 05 '13 at 15:28
  • @Ladadadada We have an ntp server here within the LAN. Our linux clients should have the correct time, but instead of running an hourly cronjob `ntpdate -B timeserver` we wanted to run an ntpd on every client with only 127.0.0.1:123 which asks the timeserver in the LAN. Is there something wrong with it? – JohnnyFromBF Feb 05 '13 at 15:39
  • 4
    On a client, the listening port is only used for querying the current state of the daemon. The `server` lines in your `ntpd` client configs define who you sync with. If your `server` line(s) say `127.0.0.1`, you have a problem. If they point to your central timeserver, it should all be fine. – Ladadadada Feb 05 '13 at 15:47

4 Answers

36

Remove all -I or --interface options from /etc/default/ntp and insert the following into your /etc/ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
# NOTE: if you want to update your time using remote machines,
# add at least one remote interface address:
#interface listen 2001:db8::1
#interface listen 192.0.2.1

An excerpt from the ntpd(1) manual page about the -I option:

This option also implies not opening other addresses, except wildcard and localhost. Please consider using the configuration file interface command, which is more versatile.

See also the Debian manual page (I could not find it in the Arch Linux one) of ntp.conf(5).

lxrw
Lekensteyn
  • 6
    ntp needs to bind on a routable interface to be able to sync with timeservers. See meepmeep's answer below. – organic-mashup Jul 25 '15 at 12:28
  • Alternatively to `interface ignore wildcard` an `interface ignore all` seems to do the same. Also for debugging: Active interface addresses will be logged (to ntpd's log file) as `Listen normally on ...` while ignored interface addresses will be logged as `Listen and drop on ...`. – U. Windl Dec 30 '19 at 13:50
19

With ntp listening only on 127.0.0.1, it looks like it can't initiate a connection to a public ntp server:

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ks370079.kimsuf .INIT.          16 -    -   64    0    0.000    0.000   0.000

It must be bound to a routable ip address to work.

ColinM
meepmeep
  • Thanks for this observation and your example showing how to verify that this is indeed the case. – ColinM Mar 23 '15 at 20:31
7

Full /etc/ntp.conf that is protocol neutral (IPv4 and/or IPv6):

driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# restrict takes an address or hostname, not an interface name
restrict 127.0.0.1
restrict ::1

interface ignore wildcard
interface listen lo
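Two checks worth automating around the recipes in the first and third answers, added here as an example and not code from the original thread or from the ntp project: a linter that parses an ntp.conf and flags the trap the second answer ran into (ntpd restricted to loopback sockets while its `server`/`pool` lines point at remote hosts, so it has no routable socket to reach them), and a parser for the `Listen normally on ...` / `Listen and drop on ...` lines ntpd logs at start-up, which the comment on the first answer recommends for verifying what actually got bound. The configs and log lines it runs on are constructed for illustration; `192.0.2.1` is a documentation address standing in for a LAN-facing interface, the log line layout is assumed to be ntpd 4.2.8's, and the rule that only loopback sockets plus `interface ignore wildcard` leaves no routable socket is taken from the second answer's observation rather than from the ntpd source.

```python
"""Lint an ntp.conf listen policy and parse ntpd's start-up listen log lines.

Added example; not from the original thread or the ntp project.
"""
import ipaddress
import re
import shlex

LOOPBACK_IFACES = {"lo", "lo0", "localhost"}   # assumption: Linux/BSD names


def _is_loopback(target):
    """True for loopback interface names and loopback IP addresses/prefixes."""
    if target.lower() in LOOPBACK_IFACES:
        return True
    try:
        return ipaddress.ip_network(target, strict=False).network_address.is_loopback
    except ValueError:
        return False   # hostname or other interface name: treat as routable


def parse_ntp_conf(text):
    """Collect (action, target) `interface` rules and upstream hosts."""
    rules, upstreams = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = shlex.split(line)
        kw = parts[0].lower()
        if kw in ("interface", "nic") and len(parts) >= 3:   # nic is an alias
            rules.append((parts[1].lower(), parts[2]))
        elif kw in ("server", "pool", "peer") and len(parts) >= 2:
            upstreams.append(parts[1])
    return rules, upstreams


def lint_listen_policy(text):
    """Return a list of warnings; an empty list means the policy is consistent."""
    rules, upstreams = parse_ntp_conf(text)
    ignores_wildcard = any(a == "ignore" and t.lower() in ("wildcard", "all")
                           for a, t in rules)
    listens = [t for a, t in rules if a == "listen"]
    routable_listen = [t for t in listens if not _is_loopback(t)]
    remote_upstreams = [u for u in upstreams if not _is_loopback(u)]
    warnings = []
    if not upstreams:
        warnings.append("no server/pool/peer lines: ntpd has nothing to sync from")
    if any(_is_loopback(u) for u in upstreams):
        warnings.append("server/pool/peer points at loopback; a client syncs "
                        "with its upstream, not with itself")
    # The second answer's failure mode: loopback-only sockets, remote upstreams.
    if ignores_wildcard and not routable_listen and remote_upstreams:
        warnings.append("only loopback sockets are open but upstreams are remote "
                        "(%s); add `interface listen <routable address>`"
                        % ", ".join(remote_upstreams))
    # Without `ignore wildcard`, listen rules alone leave 0.0.0.0:123 / [::]:123 open.
    if listens and not ignores_wildcard:
        warnings.append("`interface listen` without `interface ignore wildcard`: "
                        "the wildcard sockets stay open")
    return warnings


LISTEN_RE = re.compile(r"Listen (normally|and drop) on \d+ (\S+) (\S+)")


def classify_listen_log(lines):
    """Split ntpd start-up log lines into open and dropped interface addresses."""
    result = {"open": [], "dropped": []}
    for line in lines:
        m = LISTEN_RE.search(line)
        if m:
            key = "open" if m.group(1) == "normally" else "dropped"
            result[key].append("%s %s" % (m.group(2), m.group(3)))
    return result


# Constructed sample: the first answer's recipe applied verbatim on a client.
LOOPBACK_ONLY_CONF = """\
server 0.pool.ntp.org iburst
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
"""
# Constructed sample: same recipe plus one LAN-facing address (documentation IP).
FIXED_CONF = LOOPBACK_ONLY_CONF + "interface listen 192.0.2.1\n"

# Constructed ntpd start-up lines; format assumed to match ntpd 4.2.8.
SAMPLE_LOG = [
    "ntpd[1234]: Listen and drop on 0 v6wildcard [::]:123",
    "ntpd[1234]: Listen and drop on 1 v4wildcard 0.0.0.0:123",
    "ntpd[1234]: Listen normally on 2 lo 127.0.0.1:123",
    "ntpd[1234]: Listen normally on 3 eth0 192.0.2.1:123",
    "ntpd[1234]: Listen normally on 4 lo [::1]:123",
]

if __name__ == "__main__":
    for name, conf in (("loopback-only", LOOPBACK_ONLY_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_listen_policy(conf) or "OK")
    print(classify_listen_log(SAMPLE_LOG))
```

Run it against a real `/etc/ntp.conf` by reading the file into `lint_listen_policy`, and feed `classify_listen_log` the ntpd lines from `journalctl -u ntp` or `/var/log/syslog` after a restart; a LAN-facing address appearing under `open` is what the second answer says is needed for the upstream `server` lines to work.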
7

If you want to reduce the number of listening services for security reasons, openntpd might be considered, as it does not require a listening server to act as a client. It is considered slightly less accurate than ntpd; it is reliable within a few hundred ms, but this is suitable for most purposes.

copycat