CentOS - Jun 2009 - how to set ntpd listen only 127.0.0.1 ?

Hello, all.

 

I would like to use ntpd for time sync not rdate or ntpdate.

 

but after installation the ntpd, I found that listened at all interfaces like
below.

 

udp        0      0 192.168.111.2:123           0.0.0.0:*                       
11528/ntpd
udp        0      0 xxx.xxx.62.20:123           0.0.0.0:*                       
11528/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                       
11528/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                       
11528/ntpd


 

Is there any way or option that only listen 127.0.0.1 for security reason?

 

 

Thanks in advacne.

_________________________________________________________________
???? ????! ??? ??? ???? ????! ??? ??! 25GB ???? ?! ???? ??? ?? ??
http://im.msn.co.kr/Univ/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20090612/48f6cbb5/attachment-0001.html>

Hi,

2009/6/11 MontyRee <chulmin2 at hotmail.com>:
> Is there any way or option that only listen 127.0.0.1?
I don't think so. NTP is an UDP protocol, and its packets have both
source and destination port 123, so the machine that is using NTP to
set its own clock (NTP "client") needs to listen on port 123 UDP to
receive the replies from the NTP "server".
> for security reason?
Look into the "restrict" commands in ntp.conf to implement security
policies on NTP. You can find information on how it works on "man
ntp_acc".

If you use a fixed list of NTP servers that have fixed IPs, you can
also use iptables to block access to port 123 UDP to all except those
hosts.

HTH,
Filipe

2009/6/12 MontyRee <chulmin2 at hotmail.com>:
> Hello, all.
>
> I would like to use ntpd for time sync not rdate or ntpdate.
>
> but after installation the ntpd, I found that listened at all interfaces
> like below.
>
> udp        0      0 192.168.111.2:123
> 0.0.0.0:*                               11528/ntpd
> udp        0      0 xxx.xxx.62.20:123
> 0.0.0.0:*                               11528/ntpd
> udp        0      0 127.0.0.1:123               0.0.0.0:*             &
> nbsp;                 11528/ntpd
> udp        0      0 0.0.0.0:123
> 0.0.0.0:*                               11528/ntpd
>
>
> Is there any way or option that only listen 127.0.0.1 for security reason?
>
>
> Thanks in advacne.
>
> ________________________________
> ???? ????! ??? ??? ???? ????! ??? ??! 25GB ???? ?! ???? ??? ?? ??!
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
You could also ditch the ntp daemon (uncheck it in ntsysv) in favour
of running `ntpdate some.time.server` every now and then from cron.
e.g.
@hourly /usr/sbin/ntpdate ro.pool.ntpdate.org

Sure, it might not be as elegant and practical, but it works.

From: MontyRee <chulmin2 at hotmail.com>
> I would like to use ntpd for time sync not rdate or ntpdate.
> but after installation the ntpd, I found that listened at all interfaces
like below.
> udp        0      0 192.168.111.2:123           0.0.0.0:*                  
11528/ntpd
> udp        0      0 xxx.xxx.62.20:123           0.0.0.0:*                  
11528/ntpd
> udp        0      0 127.0.0.1:123               0.0.0.0:*             &
nbsp;                 11528/ntpd
> udp        0      0 0.0.0.0:123                 0.0.0.0:*                  
11528/ntpd
> Is there any way or option that only listen 127.0.0.1 for security reason?
Another option would be to firewall the unwanted ports...

JD