Scenario / Questions
I’ve noticed this for a while, and it’s never made any sense to me: why does ntpd need to listen on so many addresses?
For example, on a Debian machine:

    $ netstat
    Proto  Local Address     Foreign Address  Program name
    udp    0.0.0.0:123       0.0.0.0:*        ntpd
    udp    127.0.0.1:123     0.0.0.0:*        ntpd
    udp    [LAN]:123         0.0.0.0:*        ntpd
    udp    [IPv4]:123        0.0.0.0:*        ntpd
    udp6   :::123            :::*             ntpd
    udp6   ::1:123           :::*             ntpd
    udp6   [link-local]:123  :::*             ntpd
    udp6   [IPv6]:123        :::*             ntpd
The netstat listing shows ntpd listening on the broadcast, local, LAN, and global addresses, for IPv4 and IPv6. Why is ntpd so promiscuous?
Find below all possible solutions or suggestions for the above questions.
From my reading of this page, it appears that ntp doesn’t use the INADDR_ANY 0.0.0.0 address exclusively, partly for security reasons and partly for authentication reasons.

First, port 123 is below 1024, and so is considered a privileged port; only root can bind to that port. ntp is typically set to drop privileges after it is started. From what I understand from the mailing lists and the article, once the privileges are dropped it can’t open a socket to reply from the correct source port of 123, so ntp opens up sockets for every assigned address before it drops privileges.

From what I have read, some of the authentication mechanisms for ntp basically require that the source and destination port be 123, and nothing else.
The matter isn’t entirely clear. See the section about the wildcard address 0.0.0.0: it is opened by ntpd for some reason, but from the comments it should never actually be used, except possibly in some special rare cases that the devs aren’t entirely sure about, but they don’t want to remove the socket just in case they break things.

    Note that normally ntpd should not be accepting packets on the wildcard addresses since there are a number of problems if you do so including sending return packets on a different address from the sender’s requested address.
    -- DannyMayer, 27 Apr 2009
I think the main answer to your question is in the above comment here.

It is not promiscuous at all. It’s just binding to the interface IP addresses and localhost, on both the IPv4 and IPv6 protocols.

If you think it should not be listening on some of those, just change the listen config as explained in the manual (this may be for a different version than you are using):

    listen on address
        Specify a local IP address or a hostname the ntpd(8) daemon should
        listen on. If it appears multiple times, ntpd(8) will listen on each
        given address. If the exact string '*' is given as an address, ntpd(8)
        will listen on all local addresses. Otherwise, address can be followed
        by an asterisk ('*') and a UDP port number to listen on instead of the
        default 123. ntpd(8) does not listen on any address by default.
        For example:

            listen on *
            listen on 127.0.0.1
            listen on ::1

In some other versions you will need to change the options to the ntpd daemon itself to change which protocols/interfaces it listens on (options like
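The listing in the question and the comment about the wildcard socket both come down to one question an operator actually cares about: which of ntpd’s sockets face the LAN or the Internet, which are loopback, and which are the wildcard ones that should never be answering. The script below is an added example (not from the question or either answer) that classifies netstat-style lines that way; its sample input is constructed to mirror the question’s listing, with documentation addresses standing in for the redacted ones.

```sh
#!/bin/sh
# Classify the local addresses ntpd is bound to, from netstat-style
# "Proto Local-Address Foreign-Address Program" lines.  SAMPLE is a
# constructed listing (RFC 5737/3849 documentation addresses stand in for
# the [LAN]/[IPv4]/[IPv6] placeholders).  On a live host feed real output:
#   netstat -lnup | audit
SAMPLE='udp 0.0.0.0:123 0.0.0.0:* ntpd
udp 127.0.0.1:123 0.0.0.0:* ntpd
udp 192.168.1.20:123 0.0.0.0:* ntpd
udp 198.51.100.7:123 0.0.0.0:* ntpd
udp6 :::123 :::* ntpd
udp6 ::1:123 :::* ntpd
udp6 fe80::1:123 :::* ntpd
udp6 2001:db8::7:123 :::* ntpd
udp 0.0.0.0:68 0.0.0.0:* dhclient'

# classify ADDR -> wildcard | loopback | link-local | private | global
classify() {
  case "$1" in
    0.0.0.0|::)                                             echo wildcard ;;
    127.*|::1)                                              echo loopback ;;
    169.254.*|fe80:*)                                       echo link-local ;;
    10.*|192.168.*|172.1[6-9].*|172.2?.*|172.3[01].*|fc*|fd*) echo private ;;
    *)                                                      echo global ;;
  esac
}

# audit: read netstat lines on stdin and print "class address port" for
# each ntpd socket; header lines and other programs are skipped.  Sockets
# not on UDP/123 are tagged, since NTP replies are expected from port 123.
audit() {
  while read -r _proto local _foreign prog; do
    [ "$prog" = ntpd ] || continue
    addr=${local%:*}    # drop the trailing :port (the port is always last,
    port=${local##*:}   # so this is safe for IPv6 literals such as ::1:123)
    class=$(classify "$addr")
    [ "$port" = 123 ] || class="$class,non-default-port"
    printf '%s %s %s\n' "$class" "$addr" "$port"
  done
}

# count_class CLASS: number of ntpd sockets in SAMPLE with exactly that class
count_class() {
  printf '%s\n' "$SAMPLE" | audit | awk -v c="$1" '$1 == c' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | audit
```

The two wildcard rows are expected on a stock ntpd and are not by themselves a misconfiguration; the rows worth reviewing are the global ones, which are the sockets a `listen on` restriction (or the daemon’s interface options) would remove.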