Stop ntpd from serving

Hornpipe2

Hornpipe2

I want to use ntpd as a background service to keep my system clock in sync at all times. But for some reason the service wants to start itself as a sort of time relay instead. How can I stop it from opening port 123 to the Universe, short of dropping connections in the firewall? There has got to be a way to put ntpd in "client mode only", I just can't figure out what it is.

Per the manual I tried putting
restrict default ignore
in /etc/ntp.conf, but sockstat -4 -l is still showing the port as active even after doing "killall ntpd" and then /etc/rc.d/ntpd start
 
Try using restrict:
Code: 
restrict default ignore
restrict 127.0.0.1
server 0.tw.pool.ntp.org
server 1.tw.pool.ntp.org
server 2.tw.pool.ntp.org
restrict 0.tw.pool.ntp.org
restrict 1.tw.pool.ntp.org
restrict 2.tw.pool.ntp.org

This way only the servers you specify can sync with ntpd. The port has to remain open, but queries will be turned down.
 
Remove ntpd and use openntpd. NTPD do not have option to restrict to certain ips, it means jail will be in trouble as it takes control of all ips. Configuration is also complicated. Just install openntpd from the ports. Another option is to use firewall to drop incoming ntpd traffic.
 
vivek said:
NTPD do not have option to restrict to certain ips,
Click to expand...
Yes, you can.

it means jail will be in trouble as it takes control of all ips.
Click to expand...
You don't need to run ntpd inside a jail, a jail gets the time from the host.
 
SirDice said:
Yes, you can.


You don't need to run ntpd inside a jail, a jail gets the time from the host.
Click to expand...

Sorry I mean limit binding to specific IPs and interfaces. We have some server with 50+ IPs and ntpd take control of all ips. There is no option under 7.2 or earlier version, to bind ntpd to a specific ip or interface. Though latest version claims to support binding feature, but it is not included in any production base system.
 
dennylin93 said:
Code: 
restrict default ignore
restrict 127.0.0.1
server 0.tw.pool.ntp.org
server 1.tw.pool.ntp.org
server 2.tw.pool.ntp.org
restrict 0.tw.pool.ntp.org
restrict 1.tw.pool.ntp.org
restrict 2.tw.pool.ntp.org
Click to expand...

Thanks, this worked perfectly (verified with remote nmap). I still plan on blocking incoming connections to 123 with the firewall but this is just extra security : )
 
You must log in or register to reply here.
Back
Top