HPE Community
Operating System - HP-UX
1823366 Members
2706 Online
109654 Solutions
New Discussion юеВ

NTP listening for all network interfaces

 
Jos├й Enrique Gonz├бlez
Frequent Advisor

тАО01-22-2007 03:53 AM

тАО01-22-2007 03:53 AM

NTP listening for all network interfaces

HI:

I am detecting that my xntpd daemon has an active LISTEN socket created for every network interface in my server... even for virtual interfaces! As this could be a potential security bridge, is there any way to restrict xntpd to just opening a socket for the interface which is used for comunications with NTP server? Thanks in advance for your comments

Jose Enrique
0 Kudos
Reply
5 REPLIES 5
spex
Honored Contributor

тАО01-22-2007 04:09 AM

тАО01-22-2007 04:09 AM

Re: NTP listening for all network interfaces

Hi Jose,

According to the ntpd FAQ, ntpd listens on all interfaces:

6.2.6.1. My NTP Server has a number of IP Addresses for different Nets. Is there any way to request ntpd to attach to a specific Interface?

As far as I know, ntpd attaches to all interfaces. What happens if you have virtual adresses (interface aliases) depends on the operating system. For some operating systems ntpd listens to all adresses.

It is known that the issue is handled sub-optimal, and it's being worked on it...

http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm

PCS
0 Kudos
Reply
Ivan Krastev
Honored Contributor

тАО01-22-2007 07:43 AM

тАО01-22-2007 07:43 AM

Re: NTP listening for all network interfaces

Xntpd have internal mechanism for restricting access to certain ip's - http://docs.hp.com/en/B2355-90147/ch07s02.html#daibbacf


regards,
ivan
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО01-22-2007 07:47 AM

тАО01-22-2007 07:47 AM

Re: NTP listening for all network interfaces

Shalom Jose,

On Linux I've discovered that NTP does not by default listen on all interfaces. I've also not found any configuration changes that can be made to force it to do so.

We discovered this the hard way when we implemented a cluster on our ftp/dns/ntp server pair. To do the switch with no downtime we took one of the server names, the primary service provider and made it the floating ip address.

Soon after our internal ntp clients started to have sync problems.

netstat -an | grep 123

These results will show you what daemons are listening on port 123 and if you see an ip address of 0.0.0.0 then all interfaces are listening as well as floating ip addresses. if you see anything else, all interfaces and floating ip addresses are not listening.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО01-22-2007 08:09 AM

тАО01-22-2007 08:09 AM

Re: NTP listening for all network interfaces

The ntpd has an option that is:

-L : Do not listen to virtual IPs.

You can modify ntpd startup options in /etc/sysconfig/ntpd if you are using redhat/fedora.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
rick jones
Honored Contributor

тАО01-22-2007 12:34 PM

тАО01-22-2007 12:34 PM

Re: NTP listening for all network interfaces

As an interim measure, you could enable ipfilter and use it to filter any ntp traffic which happened to go to/from the IPs you didn't want it to. More on configuring ipfilter is likely in the stuff on docs.hp.com.
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.