Operating System - HP-UX

NTP listening for all network interfaces

HI:

I am seeing that my xntpd daemon has an active LISTEN socket created for every network interface in my server... even for virtual interfaces! As this could be a potential security breach, is there any way to restrict xntpd to just opening a socket for the interface which is used for communications with the NTP server? Thanks in advance for your comments.

Jose Enrique
spex
Honored Contributor

Re: NTP listening for all network interfaces

Hi Jose,

According to the ntpd FAQ, ntpd listens on all interfaces:

6.2.6.1. My NTP Server has a number of IP Addresses for different Nets. Is there any way to request ntpd to attach to a specific Interface?

As far as I know, ntpd attaches to all interfaces. What happens if you have virtual addresses (interface aliases) depends on the operating system. For some operating systems ntpd listens to all addresses.

It is known that the issue is handled sub-optimally, and it is being worked on...

http://www.eecis.udel.edu/~ntp/ntpfaq/NTP-s-config.htm

PCS
Ivan Krastev
Honored Contributor

Re: NTP listening for all network interfaces

xntpd has an internal mechanism for restricting access to certain IPs - http://docs.hp.com/en/B2355-90147/ch07s02.html#daibbacf


regards,
ivan
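A worked /etc/ntp.conf fragment for the access-control mechanism Ivan points to, added here as an editor's example; it is not taken from the HP documentation or from the original thread. The addresses are placeholders: 192.0.2.10 stands for the upstream NTP server and 192.0.2.0/255.255.255.0 for the one internal subnet allowed to ask this host for time. Two caveats a practitioner should keep in mind: restrict is access control inside xntpd, not socket binding, so the daemon still opens port 123 on every address (netstat output does not change) but silently discards packets that match no permitting entry; and the set of restrict flags accepted by the xntpd shipped with a given HP-UX release should be confirmed against its xntpd(1M) man page before relying on any of them.

```conf
# /etc/ntp.conf (xntpd): example access control, added here, not from the HP docs.
# Placeholders: 192.0.2.10 = upstream NTP server,
#               192.0.2.0 mask 255.255.255.0 = the only subnet served time.

# Discard every packet whose source address matches no later restrict entry.
restrict default ignore

# Full access from the loopback so ntpq/xntpdc still work on the box itself.
restrict 127.0.0.1

# Accept time from the upstream server, but do not let it modify the
# run-time configuration, set traps, or run ntpq/xntpdc queries.
# noquery does not block the time exchange itself.
restrict 192.0.2.10 nomodify notrap noquery
server   192.0.2.10

# Serve time read-only to one internal subnet; nopeer stops hosts there
# from being accepted as symmetric peers.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery nopeer

# HP-UX default drift file location.
driftfile /etc/ntp.drift
```

After editing the file, restart the daemon (/sbin/init.d/xntpd stop; /sbin/init.d/xntpd start) and confirm the list xntpd actually loaded with `xntpdc -c reslist`; a query from an address outside the allowed set (for example `ntpq -p <host>` from another subnet) should then time out rather than answer.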
Steven E. Protter
Exalted Contributor

Re: NTP listening for all network interfaces

Shalom Jose,

On Linux I've discovered that NTP does not by default listen on all interfaces. I've also not found any configuration changes that can be made to force it to do so.

We discovered this the hard way when we implemented a cluster on our ftp/dns/ntp server pair. To do the switch with no downtime, we took one of the server names, the primary service provider, and made it the floating IP address.

Soon after our internal ntp clients started to have sync problems.

netstat -an | grep 123

These results will show you which daemons are listening on port 123. If you see an IP address of 0.0.0.0, then all interfaces are listening, as well as floating IP addresses; if you see anything else, all interfaces and floating IP addresses are not listening.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
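The netstat check Steven describes, turned into a small script as an added example (editor's code, not from the original post). It classifies every UDP socket bound to port 123 as WILDCARD (bound to every address, so aliases and floating IPs answer too) or SPECIFIC (bound to one address), and it understands both the BSD/HP-UX column format (`*.123`, `192.0.2.20.123`) and the Linux one (`0.0.0.0:123`, `:::123`). The netstat lines it parses below are constructed sample input, not captured from a real host, and the addresses in them are placeholders.

```shell
#!/bin/sh
# Added example: classify port-123 listeners in "netstat -an" output.

# Constructed sample (not from a real host): one BSD-style wildcard socket,
# one address-specific socket, one Linux-style wildcard, plus lines to skip.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  *.123                  *.*
udp        0      0  192.0.2.20.123         *.*
udp        0      0  10.1.2.3.1234          *.*
udp        0      0  0.0.0.0:123            0.0.0.0:*
tcp        0      0  *.22                   *.*                    LISTEN'

# ntp_listeners: read netstat -an output on stdin and print one line per
# UDP socket on port 123, as "<WILDCARD|SPECIFIC> <local address>".
ntp_listeners() {
    awk '
        $1 ~ /^udp/ {
            laddr = $4
            # The port follows the last ":" (Linux) or "." (BSD/HP-UX).
            sep = (index(laddr, ":") > 0) ? ":" : "."
            n = split(laddr, parts, sep)
            port = parts[n]
            if (port != "123") next
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "")
                kind = "WILDCARD"
            else
                kind = "SPECIFIC"
            print kind, addr
        }'
}

# ntp_listener_count: number of port-123 UDP sockets in the input.
ntp_listener_count() {
    ntp_listeners | awk 'END { print NR }'
}

# ntp_wildcard_bound: exit 0 if any port-123 socket is bound to every
# address (aliases and floating IPs included), 1 otherwise.
ntp_wildcard_bound() {
    ntp_listeners | grep -q '^WILDCARD'
}

# check_live_host: run the same classification against this machine.
check_live_host() {
    netstat -an | ntp_listeners
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | ntp_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | ntp_wildcard_bound; then
    echo "xntpd/ntpd answers on every address on this host"
fi
```

Run `check_live_host` on the server to see the real picture. Two things this check cannot tell you: whether a `restrict` list in ntp.conf is discarding unwanted packets (the wildcard socket looks identical either way), and whether a packet filter in front of the daemon is doing the same; both need to be verified by sending a query from a disallowed address and confirming it gets no reply.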
Ivan Ferreira
Honored Contributor

Re: NTP listening for all network interfaces

ntpd has an option:

-L : Do not listen to virtual IPs.

You can modify the ntpd startup options in /etc/sysconfig/ntpd if you are using Red Hat/Fedora.
Why do it the hard way, when you can do it the easy way?
rick jones
Honored Contributor

Re: NTP listening for all network interfaces

As an interim measure, you could enable ipfilter and use it to filter any NTP traffic which happened to go to/from the IPs you didn't want it to. More on configuring ipfilter is likely in the material on docs.hp.com.
there is no rest for the wicked yet the virtuous have no pillows
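A worked IPFilter rule set for the interim measure Rick suggests, added here as an editor's example rather than anything from the thread or the HP documentation. It assumes the HP-UX IPFilter configuration file path /etc/opt/ipf/ipf.conf and these placeholders: 192.0.2.20 is the one local address on which xntpd should be reachable, lan0 the interface carrying it, 192.0.2.10 the upstream NTP server, and 192.0.2.0/24 the internal subnet that may query this host. Like the restrict list, this does not close the sockets; xntpd still binds port 123 on every address, but the filter drops traffic to all of the others before the daemon sees it.

```conf
# /etc/opt/ipf/ipf.conf (HP-UX IPFilter): example rules, added here, not from the HP docs.
# Placeholders: 192.0.2.20 = address xntpd may be reached on, lan0 = its interface,
#               192.0.2.10 = upstream NTP server, 192.0.2.0/24 = allowed client subnet.
# Rules are evaluated in order; "quick" stops at the first match.

# Our own queries out to the upstream server, and its replies back in,
# only via the chosen address.
pass out quick on lan0 proto udp from 192.0.2.20 port = 123 to 192.0.2.10 port = 123
pass in  quick on lan0 proto udp from 192.0.2.10 port = 123 to 192.0.2.20 port = 123

# Internal clients may query the chosen address only.
pass in  quick on lan0 proto udp from 192.0.2.0/24 to 192.0.2.20 port = 123

# Anything else aimed at port 123 on any local address (aliases and
# virtual interfaces included) is dropped.
block in quick proto udp from any to any port = 123
```

Load the rules with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and list what is active with `ipfstat -io`; then confirm from a host outside 192.0.2.0/24, or against one of the alias addresses, that `ntpq -p <alias>` times out while the same query against 192.0.2.20 from an allowed client still answers.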