# Stop ntpd from serving



## Hornpipe2 (Nov 22, 2009)

I want to use ntpd as a background service to keep my system clock in sync at all times.  But for some reason the service wants to start itself as a sort of time relay instead.  How can I stop it from opening port 123 to the Universe, short of dropping connections in the firewall?  There has got to be a way to put ntpd in "client mode only", I just can't figure out what it is.

Per the manual I tried putting `restrict default ignore` in /etc/ntp.conf, but `sockstat -4 -l` is still showing the port as active even after doing `killall ntpd` and then `/etc/rc.d/ntpd start`.


----------



## dennylin93 (Nov 22, 2009)

Try using restrict:

```
restrict default ignore        # drop every packet from any address not matched below
restrict 127.0.0.1             # full access for local ntpq/ntpdc
server 0.tw.pool.ntp.org
server 1.tw.pool.ntp.org
server 2.tw.pool.ntp.org
restrict 0.tw.pool.ntp.org     # needed so the replies from these servers
restrict 1.tw.pool.ntp.org     # are not thrown away by "default ignore"
restrict 2.tw.pool.ntp.org
```

This way only the servers you specify can sync with ntpd. The port has to remain open, but queries will be turned down.

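As an added example (not from the thread, and not part of ntpd): a small Python lint that parses the `server`/`restrict` lines discussed above and reports why a configuration still serves time to the world, or why it cannot sync at all, which is what happens with `restrict default ignore` alone, the first thing the original poster tried. The hostnames and the two sample configs are constructed; the IPv6 check is version-dependent and is marked as an assumption in the code.

```python
"""Lint an ntp.conf for a client-only 'restrict' policy.

Added example, not from the thread and not part of ntpd.  It parses
the server/restrict lines discussed above and reports why a config
still serves time to the world, or why it cannot sync at all.
"""

# Flags that close the control and peering paths but still serve time.
HARDENING_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}


def parse_ntp_conf(text):
    """Return (servers, restricts).

    servers   -- hostnames/addresses from server, peer and pool lines
    restricts -- list of (family, target, flags); family is '-4', '-6'
                 or None, flags is the set of restrict flags on the line
    """
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments
        if not line:
            continue
        words = line.split()
        key, args = words[0], words[1:]
        if key in ("server", "peer", "pool") and args:
            servers.append(args[0])
        elif key == "restrict" and args:
            family = None
            if args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if not args:
                continue
            target, rest = args[0], args[1:]
            flags, i = set(), 0
            while i < len(rest):
                if rest[i] == "mask" and i + 1 < len(rest):
                    i += 2                         # skip "mask a.b.c.d"
                else:
                    flags.add(rest[i])
                    i += 1
            restricts.append((family, target, flags))
    return servers, restricts


def check_client_only(text):
    """Return a list of findings.  An empty list means: nobody but the
    configured upstream servers gets through, and all of them do."""
    servers, restricts = parse_ntp_conf(text)
    findings = []

    defaults = [(fam, flags) for fam, tgt, flags in restricts if tgt == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: any host can be served "
                        "by, query and peer with this ntpd")
    deny_all = False
    for fam, flags in defaults:
        label = "restrict %sdefault" % (fam + " " if fam else "")
        if "ignore" in flags:
            deny_all = True
            continue
        if "noserve" not in flags:
            findings.append("%s still answers time requests from anyone "
                            "(add 'ignore' or 'noserve')" % label)
        missing = sorted(HARDENING_FLAGS - flags)
        if missing:
            findings.append("%s lacks %s" % (label, " ".join(missing)))
    # Assumption, version-dependent: some older ntpd releases applied a
    # family-less 'restrict default' to IPv4 only, which is why distro
    # templates carry a second 'restrict -6 default' line.  Check the
    # ntp.conf(5) of your release before relying on one line for both.
    if defaults and not any(fam == "-6" for fam, _ in defaults):
        findings.append("no 'restrict -6 default' line: older ntpd releases "
                        "may apply the family-less default to IPv4 only")

    by_target = {}
    for _fam, tgt, flags in restricts:
        by_target.setdefault(tgt, set()).update(flags)
    for host in servers:
        if host not in by_target:
            if deny_all:
                findings.append("server %s has no restrict line: 'restrict "
                                "default ignore' drops its replies, so the "
                                "clock never syncs" % host)
            continue
        flags = by_target[host]
        if flags & {"ignore", "noserve"}:
            findings.append("restrict %s blocks that server's replies" % host)
        missing = sorted(HARDENING_FLAGS - flags)
        if missing:
            findings.append("restrict %s grants that host full access "
                            "(add %s)" % (host, " ".join(missing)))
    return findings


# Constructed sample: the first attempt from the opening post, a bare
# 'restrict default ignore' with no per-server lines (placeholder hosts).
ATTEMPT_1 = """
restrict default ignore
server 0.pool.example.net
server 1.pool.example.net
"""

# Constructed sample: the shape of the answer above, plus an IPv6 default
# and the usual hardening flags on the per-server lines.
CLIENT_ONLY = """
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.example.net
server 1.pool.example.net
restrict 0.pool.example.net nomodify notrap nopeer noquery
restrict 1.pool.example.net nomodify notrap nopeer noquery
"""

if __name__ == "__main__":
    for name, conf in (("attempt 1", ATTEMPT_1), ("client-only", CLIENT_ONLY)):
        print("==", name)
        for f in check_client_only(conf) or ["OK: client-only policy"]:
            print(" -", f)
```

Run it against your real /etc/ntp.conf by passing the file contents to `check_client_only`; the lint only reads the file, so it says nothing about whether ntpd has actually re-read it, which is what `sockstat -4 -l` and a remote `nmap -sU -p 123` are for.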

----------



## vivek (Nov 22, 2009)

Remove ntpd and use openntpd. ntpd does not have an option to restrict to certain IPs; that means jails will be in trouble, as it takes control of all IPs. The configuration is also complicated. Just install openntpd from the ports. Another option is to use the firewall to drop incoming ntpd traffic.


----------



## SirDice (Nov 22, 2009)

vivek said:

> NTPD do not have option to restrict to certain ips,


Yes, you can.



> it means jail will be in trouble as it takes control of all ips.


You don't need to run ntpd inside a jail, a jail gets the time from the host.


----------



## vivek (Nov 22, 2009)

SirDice said:

> Yes, you can.
> 
> 
> You don't need to run ntpd inside a jail, a jail gets the time from the host.



Sorry, I meant limiting binding to specific IPs and interfaces. We have some servers with 50+ IPs and ntpd takes control of all IPs. There is no option under 7.2 or earlier versions to bind ntpd to a specific IP or interface. Though the latest version claims to support a binding feature, it is not included in any production base system.

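As an added example (not from the thread): the per-address binding vivek describes as only existing in newer ntpd is the `interface` directive in ntp.conf, present in later ntpd releases and documented in their ntp.conf(5); it is not a substitute for the `restrict` policy above, which still decides who gets an answer on the addresses that are opened. Rules are evaluated per local address and the last matching rule wins, so the blanket `ignore` lines go first. The address is a placeholder, and the `restrict` lines from the answer above are still needed alongside this.

```conf
# Added example: bind ntpd to one address instead of every IP on the box.
# Only valid on ntpd releases whose ntp.conf(5) documents "interface".
interface ignore wildcard      # do not open 0.0.0.0:123 / [::]:123
interface ignore all           # ...and no other local address either
interface listen 192.0.2.10    # placeholder: the one address allowed to talk NTP
interface listen 127.0.0.1     # keep local ntpq working
```

After a restart, `sockstat -4 -l | grep ntpd` should list only the two addresses above; if it still shows `*:123`, the running ntpd predates the directive and the firewall remains the only way to keep the other addresses quiet.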

----------



## SirDice (Nov 22, 2009)

vivek said:

> Sorry I mean limit binding to specific IPs and interfaces.


Ah, yes. That it doesn't.


----------



## Hornpipe2 (Nov 22, 2009)

dennylin93 said:

> ```
> restrict default ignore
> restrict 127.0.0.1
> server 0.tw.pool.ntp.org
> ...
> ```



Thanks, this worked perfectly (verified with a remote nmap). I still plan on blocking incoming connections to 123 with the firewall, but this is just extra security : )


----------

