On Sat, 07 Jan 2017, Eero Volotinen wrote:
> Default ntpd does listen always on all interfaces. You need to install

You can restrict the standard ntp daemon services, and it won't *reply*. You can also restrict its bind addresses, so it won't listen on every interface it detects.

Usually, high-gain amplification attacks are the only thing we need to restrict by default, and those are restricted to localhost by default in Debian (I don't know since when, but Debian Jessie's defaults are correct).

> openntpd or limit access to ntp port with iptables.

If you're limiting access to the ntp port, it doesn't matter if you use secure but incomplete openntpd, or horrid-security-track-record, but fully-fledged ntpd.

For client-only, openntpd is likely a better choice, yes. Better yet, use "chrony", which is optimized for desktops/laptops (which get disconnected/powered off/suspended often).

ntp - time servers, high-precision time clients.
openntpd - always-on medium-precision time clients.
chrony - everything else.

> > On 01/07/2017 09:33 AM, Mart van de Wege wrote:
> >> Turns out the Debian default is indeed to provide time service if you
> >> install NTP. Shouldn't that be limited to localhost only, so that an

We already limit the large-amplification attacks to localhost. Regular ntp service works out-of-the-box, that means allowing client-server clock queries. But regular ntp service has a low amplification factor, so it is usually not considered a problem at the network level.

-- 
Henrique Holschuh


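An added example, not part of the thread and not Debian's or the ntp project's code: a small Python script that parses the ntpd `restrict` and `interface` directives the reply refers to and answers the three questions raised here for a given ntp.conf: are mode 6/7 queries (the amplification vector) open to remote hosts, is ordinary client-server time service offered, and does the daemon bind every interface it finds. The three configurations are constructed samples; the `restrict` lines in the second one mirror the Debian jessie defaults described above, and the 192.0.2.10 address is from the documentation range, not a real host.

```python
"""Audit ntpd restrict/interface directives for remote query exposure,
time service, and wildcard binding.

Added example; not Debian's or the ntp project's code. Assumes classic
ntp.conf syntax:
  restrict [-4|-6] <address|default> [mask <m>] [flags...]
  interface ignore|listen|drop <name|address|wildcard>
"""
import shlex

# Constructed sample configurations (assumptions for this example).
OPEN_CONF = """
# server lines only: with no `restrict default`, every request is answered
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
"""

DEBIAN_DEFAULT_CONF = """
server 0.debian.pool.ntp.org iburst
# noquery blocks mode 6/7 (monlist, readvar) for everyone ...
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# ... while localhost keeps full access
restrict 127.0.0.1
restrict ::1
"""

HARDENED_CONF = DEBIAN_DEFAULT_CONF + """
# additionally stop binding every address ntpd discovers
interface ignore wildcard
interface listen 192.0.2.10
interface listen 127.0.0.1
"""


def parse_ntp_conf(text):
    """Return (restricts, interfaces): restricts as (family, target, flags),
    interfaces as (action, name). Comments and unrelated directives are skipped."""
    restricts, interfaces = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "restrict":
            args = parts[1:]
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family = args.pop(0)
            if not args:
                continue  # malformed line: no address
            target = args.pop(0)
            flags, i = set(), 0
            while i < len(args):
                if args[i] == "mask":  # `mask x.x.x.x` takes one argument
                    i += 2
                    continue
                flags.add(args[i])
                i += 1
            restricts.append((family, target, flags))
        elif parts[0] == "interface" and len(parts) >= 3:
            interfaces.append((parts[1], parts[2]))
    return restricts, interfaces


def audit(text):
    """Summarise what the configuration exposes to hosts other than localhost."""
    restricts, interfaces = parse_ntp_conf(text)
    defaults = [flags for _, target, flags in restricts if target == "default"]
    if not defaults:
        # ntpd with no `restrict default` line answers every request type
        remote_query = remote_time = True
    else:
        # `ignore` drops everything; `noquery` drops mode 6/7 only;
        # `noserve` refuses ordinary client-server time requests
        remote_query = any("ignore" not in f and "noquery" not in f for f in defaults)
        remote_time = any("ignore" not in f and "noserve" not in f for f in defaults)
    binds_all = not any(a == "ignore" and n == "wildcard" for a, n in interfaces)
    return {
        "remote_mode67_queries": remote_query,   # amplification vector
        "remote_time_service": remote_time,      # low-amplification client-server
        "binds_all_interfaces": binds_all,
    }


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("debian-default", DEBIAN_DEFAULT_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Run against a real `/etc/ntp.conf` by passing its contents to `audit()`; the first flag is the one the thread says must be closed by default, the second is the ordinary time service that is expected to remain open, and the third is the bind-address question answered by `interface ignore wildcard`.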