The listen-on directive specifies which addresses or interfaces to use to accept queries instead of all interfaces and addresses.
In the absence of this directive ntpd will listen on and accept all NTP packets on all IP addresses, with the exception of the wildcard addresses, where it will accept all packets but drop them when they arrive.
When there is more than one listen-on directive or -I command-line option, the last one added will be used if it applies, and command-line options will be checked before configuration options.
The localhost IP addresses (127.0.0.1 and ::1) will always be able to accept packets unless explicitly disabled by a listen-on directive. This is necessary if DNS lookup is delayed and allows local monitoring. If you choose to disable this you will not be able to check for DNS addresses if you are using names instead of addresses for NTP servers.
The listen-on directive takes an address or interface and will optionally take a directive.
Multiple listen-on directives will append to the existing list. The last valid address/interface listed will be used.
The syntax of the configuration option is as follows:
listen-on address|interface|keyword [ accept|drop|ignore ] [prefixlen nn]
The descriptions of these options are as follows:
accept - this address or interface should accept and process packets received. This is the default.
drop - this address or interface should accept packets but drop the packet when received
ignore - this address or interface will not be used to receive packets
In addition to actual IP addresses and interface names the listen-on syntax accepts the following keywords:
all - all IP addresses available on the system
wild - the wildcard addresses (0.0.0.0 and ::)
ipv4 - the IPv4 addresses available on the system
ipv6 - the IPv6 addresses available on the system
localhost - the localhost addresses (127.0.0.1 and ::1)
prefixlen nn is used to indicate that the IP address is a network mask with a subnet length of nn.
- 29 May 2009
listen-on 220.127.116.11 accept
listen-on 18.104.22.168 ignore prefixlen 24
listen-on eth1 drop
listen-on ipv6 ignore
In this example ntpd will not bind to any IPv6 addresses, will bind to all IPv4 addresses on eth1 but drop all packets received on those addresses, not bind to address 22.214.171.124, and accept packets on IP address 126.96.36.199.
If the system is not using any listen-on directives or the -I command-line option, then the effect will be as follows:
listen-on all accept
listen-on wild drop
but it is not necessary to add this to a configuration file.
To listen and accept packets on only one address you just need to do this:
listen-on all ignore
The query-on directive will also explicitly and quietly add to the listen-on list, but only if the listen-on list exists, since an NTP packet going out on a specific IP address needs to be received and processed on that very same process. It is only necessary to do this for queries using the standard NTP port. Requests going out on their own ports will not be part of the listen-on interface list.
The listen-on list should be constructed with the most general entries first and more specific ones further down.
- 26 Apr 2009
Prefixlen has been added as a configuration option.
- 29 May 2009
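The matching rules described above (implicit defaults, keywords, prefixlen, last applicable entry wins) modelled in Python as an added example; it is not ntpd code and not part of the original page. It assumes that the default entries act as implicit leading entries, that only a directive naming localhost, a literal address or an interface changes 127.0.0.1 and ::1, and it uses constructed documentation addresses.

```python
import ipaddress

KEYWORDS = {"all", "wild", "ipv4", "ipv6", "localhost"}
WILD = {ipaddress.ip_address(a) for a in ("0.0.0.0", "::")}
LOCALHOST = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1")}
# Effect the page gives for a configuration with no listen-on directives.
DEFAULTS = ["listen-on all accept", "listen-on wild drop"]

def parse(line):
    """Split 'listen-on target [accept|drop|ignore] [prefixlen nn]'."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "listen-on":
        raise ValueError(f"not a listen-on directive: {line!r}")
    target, action, plen, rest = tok[1], "accept", None, tok[2:]
    if rest and rest[0] in ("accept", "drop", "ignore"):
        action, rest = rest[0], rest[1:]
    if len(rest) == 2 and rest[0] == "prefixlen":
        plen, rest = int(rest[1]), []
    if rest:
        raise ValueError(f"unexpected tokens in {line!r}")
    return target, action, plen

def matches(target, plen, addr, ifname):
    """True if a directive's target covers local address addr on ifname."""
    if target in KEYWORDS:
        return {"all": True, "wild": addr in WILD, "ipv4": addr.version == 4,
                "ipv6": addr.version == 6, "localhost": addr in LOCALHOST}[target]
    try:
        spec = target if plen is None else f"{target}/{plen}"
        return addr in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return target == ifname  # not an address, so treat it as an interface name

def effective_action(config, addr, ifname=None):
    """Last matching directive wins; defaults act as implicit leading entries."""
    addr = ipaddress.ip_address(addr)
    result = "accept"
    for line in DEFAULTS + list(config):
        target, action, plen = parse(line)
        # Assumption: only a directive naming localhost, a literal address or
        # an interface counts as "explicitly" changing 127.0.0.1 / ::1.
        if addr in LOCALHOST and target in KEYWORDS - {"localhost"}:
            continue
        if matches(target, plen, addr, ifname):
            result = action
    return result

# Constructed sample configuration (documentation addresses, not the page's).
SAMPLE = ["listen-on all ignore", "listen-on 192.0.2.10 accept",
          "listen-on 198.51.100.0 drop prefixlen 24", "listen-on eth1 drop"]
```

Running each local address through effective_action before deploying a configuration shows which addresses would still answer NTP queries; a specific accept entry placed before `listen-on all ignore` ends up ignored, which is why the general entries go first.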