Why does NTP daemon keep listening on UDP6?

I have been able to disable IPv6 for NTP on my Debian 5/6/7 and Ubuntu 12.04 this way:

Edit file /etc/default/ntp and replace

NTPD_OPTS='-g'

by

NTPD_OPTS='-4 -g'

Then you can keep your directives in ntp.conf; they are not ignored:

interface ignore wildcard
interface listen <local_nic_ip>

  • Without interface ignore wildcard NTP will also listen on 0.0.0.0
  • Without interface listen <local_nic_ip> NTP will only listen on 127.0.0.1 (of course)

This results in:

# netstat -anp | grep :123
udp    0      0 192.168.0.38:123     0.0.0.0:*                 2901/ntpd
udp    0      0 127.0.0.1:123        0.0.0.0:*                 2901/ntpd

Also, I confirm that OpenNTPD listens where you ask it to listen, and in a friendlier way (no need to edit multiple config files). By default it listens nowhere until you configure it to do so (very secure) ;)

In the config file, just uncomment the line

listen on 127.0.0.1

And add the line

listen on <local_nic_ip>

Results in:

# netstat -anp | grep :123
udp   0    0 192.168.0.38:123     0.0.0.0:*                 8581/ntpd
udp   0    0 127.0.0.1:123        0.0.0.0:*                 8581/ntpd
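
An added example, not part of the answers on this page: a shell function that reads `netstat -anp` output and reports any UDP port 123 socket bound outside an allow-list, which confirms whether `-4` and the `interface` directives took effect. The function names and the "default" sample lines are constructed for illustration; the "hardened" sample reuses the output shown above.

```shell
#!/bin/sh
# audit_ntp_listeners ADDR...  (hypothetical helper name)
# Reads netstat -anp style lines on stdin. Arguments are the local addresses
# the NTP daemon is allowed to bind. Prints one line per unexpected binding
# and returns 1 if any were found, 0 otherwise.
audit_ntp_listeners() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # udp or udp6 sockets whose local address (field 4) ends in :123
        $1 ~ /^udp6?$/ && $4 ~ /:123$/ {
            addr = $4
            sub(/:123$/, "", addr)   # leaves 0.0.0.0, ::, ::1, a NIC address ...
            if (!(addr in ok)) {
                printf "UNEXPECTED %s %s %s\n", $1, addr, $NF
                bad++
            }
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample: wildcard and IPv6 listeners still present.
sample_default() {
    cat <<'EOF'
udp    0      0 192.168.0.38:123     0.0.0.0:*                 2901/ntpd
udp    0      0 127.0.0.1:123        0.0.0.0:*                 2901/ntpd
udp    0      0 0.0.0.0:123          0.0.0.0:*                 2901/ntpd
udp6   0      0 ::1:123              :::*                      2901/ntpd
udp6   0      0 :::123               :::*                      2901/ntpd
EOF
}

# Output shown above, after -4 and the interface directives are applied.
sample_hardened() {
    cat <<'EOF'
udp    0      0 192.168.0.38:123     0.0.0.0:*                 2901/ntpd
udp    0      0 127.0.0.1:123        0.0.0.0:*                 2901/ntpd
EOF
}

sample_default | audit_ntp_listeners 127.0.0.1 192.168.0.38 \
    || echo "NTP daemon is bound outside the allow-list"
sample_hardened | audit_ntp_listeners 127.0.0.1 192.168.0.38 \
    && echo "only the expected listeners remain"
```

On a live host, pipe `netstat -anp` into the function instead of the sample data.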

If you consider this a bug (and I certainly do: ntpd is ignoring a configuration directive) you're going to have to take it up with the package maintainer or upstream authors. I don't believe any of them hang out here - refer to the package information for their contact details.

Alternatively you could try another NTP implementation (like OpenNTPD - I've not used it personally, but the OpenBSD folks tend to be absolutely paranoid about security, so I imagine it only listens where it's told to).

As Sander pointed out though, your NTP daemon is listening on localhost (127.0.0.1 & ::1) - If you're worried about being hacked from localhost you probably have bigger problems than your NTP daemon.
I'm a bit miffed that the daemon is ignoring a configuration directive, but I wouldn't consider this a serious security concern.