Disable NTP Server of 2.0.2?

srynoname · Dec 22, 2012, 12:30 PM

For security reasons I want to disable the NTP server on my pfsense 2.0.2 installation / let it listen on no interface, however in 2.0.2, if no interface is selected, it will listen on all interfaces according to http://blog.pfsense.org/?p=676:

NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.

So, how can I disable the NTP service? Thanks :-)

biggsy · Dec 22, 2012, 9:59 PM

From the point of view of minimizing attack surface, I sort of understand the "security reasons" but, if you only listen on LAN, for example, there is this to consider:

http://en.wikipedia.org/wiki/Network_Time_Protocol#Security_concerns

That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange. It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

Very nice to have a real NTP included though.

dhatz · Dec 22, 2012, 10:31 PM

@biggsy:

That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange. It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

Actually most pfSense daemons listen on all interfaces including dnsmasq, lighttpd/webGUI, syslogd, ssh etc (check the output of sockstat -4l), and the system relies on pf to block traffic to them.

biggsy · Dec 22, 2012, 10:42 PM

Actually most pfSense daemons listen on all interfaces …

A fair comment.

I was really just saying that where a selection of interfaces is offered elsewhere in the GUI "all" is not the default.

jimp · Dec 22, 2012, 11:57 PM

Block access to the service with firewall rules.

This daemon requires binding/listening to at least one adapter to function as an NTP client, there isn't a way around that requirement. Blocking with firewall rules is sufficient to lock the service down.

srynoname · Dec 23, 2012, 10:40 AM

Thank you all. I really forgot about the firewall rules ::)

This daemon requires binding/listening to at least one adapter to function as an NTP client

I understand this, just not this from the blog:

NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies.

It does not have to bind to all interfaces, it's enough if it binds e.g. on WAN to contact the public NTP servers?

jimp · Dec 23, 2012, 3:05 PM

Yes, that is enough, or if you have the usual NAT rules, binding on LAN is OK too.