Why does NTP daemon keep listening on UDP6?
I have been able to disable IPv6 for NTP on my Debian 5/6/7 and Ubuntu 12.04 this way :
Edit file /etc/default/ntp and replace
NTPD_OPTS='-g'
by
NTPD_OPTS='-4 -g'
Then, you can keep your directives in ntp.conf, they are not ignored :
interface ignore wildcard
interface listen <local_nic_ip>
- Without
interface ignore wildcardNTP will also listen on0.0.0.0 - Without
interface listen <local_nic_ip>NTP will only listen on127.0.0.1(of course)
This will results in :
# netstat -anp | grep :123
udp 0 0 192.168.0.38:123 0.0.0.0:* 2901/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2901/ntpd
Also, i confirm that OpenNTPD listens where you ask him to listen more friendly (no need to edit multiple config files). By default it listens nowhere until you configure it to do so (very secure) ;)
In config file, just uncomment line
listen on 127.0.0.1
And add line
listen on <local_nic_ip>
Results in :
# netstat -anp | grep :123
udp 0 0 192.168.0.38:123 0.0.0.0:* 8581/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 8581/ntpd
If you consider this a bug (and I certainly do: ntpd is ignoring a configuration directive) you're going to have to take it up with the package maintainer or upstream authors. I don't believe any of them hang out here - refer to the package information for their contact details.
Alternatively you could try another NTP implementation (like OpenNTPD - I've not used it personally, but the OpenBSD folks tend to be absolutely paranoid about security, so I imagine it only listens where it's told to).
As Sander pointed out though, your NTP daemon is listening on localhost (127.0.0.1 & ::1) - If you're worried about being hacked from localhost you probably have bigger problems than your NTP daemon.
I'm a bit miffed that the daemon is ignoring a configuration directive, but I wouldn't consider this a serious security concern.