Rarely am I using ntpd to serve ntp information. It is more useful for clock-correction than a strict ntp/sntp client. Thus I don’t want the service listening on a wildcard address, even when there is certainly a firewall in place. I prefer the service to not be listening at all, or listening only to the loopback interface. Here is how to configure that in ntpd and chrony.
ntpd
interface ignore wildcard
chrony
bindaddress 127.0.0.1
port 0
bindcmdaddress 127.0.0.1
cmdport 0