diff --git a/defaults/main.yml b/defaults/main.yml
index 20cb5a9a..d365dd6d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -138,6 +138,8 @@ security_allowed_ntp_subnets:
   - 10/8
   - 192.168/16
   - 172.16/12
+# Listen for NTP requests only on local interfaces.
+security_ntp_bind_local_interfaces_only: yes
 
 ## Core dumps
 # V-38675 requires disabling core dumps for all users unless absolutely
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index d319fd9d..85d71f32 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -228,9 +228,14 @@ openstack-ansible-security role. The default settings will work for most
 environments, but some deployers may prefer to use NTP servers which are
 geographically closer to their servers.
-Also, the default configuration allows `RFC1918`_ addresses to reach the NTP
-server running on each host. That could be reduced to ``127.0.0.1/32`` for
-greater security.
+
+The role configures the chrony daemon to listen only on localhost. To allow
+chrony to listen on all addresses (the upstream default for chrony),
+set the ``security_ntp_bind_local_interfaces_only`` variable to ``False``.
+
+The default configuration allows `RFC1918`_ addresses to reach the NTP server
+running on each host. That could be changed by using the
+``security_allowed_ntp_subnets`` parameter.
 .. _RFC1918: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
diff --git a/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
new file mode 100644
index 00000000..464d5f76
--- /dev/null
+++ b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - A new configuration parameter ``security_ntp_bind_local_interfaces`` was
+    added to the security role to restrict the network interface to which
+    chronyd will listen for NTP requests.
\ No newline at end of file
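Review bot: `security_ntp_bind_local_interfaces_only: yes` relies on the YAML 1.1 truthy word `yes`; a YAML 1.2 loader or yamllint's truthy rule reads it as a string, so the default should be the real boolean `security_ntp_bind_local_interfaces_only: true`, matching how the template later applies `| bool` to it. The release note in the same commit calls the variable `security_ntp_bind_local_interfaces`, without the `_only` suffix used by this default and by `templates/chrony.conf.j2`; a deployer who copies that name sets an unused variable and silently keeps the localhost-only binding, so the note should be corrected to the full name. The comment above the new default could also state its interaction with the `security_allowed_ntp_subnets` list directly above, which the documentation hunk describes as governing which addresses may reach the NTP server: presumably those subnets cannot reach chronyd while this stays `true`, e.g. `# While true, the subnets in security_allowed_ntp_subnets have no reachable NTP listener.`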
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index deebf032..0b142538 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -93,3 +93,11 @@ logchange 0.5
 # chrony postinst based on what it found in /etc/default/rcS. You may
 # change it if necessary.
 rtconutc
+
+{% if security_ntp_bind_local_interfaces_only | bool %}
+# Listen for NTP requests only on local interfaces.
+bindaddress 127.0.0.1
+{% if not security_disable_ipv6 | bool %}
+bindaddress ::1
+{% endif %}
+{% endif %}
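Review bot: The comment `# Listen for NTP requests only on local interfaces.` overstates what the two `bindaddress` lines do: they bind chronyd's NTP server socket to the loopback addresses 127.0.0.1 and ::1 only, and `bindaddress` does not affect the sockets chronyd uses to query its upstream servers (that is `bindacqaddress`) nor the command socket, which `bindcmdaddress` controls and which this hunk does not touch. I would reword it to `# Serve NTP requests only on the loopback addresses; upstream client sockets are unaffected.` and, if the rest of the template does not already set `bindcmdaddress` or `cmdport`, confirm that the command port is not left reachable from other addresses while the NTP port is restricted. The hunk also evaluates `security_disable_ipv6 | bool`, so that variable must be defined in the role defaults for the template to render; that cannot be checked from this hunk. The block is appended after `rtconutc` at the end of the file, so nothing in the template follows it.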