[ntp:questions] ntp mode 6 nessus scan vulnerability

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Wed Apr 5 13:30:09 UTC 2017

On 2017-04-05 03:56, sneha b wrote:
> I am using ntp4.2.8P9, and nessus scan is reporting ntp mode 6
> scanner vulnerability.
> Can someone please help me fix this?

Mode 6 queries are used by ntpq - allowing these is normal to 
support server management, monitoring, logging and alerts.

To disable ntpq queries add noquery to your default restrict 
statements in ntp.conf:

	restrict default ... noquery
	restrict -4 default ... noquery
	restrict -6 default ... noquery

or better, just ignore everything:

	restrict default ignore
	restrict -4 default ignore
	restrict -6 default ignore


You may also want to limit interaction with upstream servers:

	restrict source nomodify notrap [noquery] [nopeer]

but you cannot use nopeer if you use any pool servers or *cast 
servers or clients, but in those cases it would be advisable to 
add the noquery, as you don't know who's on the other end.

I personally consider it would be rude to not allow known public 
sources providing me a service to query mine, so I would add 
restrict rules without noquery for each of those servers, and I 
would also not add nopeer, although both may be advisable for 
organizations, if not using the pool.

Limit your:
	restrict <subnet-address>
	restrict <subnet-address> noserve [monitoring only]

ntp.conf statements which remove all restrictions to the localhost 
and management subnets, and ensure that nessus is not being run 
from within your management or monitoring subnets, as you have to 
have some way to manage, monitor, log, and generate alerts about, 
NTP servers.

Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
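
One way to check an ntp.conf against the advice in the message above, as an added example that is not part of the original post: it reports whether the IPv4 and IPv6 default restrict rules block mode 6 queries, and lists every rule that still permits them so the exemptions can be reviewed. The function names and the sample configuration are constructed for illustration; the handling of a family-less default and of repeated rules is an assumption about ntpd behaviour.

```python
# Added example: audit ntp.conf restrict rules for mode 6 (ntpq) exposure.
BLOCKS_MODE6 = {"noquery", "ignore"}  # flags that stop ntpq queries

# Constructed sample config; addresses are documentation ranges.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer   # no noquery
restrict -6 default noquery
restrict source nomodify notrap
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 noserve  # monitoring only
"""

def parse_restricts(text):
    """Return a list of (family, address, mask, flags) from restrict lines."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else None
        if not tok:
            continue
        addr = tok.pop(0)
        mask = None
        if len(tok) >= 2 and tok[0] == "mask":
            mask, tok = tok[1], tok[2:]
        rules.append((family, addr, mask, set(tok)))
    return rules

def audit_mode6(text):
    """Report whether each default rule blocks mode 6 and who is exempt."""
    default_blocks = {"-4": False, "-6": False}  # no default rule = open
    exempt = []
    for family, addr, mask, flags in parse_restricts(text):
        blocks = bool(flags & BLOCKS_MODE6)
        if addr == "default":
            # Assumption: a default without -4/-6 covers both families,
            # and flags from repeated rules for one address accumulate.
            for fam in ([family] if family else ["-4", "-6"]):
                default_blocks[fam] = default_blocks[fam] or blocks
        elif not blocks:
            exempt.append(addr if mask is None else f"{addr} mask {mask}")
    return default_blocks, exempt

if __name__ == "__main__":
    print(audit_mode6(SAMPLE_CONF))
```

A family marked False is one a scanner can still reach with mode 6 queries; the exempt list should contain only localhost and the management or monitoring subnets.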
