[ntp:questions] ntp mode 6 nessus scan vulnerability

sneha b snehabadardinni at gmail.com
Thu Apr 6 14:58:06 UTC 2017


Thanks so much, Brian, will try this.

Thanks,
Sneha

On Wed, Apr 5, 2017 at 7:00 PM, Brian Inglis <Brian.Inglis at systematicsw.ab.ca> wrote:

> On 2017-04-05 03:56, sneha b wrote:
> > I am using ntp4.2.8P9, and nessus scan is reporting ntp mode 6
> > scanner vulnerability.
> > Can someone please help me fix this?
>
> Mode 6 queries are used by ntpq - allowing these is normal to
> support server management, monitoring, logging and alerts.
>
> To disable ntpq queries add noquery to your default restrict
> statements in ntp.conf:
>
>         restrict default ... noquery
>         restrict -4 default ... noquery
>         restrict -6 default ... noquery
>
> or better, just ignore everything:
>
>         restrict default ignore
>         restrict -4 default ignore
>         restrict -6 default ignore
>
> See
>         http://support.ntp.org/bin/view/Support/AccessRestrictions
> and
>         https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
>
> You may also want to limit interaction with upstream servers:
>
>         restrict source nomodify notrap [noquery] [nopeer]
>
> but you cannot use nopeer if you use any pool servers or *cast
> servers or clients, but in those cases it would be advisable to
> add the noquery, as you don't know who's on the other end.
>
> I personally consider it would be rude to not allow known public
> sources providing me a service to query mine, so I would add
> restrict rules without noquery for each of those servers, and I
> would also not add nopeer, although both may be advisable for
> organizations, if not using the pool.
>
> Limit your:
>         restrict <subnet-address>
> or:
>         restrict <subnet-address> noserve [monitoring only]
>
> ntp.conf statements which remove all restrictions to the localhost
> and management subnets, and ensure that nessus is not being run
> from within your management or monitoring subnets, as you have to
> have some way to manage, monitor, log, and generate alerts about,
> NTP servers.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
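Added example, not part of the original thread and not code from the NTP project: a small ntp.conf audit that lists the `restrict default` and `restrict source` rules that would still answer mode 6 (ntpq) queries, i.e. rules carrying neither `noquery` nor `ignore`. The function name and the sample config are constructed for illustration, and the script assumes a bare `restrict default` covers both IPv4 and IPv6, as documented for the 4.2.8 series.

```python
# Constructed sample ntp.conf (not from the thread): IPv6 default is missing noquery.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer
restrict source nomodify notrap
restrict 127.0.0.1
restrict ::1
"""

BLOCKING = {"noquery", "ignore"}  # either flag makes ntpd refuse mode 6 queries


def audit_mode6(conf_text):
    """Return (line_no, scope, flags) for each default/source rule that still
    answers mode 6. line_no 0 means no default rule exists for that family."""
    findings, covered = [], set()
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        # Assumption: without -4/-6 the rule applies to both address families.
        families = {"ipv4", "ipv6"}
        if args[0] in ("-4", "-6"):
            families = {"ipv4"} if args[0] == "-4" else {"ipv6"}
            args = args[1:]
        if not args or args[0] not in ("default", "source"):
            continue  # per-host and per-subnet rules are out of scope here
        target, flags = args[0], args[1:]
        if target == "default":
            covered |= families
            scopes = ["default-" + f for f in sorted(families)]
        else:
            # Reported for review only: the reply treats noquery here as optional.
            scopes = ["source"]
        if not BLOCKING & set(flags):
            findings += [(line_no, s, flags) for s in scopes]
    # A family with no default rule at all is unrestricted, so report it too.
    findings += [(0, "default-" + f, []) for f in sorted({"ipv4", "ipv6"} - covered)]
    return findings


if __name__ == "__main__":
    for line_no, scope, flags in audit_mode6(SAMPLE_CONF):
        print(f"line {line_no}: {scope} answers mode 6 (flags: {' '.join(flags) or 'none'})")
```

Rules for localhost and management subnets are deliberately not flagged, since those are the addresses expected to keep ntpq access.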

