[ntp:security] Re: Nessus identifies NTP as a security issue

Steve Kostecke kostecke at ntp.isc.org
Mon Aug 28 14:02:43 UTC 2006


>"It is possible to determine a lot of information about the remote host
>by querying the NTP variables - these include OS descriptor, and time
>settings.
>
>It is possible to gather the following information from the remote NTP
>host :
>
>system='SunOS', leap=0, stratum=3, rootdelary=24.51,\r ...." etc.
>
>"Quickfix: Set NTP to restrict default access to ignore all info
>packets: restrict default ignore"

Please see http://ntp.isc.org/Support/AccessRestrictions

Then see my comments below about 'authenticate no'. It seems to me that
leaving your system clock open to manipulation by rogue time servers is
a larger risk than letting users on your LAN know what OS is in use.

>I implemented the following /etc/inet/ntp.conf file on a test server
>and the security team still claims that it is vulnerable.

Are you sure that ntpd is using your new ntp.conf? I suspect that it
isn't. The config file is usually /etc/ntp.conf or
/usr/local/etc/ntp.conf

># An example file that could be copied over to /etc/inet/ntp.conf; it
># provides a configuration for a host that passively waits for a server
># to provide NTP packets on the ntp multicast net.
>
>driftfile /var/ntp/ntp.drift
>restrict default ignore
>restrict 205.142.199.172 mask 255.255.255.0 nopeer noquery nomodify notrap
>restrict 127.0.0.1

You've omitted the restrict lines needed to allow NTP packets from the
multicast address and from the multicast server (neo-a.chmcc.org ?):

restrict 224.0.1.1 noquery nomodify notrap
restrict ip.address.of.neo-a.chmcc.org noquery nomodify notrap

>authenticate no

This is NOT a good idea at all. Without authentication your ntpd will
accept multicast packets from any source (ntpd can establish multicast
associations with multiple multicast servers at the same time). That
could allow a determined attacker to manipulate the client's clock.

There are two ways of authenticating an NTP server to
its clients: symmetric keys and Autokey. Please see
http://ntp.isc.org/Support/ConfiguringAutokey for information about the
latter.

>server neo-a.chmcc.org
>multicastclient 224.0.1.1

You don't need the server line for a multicast client.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project http://ntp.isc.org/
Public Key at http://ntp.isc.org/Users/SteveKostecke
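As an added example, not part of the post above and not code from the NTP project, the following Python script performs the two checks the reply makes by hand: it parses the quoted ntp.conf, applies ntpd's rule that the most specific matching `restrict` entry wins (with `restrict default` as the fallback), and reports any configured time source whose packets the restrict list would `ignore`, plus an `authenticate no` line. The two sample configurations are constructed from the text of the thread; `192.0.2.10` is a placeholder (TEST-NET-1) standing in for the real address of neo-a.chmcc.org, which the post does not give. Hostnames cannot be resolved offline, so a source given by name is matched only against a restrict entry with the same literal name and is otherwise reported as unchecked.

```python
"""Offline check of an ntp.conf for the problems discussed in the thread.

Added example (not the post's or the NTP project's code). Sample configs are
constructed from the post; 192.0.2.10 is a placeholder for the multicast
server's real address.
"""
import ipaddress

SOURCE_KEYWORDS = ("server", "peer", "multicastclient", "broadcastclient")
IP_NETWORKS = (ipaddress.IPv4Network, ipaddress.IPv6Network)


def parse_ntp_conf(text):
    """Return (restricts, sources, auth_disabled).

    restricts: list of (match, flags); match is None for 'default', an
               ip_network, or a hostname string kept as written.
    sources:   list of (keyword, address) for lines defining time sources.
    """
    restricts, sources, auth_disabled = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "restrict" and len(parts) > 1:
            if parts[1] == "default":
                restricts.append((None, set(parts[2:])))
                continue
            addr, flags, mask = parts[1], parts[2:], None
            if len(flags) >= 2 and flags[0] == "mask":  # 'restrict A mask M ...'
                mask, flags = flags[1], flags[2:]
            try:
                spec = addr if mask is None else f"{addr}/{mask}"
                match = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                match = addr  # hostname in a restrict line: keep the literal
            restricts.append((match, set(flags)))
        elif kw in SOURCE_KEYWORDS and len(parts) > 1:
            sources.append((kw, parts[1]))
        elif kw == "authenticate" and len(parts) > 1 and parts[1].lower() == "no":
            auth_disabled = True
    return restricts, sources, auth_disabled


def effective_flags(restricts, address):
    """Flags ntpd applies to packets from 'address' (IP literal or hostname).

    Longest-prefix match wins, else 'restrict default'. Returns None for a
    hostname with no literal restrict entry (it cannot be resolved offline).
    """
    default = next((f for m, f in restricts if m is None), set())
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        literal = [f for m, f in restricts if isinstance(m, str) and m == address]
        return literal[0] if literal else None
    best = None
    for match, flags in restricts:
        if isinstance(match, IP_NETWORKS) and ip in match:
            if best is None or match.prefixlen > best[0].prefixlen:
                best = (match, flags)
    return best[1] if best else default


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    restricts, sources, auth_disabled = parse_ntp_conf(text)
    findings = []
    default = next((f for m, f in restricts if m is None), set())
    if not default & {"ignore", "noquery"}:
        findings.append("restrict default: variable queries (ntpq/ntpdc) allowed from anywhere")
    for kw, addr in sources:
        flags = effective_flags(restricts, addr)
        if flags is None:
            findings.append(f"{kw} {addr}: hostname has no restrict entry that can be "
                            "checked offline; add one for its resolved address")
        elif "ignore" in flags:
            findings.append(f"{kw} {addr}: matching restrict entry has 'ignore', "
                            "so its time packets are dropped")
    if auth_disabled:
        findings.append("authenticate no: multicast/broadcast associations will accept "
                        "time from any sender; use symmetric keys or Autokey")
    return findings


# Constructed from the configuration quoted in the post.
POSTED_CONF = """\
driftfile /var/ntp/ntp.drift
restrict default ignore
restrict 205.142.199.172 mask 255.255.255.0 nopeer noquery nomodify notrap
restrict 127.0.0.1
authenticate no
server neo-a.chmcc.org
multicastclient 224.0.1.1
"""

# The shape the reply suggests; 192.0.2.10 is a placeholder for neo-a.chmcc.org.
CORRECTED_CONF = """\
driftfile /var/ntp/ntp.drift
restrict default ignore
restrict 205.142.199.172 mask 255.255.255.0 nopeer noquery nomodify notrap
restrict 127.0.0.1
restrict 224.0.1.1 noquery nomodify notrap
restrict 192.0.2.10 noquery nomodify notrap
multicastclient 224.0.1.1
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Run against the posted configuration it reports three findings (the multicast group ignored by `restrict default ignore`, the unchecked hostname, and `authenticate no`); against the corrected shape it reports none. The script does not verify that a key file and `trustedkey` are configured, so a clean result still leaves the authentication setup itself to be checked separately.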

