[time] security issues with open port 123/udp?

Paul-Andrew Joseph Miseiko esoteric
Tue Sep 28 16:27:37 UTC 2004

It is possible to query the NTP variables on NTP v4 installations provided
the restrict line is defined in such a way that permits remote hosts to
query said variables.

The advice given by the Nessus test was extremely poor which is to be
expected from that product.

What you want to do is restrict access to the variables.  A simple way to do
this is to use a restrict line of "restrict default noquery".  Another way
to do this is to define your firewall to deny any packet other than a valid
time request and/or response.

-----Original Message-----
From: timekeepers-bounces at fortytwo.ch
[mailto:timekeepers-bounces at fortytwo.ch] On Behalf Of Pablo Sanchez
Sent: September 28, 2004 10:15 AM
To: timekeepers at fortytwo.ch
Subject: [time] security issues with open port 123/udp?


I ran a pen Nessus test on my machine and it says the following:

::: report :::
It is possible to determine a lot of information about the remote host by
querying the NTP variables - these include OS descriptor and time settings.

<< a bunch of stuff about my machine including Linux version >>

Quickfix:  Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor:  Low

::: end of report :::

As soon as I set 'restrict default ignore', I can no longer sync to the NTP

I tried the following to no avail:

restrict default ignore
restrict pool.ntp.org

Any pointers would be welcomed.


timekeepers mailing list
timekeepers at fortytwo.ch
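The check a practitioner would want after changing the restrict line is to
repeat the query Nessus made and confirm it is no longer answered. The
script below is an added example written for this thread; it is not code
from the list, from Nessus or from the ntpd distribution. It assumes the
scanner used an NTP mode 6 (control) READVAR request, the same packet
"ntpq -c rv" sends, and it carries a constructed sample response (not a
capture from any real host) so that the parsing can be exercised offline.
With "restrict default noquery" in place, or a firewall that only passes
client/server time packets, the live probe should get no answer at all.

```python
"""Probe an NTP server for mode 6 READVAR disclosure (added example)."""
import socket
import struct

NTP_PORT = 123
MODE_CONTROL = 6
CTL_OP_READVAR = 2                 # opcode behind "ntpq -c rv"
HDR = struct.Struct("!BBHHHHH")    # 12-byte NTP control message header


def build_readvar_request(seq=1, assoc_id=0):
    """READVAR request for the system variables (association id 0).

    Byte 0: LI=0, VN=2, mode=6 -> 0x16.  Byte 1: R/E/M bits clear plus the
    opcode.  Status, offset and count are zero in a request.
    """
    return HDR.pack(0x16, CTL_OP_READVAR, seq, 0, assoc_id, 0, 0)


def build_readvar_response(data, seq=1, error=False):
    """Constructed server response, used only for the offline demonstration."""
    flags = 0x80 | (0x40 if error else 0) | CTL_OP_READVAR
    return HDR.pack(0x16, flags, seq, 0, 0, 0, len(data)) + data


def parse_control_response(pkt):
    """Split a control-message response into its header fields and data."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    b0, b1, seq, status, assoc, offset, count = HDR.unpack(pkt[:HDR.size])
    if b0 & 0x07 != MODE_CONTROL:
        raise ValueError("not a control message (mode %d)" % (b0 & 0x07))
    if not b1 & 0x80:
        raise ValueError("R bit clear: this is a request, not a response")
    return {
        "version": (b0 >> 3) & 0x07,
        "opcode": b1 & 0x1F,
        "error": bool(b1 & 0x40),   # E bit: server refused or failed
        "more": bool(b1 & 0x20),    # M bit: further fragments follow
        "sequence": seq,
        "status": status,
        "assoc_id": assoc,
        "offset": offset,
        "data": pkt[HDR.size:HDR.size + count],
    }


def parse_variables(data):
    """Turn 'a=1,b="x, y",flag' variable text into a dict.

    Quoted values may contain commas, so a plain split(',') is wrong.
    Names without a value (bare flags) map to None.
    """
    out, cur, name, in_quote = {}, [], None, False

    def flush():
        nonlocal cur, name
        key = name.strip() if name is not None else "".join(cur).strip()
        val = "".join(cur).strip() if name is not None else None
        if key:
            out[key] = val
        cur, name = [], None

    for ch in data.decode("ascii", "replace"):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "=" and not in_quote and name is None:
            name, cur = "".join(cur), []
        elif ch in ",\r\n" and not in_quote:
            flush()
        else:
            cur.append(ch)
    flush()
    return out


def disclosed_variables(pkt):
    """Variables the server revealed, or {} for an error (refused) response."""
    resp = parse_control_response(pkt)
    return {} if resp["error"] else parse_variables(resp["data"])


def probe(host, timeout=2.0):
    """Send one READVAR query; None means no answer (the desired outcome)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_readvar_request(), (host, NTP_PORT))
        try:
            pkt, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    finally:
        sock.close()
    return disclosed_variables(pkt)


# Constructed sample of what an unrestricted ntpd hands back: the "OS
# descriptor" the scanner complained about lives in processor= and system=.
SAMPLE_RESPONSE = build_readvar_response(
    b'version="ntpd 4.2.0",processor="i686",system="Linux/2.4.27",'
    b'leap=00,stratum=3\r\n')

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        found = probe(sys.argv[1])
        if found is None:
            print("no answer: control queries are blocked (noquery/ignore/firewall)")
        else:
            print("exposed variables:", found)
    else:
        print("sample (offline):", disclosed_variables(SAMPLE_RESPONSE))
```

Run it as "python probe.py <host>" before and after editing ntp.conf: a
server still answering prints the exposed variables; once "restrict default
noquery" (or a firewall rule) takes effect the probe times out, while
ordinary client/server time packets, which are mode 3 and 4 rather than
mode 6, continue to work.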