[ntp:questions] Re: security of reverse port on the firewall

Steve Kostecke kostecke at ntp.isc.org
Mon Nov 8 14:07:43 UTC 2004


On 2004-11-07, Richard B. Gilbert <rgilbert88 at comcast.net> wrote:

> Don S wrote:
>
>>I can't seem to find any discussions on the security of opening a
>>reverse port of a firewall for NTP. I would have thought this was a
>>fairly important point of discussion or is it not? Can anyone point me
>>to info on this item?
>
> If you limit port 123 to UDP, I don't see that there is much, if
> any, hazard in opening it outbound. If you open it inbound (allowing
> queries) you should be certain that your NTP keys are set up properly.
> If you don't create and designate NTP "request" and "control" keys
> strangers might be able to alter the configuration of your NTP daemon.

Have you actually tried this?

ntpd requires authentication _by default_ for all "remote" modifications
performed with ntpdc, even from 127.0.0.1.

If you don't configure your symmetric keys (and don't disable
authentication) it is not possible for anyone to modify your ntpd
configuration. Try it yourself if you want proof.

> You might want to search Symantec's web site for any references to port
> 123; if anyone has written a virus or a worm that uses it, they should
> certainly know about it.
>
> If there are any known vulnerabilities someone should speak up.

If you want to use CERT as a point of reference try this:

http://www.google.com/search?q=site%3Acert.org+ntp

There are some steps that you can take to restrict access to your ntpd:

1. Use your firewall and/or ntpd restrictions to allow access only to
designated remote time servers and authorized clients

2. Use remote time servers which support NTP Authentication

3. Block port 123/UDP on your firewall and use a local radio clock (e.g.
GPS, WWVB, CHU) or a modem (ACTS) to synchronize your ntpd

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Support Project - http://ntp.isc.org/
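A worked ntp.conf that applies the three restrictions listed above, added here as an illustration (it is not from the original post). The addresses, the key file path and the key number are placeholders.

```conf
# Example ntp.conf (added illustration, not from the post). All addresses
# below are documentation-range placeholders; substitute your own.

driftfile /var/lib/ntp/ntp.drift

# Step 1: default-deny, then open only what is needed.
restrict default ignore
restrict 127.0.0.1            # local ntpq/ntpdc; changes still need the keys below

# Designated upstream time servers: accept their replies, allow nothing else.
# noquery blocks ntpq/ntpdc status and control requests from that source;
# it does not block the mode-4 server replies we are polling for.
restrict 192.0.2.10 nomodify notrap nopeer noquery
restrict 192.0.2.11 nomodify notrap nopeer noquery

# Authorized clients on the LAN: time service only, no status, control or peering.
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Step 2: symmetric-key authentication with the upstream servers.
# /etc/ntp.keys holds one line per key, e.g. "1 M <secret>"; keep it mode 0600.
keys /etc/ntp.keys
trustedkey 1
requestkey 1                  # key ntpdc must present for runtime changes
controlkey 1                  # key ntpq must present for runtime changes
# Do not add "disable auth": that is what would let unauthenticated
# ntpdc/ntpq requests reconfigure the daemon.

server 192.0.2.10 key 1
server 192.0.2.11 key 1
```

Step 3 (a local radio clock or ACTS modem) replaces the two server lines with a refclock driver entry and lets the firewall drop 123/UDP entirely; which driver line to use depends on the hardware and is described in the ntpd refclock documentation.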
