OpenNTPProject.org

• Previous message (by thread): OpenNTPProject.org
• Next message (by thread): OpenNTPProject.org
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Better yet, why is your ntp server even reachable off net?

Providing a public clock service needs a lot more configuration effort 
than a simple, default one -- as just demonstrated.

(However, this is not to say that private servers should have management 
queries enabled.)

On 2/17/2014 9:03 AM, Kate Gerry wrote:
> Just add these to your ntp.conf configuration then restart the service: (Works with all default installations that I've found)
>
> restrict default kod nomodify notrap nopeer noquery
> restrict -6 default kod nomodify notrap nopeer noquery
>
> --
> Kate Gerry
> Network Manager
> kate at quadranet.com
>
> 1-888-5-QUADRA Ext 206 | www.QuadraNet.com
> Dedicated Servers, Colocation, Cloud Services and more.
> Datacenters in Los Angeles, Dallas and Miami.
>
> Follow us on:
>
>
> -----Original Message-----
> From: Brian Rak [mailto:brak at gameservers.com]
> Sent: Sunday, February 16, 2014 6:38 PM
> To: Pete Ashdown; NANOG list
> Subject: Re: OpenNTPProject.org
>
> Seriously, just fix your configuration.  The part of NTP being abused is completely unrelated to actually synchronizing time.  It's a management query, that has no real reason to be enabled remotely. You don't even need to resort to iptables for this, because NTPD has built in rate limiting (which isn't enabled for management queries, but those are trivial to disable).
>
> $ ntpdc -c monlist -n clock.xmission.com
> remote address          port local address      count m ver code avgint
> lstint
> ===============================================================================
> 173.209.207.233        42422 198.60.22.240       4727 3 3 0      0       0
> 24.155.184.100         45285 198.60.22.240         11 3 4 0      6       0
> 107.0.41.2             48625 198.60.22.240        264 3 4 0      5       0
> 67.108.239.31          40642 198.60.22.240      77084 3 3 0      0       0
> 177.65.149.237         62212 198.60.22.240       1085 3 1 0      0       0
> 209.64.161.162         44786 198.60.22.240         19 3 4 0      7       0
> 103.7.36.38            51618 198.60.22.240          4 3 3 0      8       0
> 173.209.207.218        50616 198.60.22.240       4731 3 3 0      0       0
> 69.61.203.25           20766 198.60.22.240      16379 3 4 0      1       0
> 68.188.251.223           478 198.60.22.240          2 1 3 0      0       0
> 75.82.183.104            123 198.60.22.240          1 3 4 0      0       0
> 63.64.124.129          52839 198.60.22.240     150867 3 4 0      0       0
> 65.201.33.150            151 198.60.22.240        393 3 2 0      3       0
> 124.228.119.105        24687 198.60.22.240         31 3 3 0      4       0
> 64.191.150.130           319 198.60.22.240    4494361 3 2 0      0       0
> 76.102.124.27            123 198.60.22.240          2 3 4 0      0       0
> 72.235.200.183           123 198.60.22.240          1 3 4 0      0       0
> 50.73.42.121           10398 198.60.22.240         11 3 3      0 14       0
> 63.64.124.144          26984 198.60.22.240    5823740 3 4 0      0       0
> 71.5.8.194             44699 198.60.22.240          3 3 4 0      0       0
> 143.112.64.2            1320 198.60.22.240        182 1 3 0      6       0
> 72.235.19.125            123 198.60.22.240          1 3 4 0      0       0
> 198.237.66.2           10471 198.60.22.240        499 3 3 0      3       0
> 12.108.21.226            357 198.60.22.240         10 1 3      0 14       0
> 174.47.116.250           463 198.60.22.240         24 3 4 0      5       0
> 72.1.71.73               738 198.60.22.240         19 3 3 0      8       0
> 67.136.57.10            1026 198.60.22.240        243 3 3 0      5       0
> 64.199.163.5             306 198.60.22.240        231 3 4 0      4       0
> 70.77.76.153           32188 198.60.22.240          1 3 4 0      0       0
>
> There is no excuse to still be running a NTP server with monlist enabled.  Fix your configuration, and you don't need IPTables rules.
>
>
>
> On 2/16/2014 1:29 PM, Pete Ashdown wrote:
>> Just in case you run a legitimate open NTP server, this iptable stanza
>> helps immensely:
>>
>> ## rate limit ntp
>> $IPTABLES -N NTP
>> $IPTABLES -N BLACKHOLE
>> $IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
>> $IPTABLES -A BLACKHOLE -j DROP
>> $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name
>> ntpv4 --rsource -j BLACKHOLE
>> $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name
>> ntpv4blackhole --rsource -j DROP
>> $IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
>> $IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
>>
>>
>> I've found that blocking TCP destination NTP to client servers/networks
>> blocks legitimate NTP synchronization for their clients.   Although I
>> wish they'd all just use my on-network NTP server, I can't assume they
>> will.  Does anyone have a list or source of pool and vendor
>> (Apple/Microsoft/etc) servers so I can permit based on source before
>> blocking based on destination port?
>>
>>
>
>

• Previous message (by thread): OpenNTPProject.org
• Next message (by thread): OpenNTPProject.org
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]