
Re: NTP security



At 10:32 -0600 3/10/2001, Piotr Tarnowski wrote:
Hi,

I've installed NTP daemon on my firewall (with sync to external machine) and on all internal machines (with sync to my firewall).

I found that this had opened port 123/udp on my firewall, so now everybody from the net can use my machine as a server. I have nothing against this as long as this is secure. Is it?

If not can I limit allowed clients somehow? (I noticed that DENY on ipchains to others than my reference external server limits ntptrace usage).

Best regards,
Piotr Tarnowski

As detailed here:
http://www.eecis.udel.edu/~ntp/ntp_spool/html/accopt.htm

Some access control is supposed to be built into NTP, but I never got it to work correctly (could be my fault, I dunno.)

As soon as I activated it, ntpd stopped updating from any time server. Here's what I had in my ntp.conf file:
# don't trust anyone else's clock, or allow config changes
# restrict default notrust nomodify

# trust timeservers for time, but don't allow config changes
# note masks don't have to be the same network mask that the
# specified ip uses.  using a mask of 255.255.255.255 applies
# a rule to that specific ip.  A shorter mask applies
# the rule to more computers.  When a packet arrives the rule
# with the most matching bits in the mask is used
# restrict time.server.1.ip mask 255.255.255.255
# restrict time.server.2.ip mask 255.255.255.255
# restrict time.server.3.ip mask 255.255.255.255


So instead I locked down access on the external interface to just the time servers I use. In my firewall script I put:

TIME_SERVERS="time.server.1.ip time.server.2.ip time.server.3.ip time.server.4.ip"
for TIMESERVER in $TIME_SERVERS
do
        echo "Allowing client access to time server " $TIMESERVER "..."

        ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $TIMESERVER 123 -j ACCEPT

        ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
         -s $TIMESERVER 123 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

        # these seem to allow a local time server running
        # on port 123 to sync with another time server on port
        # 123
        ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 123 \
         -d $TIMESERVER 123 -j ACCEPT

        ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
         -s $TIMESERVER 123 \
         -d $IPADDR 123 -j ACCEPT

done


Not super secure as it does nothing against spoofing (guess that's really only possible with a digitally signed time server signature), but it sufficed for me.

Kevin
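The comments in Kevin's ntp.conf describe how ntpd picks a restrict entry: the entry whose mask matches the most bits of the source address wins, and only that entry's flags apply (they do not accumulate with the default). The following is an added example, not code from the post, that models this selection over a constructed restrict list using placeholder addresses (192.0.2.10, 10.0.0.0/8), so the effect of "restrict default" versus a per-server or localhost entry can be checked before touching a live daemon.

```python
import ipaddress

# Constructed ntp.conf fragment modelled on the one in the post. The server
# address 192.0.2.10 and the 10.0.0.0/8 LAN are placeholders, not real hosts.
NTP_CONF = """
# default for everyone: not a sync source, no runtime config changes
restrict default notrust nomodify
# localhost gets full access (needed for ntpq/ntpdc on the box itself)
restrict 127.0.0.1
# one specific upstream server; mask of all ones means this IP only
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap
# a whole internal network; shorter mask applies to more machines
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap noquery
"""


def parse_restrict(conf):
    """Return a list of (IPv4Network, frozenset(flags)) from restrict lines."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0] != "restrict":
            continue  # comments, blank lines, other directives
        addr, rest = parts[1], parts[2:]
        if addr == "default":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"  # ntpd's default when no mask is given
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            network = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        rules.append((network, frozenset(rest)))
    return rules


def effective_flags(rules, source):
    """Flags ntpd would apply to a packet from `source`: the entry with the
    longest matching mask wins; its flags replace, not extend, the default."""
    ip = ipaddress.IPv4Address(source)
    best = None
    for network, flags in rules:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, flags)
    return best[1] if best else frozenset()


if __name__ == "__main__":
    rules = parse_restrict(NTP_CONF)
    for src in ("127.0.0.1", "192.0.2.10", "10.1.2.3", "198.51.100.7"):
        print(src, sorted(effective_flags(rules, src)) or ["(full access)"])
```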


