Re: NTP security
At 10:32 -0600 3/10/2001, Piotr Tarnowski wrote:
Hi,

I've installed the NTP daemon on my firewall (with sync to an external machine) and on all internal machines (with sync to my firewall).

I found that this had opened port 123/udp on my firewall, so now everybody from the net can use my machine as a server. I have nothing against this as long as this is secure. Is it?

If not, can I limit allowed clients somehow? (I noticed that DENY on ipchains to others than my reference external server limits ntptrace usage.)

Best regards,
Piotr Tarnowski
As detailed here:
http://www.eecis.udel.edu/~ntp/ntp_spool/html/accopt.htm

Some access control is supposed to be built into NTP, but I never got it to work correctly (could be my fault, I dunno.) As soon as I activated it, ntpd stopped updating from any time server. Here's what I had in my ntp.conf file:
# don't trust anyone else's clock, or allow config changes
# restrict default notrust nomodify
# trust timeservers for time, but don't allow config changes
# note masks don't have to be the same network mask that the
# specified ip uses. using a mask of 255.255.255.255 applies
# a rule to that specific ip. A shorter mask applies
# the rule to more computers. When a packet arrives the rule
# with the most matching bits in the mask is used
# restrict time.server.1.ip mask 255.255.255.255
# restrict time.server.2.ip mask 255.255.255.255
# restrict time.server.3.ip mask 255.255.255.255
So instead I locked down access on the external interface to just the time servers I use. In my firewall script I put:

# EXTERNAL_INTERFACE, IPADDR (the firewall's external address) and
# UNPRIVPORTS (the 1024:65535 range) are set earlier in the firewall script
TIME_SERVERS="time.server.1.ip time.server.2.ip time.server.3.ip time.server.4.ip"

for TIMESERVER in $TIME_SERVERS
do
    echo "Allowing client access to time server " $TIMESERVER "..."

    # client mode: our unprivileged source port -> server port 123, and the reply
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR $UNPRIVPORTS \
        -d $TIMESERVER 123 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $TIMESERVER 123 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # these seem to allow a local time server running
    # on port 123 to sync with another time server on port 123
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR 123 \
        -d $TIMESERVER 123 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $TIMESERVER 123 \
        -d $IPADDR 123 -j ACCEPT
done
Not super secure as it does nothing against spoofing (guess that's
really only possible with a digitally signed time server signature),
but it sufficed for me.
Kevin
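As an added illustration (not code from Kevin's post or from the NTP documentation) of the longest-mask matching rule his ntp.conf comments describe, this Python script parses a restrict section and reports which flags ntpd would apply to a packet from a given source address. The configuration text, the 192.0.2.x server addresses and the 192.168.1.0/24 LAN line are constructed placeholders.

```python
import ipaddress

# Constructed sample: the restrict section from the post, uncommented, with
# placeholder time server addresses and an added LAN rule for illustration.
SAMPLE_CONF = """
# don't trust anyone else's clock, or allow config changes
restrict default notrust nomodify
# local queries (ntpq/ntpdc) stay unrestricted
restrict 127.0.0.1
# time servers: mask 255.255.255.255 means "this exact host", no flags = full access
restrict 192.0.2.10 mask 255.255.255.255
restrict 192.0.2.11 mask 255.255.255.255
# internal clients may ask for time but not query or modify the daemon
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap noquery
"""


def parse_restrict(text):
    """Return a list of (network, flags) tuples from the 'restrict' lines."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")  # matches every source
        else:
            mask = "255.255.255.255"  # no 'mask' keyword = single host
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((net, frozenset(rest)))
    return rules


def effective_flags(rules, source_ip):
    """Flags of the matching rule with the most mask bits (most specific);
    None if no rule matches at all."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for src in ("192.0.2.10", "192.168.1.20", "203.0.113.5"):
        print(src, sorted(effective_flags(rules, src)))
```

An empty flag set means full access (the time servers and localhost); the `notrust nomodify` default is what every other source on the net gets.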