NTP

Command to query a device's NTP daemon for the list of remote hosts it has recently exchanged packets with. This is the NTP mode 7 "monlist" request, the same request that is abused for UDP amplification DDoS (an 8-byte query can return hundreds of reply packets to a spoofed source address), which is why the restrictions further down exist. ntpdc and the mode 7 protocol are deprecated in ntpd 4.2.8, where mode 7 is off unless "enable mode7" is set; there "ntpq -c mrulist" gives the equivalent listing.

ntpdc -c monlist <IP address>

Example of command and output

Command:

ntpdc -c monlist 146.6.177.21

Output:

remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
ns1.utexas.edu           123 146.6.177.21       43244 4 4      0   1065       6
ns2.utexas.edu           123 146.6.177.21       43230 4 4      0   1065      62
security-scanner05.inf 61021 146.6.177.21           1 3 4      0    107     107
58.215.177.51          40205 146.6.177.21           1 3 4      0 1855107 1855107
matlock.infosec.utexas 57096 146.6.177.21           4 3 3      0 921718 1912102
cpe-173-174-33-58.aust 34854 146.6.177.21           4 3 4      0 481147 1924159
security-scanner142.in 43852 146.6.177.21           1 3 4      0 2212475 2212475
security-scanner113.in 56052 146.6.177.21           2 3 4      0 1444282 2887937
feederfish.infosec.ute 51834 146.6.177.21           7 3 4      0 696372 3045750


Note:  According to the ISO, the only remote addresses that should appear in this list are ns1.utexas.edu and ns2.utexas.edu, the servers this device polls (4 in the "m" column is the NTP packet mode: a server reply to our own poll). Every other entry above is mode 3, i.e. an outside host sending client requests to this device, which a client-only machine should never be answering; those are exactly the connections the restrict lines below are meant to stop.
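A check for the note above, as an added example (not code from the page): it parses saved "ntpdc -c monlist" output and lists every remote address that is not one of the two expected servers, plus every mode 3 entry. The listing embedded below is the page's own output; the expected-peer set and the column meanings are the assumptions.

```python
"""Audit saved `ntpdc -c monlist` output against the expected peer list.

Added example, not code from the page. The listing below is the page's own
output, embedded so the check runs offline; pass a captured file instead.
"""
from dataclasses import dataclass

# Assumption (from the note on the page): only these two servers should appear.
EXPECTED_PEERS = {"ns1.utexas.edu", "ns2.utexas.edu"}

MONLIST_OUTPUT = """\
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
ns1.utexas.edu           123 146.6.177.21       43244 4 4      0   1065       6
ns2.utexas.edu           123 146.6.177.21       43230 4 4      0   1065      62
security-scanner05.inf 61021 146.6.177.21           1 3 4      0    107     107
58.215.177.51          40205 146.6.177.21           1 3 4      0 1855107 1855107
matlock.infosec.utexas 57096 146.6.177.21           4 3 3      0 921718 1912102
cpe-173-174-33-58.aust 34854 146.6.177.21           4 3 4      0 481147 1924159
security-scanner142.in 43852 146.6.177.21           1 3 4      0 2212475 2212475
security-scanner113.in 56052 146.6.177.21           2 3 4      0 1444282 2887937
feederfish.infosec.ute 51834 146.6.177.21           7 3 4      0 696372 3045750
"""


@dataclass
class MonEntry:
    remote: str    # ntpdc truncates the name column to 22 characters, as above
    port: int
    local: str
    count: int     # packets seen from this remote
    mode: int      # NTP packet mode: 3 = client request to us, 4 = reply to our poll
    version: int
    rstr: str      # restrict flags that matched (hex); 0 = none
    avgint: int    # average seconds between packets
    lstint: int    # seconds since the last packet


def parse_monlist(text):
    """Parse the table ntpdc prints; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or not parts[1].isdigit():
            continue
        remote, port, local, count, mode, ver, rstr, avgint, lstint = parts
        entries.append(MonEntry(remote, int(port), local, int(count), int(mode),
                                int(ver), rstr, int(avgint), int(lstint)))
    return entries


def unexpected_remotes(entries, expected=EXPECTED_PEERS):
    """Remotes that are not expected peers. Because ntpdc truncates the name
    column, a long expected name is also matched on its first 22 characters."""
    allowed = set(expected) | {name[:22] for name in expected}
    return [e for e in entries if e.remote not in allowed]


def clients_that_queried_us(entries):
    """Mode 3 entries: hosts that sent requests *to* this device instead of
    answering its polls. On a client-only box this list should be empty."""
    return [e for e in entries if e.mode == 3]


def report(text, expected=EXPECTED_PEERS):
    entries = parse_monlist(text)
    bad = unexpected_remotes(entries, expected)
    lines = [f"{len(entries)} entries, {len(bad)} unexpected"]
    for e in sorted(bad, key=lambda e: e.lstint):
        lines.append(f"  {e.remote:<22} port {e.port:<5} mode {e.mode} "
                     f"count {e.count:<6} last seen {e.lstint}s ago")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MONLIST_OUTPUT
    print(report(text))
```

Run it against the page's listing and it reports 7 unexpected remotes, all mode 3; a host that only ever sees its two configured servers reports 0.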

For "standard" Linux distributions the file to edit is /etc/ntp.conf; the path below (/etc/inet/ntp.client copied to /etc/inet/ntp.conf) is the Solaris equivalent, where ntp.client is the template that becomes ntp.conf. Add the restrict lines below and restart ntpd.

Two caveats on the lines as written. On ntpd 4.2 and later "notrust" means "deny unless the packet is cryptographically authenticated", so the default line refuses time service to everyone, and the plain restrict lines that follow re-open full access only for the listed servers and management hosts. The flag that actually closes the amplification hole is "noquery", which refuses mode 6 (ntpq) and mode 7 (ntpdc, including monlist) queries from every address the default line covers. On a host with IPv6, add matching "restrict -6 default ..." and "restrict ::1" lines, since older ntpd applies an unqualified "restrict default" to IPv4 only. "disable monitor" removes the monlist data altogether, and ntpd 4.2.7p26 and later no longer answer monlist by default.

edit /etc/inet/ntp.client -> ntp.conf (Linux: /etc/ntp.conf)

Added:

#added for DDoS prevention - don't allow any machine, except those w/o flags
restrict default notrust nomodify noquery
restrict 127.0.0.1
restrict 146.6.177.21
restrict 128.83.185.40
restrict 128.83.185.41
restrict 146.6.177.23
restrict 146.6.177.22
restrict 146.6.177.15
restrict 146.6.177.16
restrict 172.16.54.150
restrict 128.83.59.200
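To confirm the restriction took effect from a host that is not in the list, the raw mode 7 exchange can be done without ntpdc. The following is an added example, not code from the page or the ntp project: it builds the 8-byte MON_GETLIST_1 request that common scanners send, parses the 72-byte-per-entry replies an exposed ntpd returns (up to six entries per 440-byte packet), and reports the bytes-out per byte-in amplification. The reply used for offline testing is constructed with build_monlist_response(); after the restrict lines are in place, probe() against the device should time out and return an empty list.

```python
"""Raw NTP mode 7 MON_GETLIST_1 (monlist) probe and reply parser.

Added example, not code from the page. Run `python3 ntp_monlist_probe.py <host>`
from a machine that is NOT in the restrict list: a hardened ntpd stays silent
(probe() times out), an exposed one answers the 8-byte request with a burst of
440-byte packets.
"""
import socket
import struct

NTP_PORT = 123

# Mode 7 request: rm_vn_mode=0x17 (R=0, M=0, VN=2, mode=7), auth/seq=0,
# implementation=3 (IMPL_XNTPD), request=42 (REQ_MON_GETLIST_1),
# err|nitems=0, mbz|itemsize=0. Exactly the probe common scanners send.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

HDR_FMT = "!BBBBHH"   # rm_vn_mode, auth_seq, impl, request, err|nitems, mbz|itemsize
HDR_SIZE = struct.calcsize(HDR_FMT)
RESP_BIT, MORE_BIT = 0x80, 0x40
# struct info_monitor_1 on the wire: lasttime, firsttime, restr, count, addr,
# daddr, flags, port, mode, version, v6_flag, unused1, addr6, daddr6 (72 bytes)
ITEM_FMT = "!IIIIIIIHBBII16s16s"
ITEM_SIZE = struct.calcsize(ITEM_FMT)


def parse_monlist_response(packet):
    """Return (more_follows, entries) for one reply packet.

    Each entry is (remote_ip, port, count, mode, version): the columns ntpdc
    prints as 'remote address', 'port', 'count', 'm' and 'ver'.
    """
    if len(packet) < HDR_SIZE:
        raise ValueError("packet shorter than the mode 7 header")
    rm_vn_mode, _seq, impl, request, err_nitems, mbz_itemsize = struct.unpack(
        HDR_FMT, packet[:HDR_SIZE])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & RESP_BIT):
        raise ValueError("not a mode 7 response")
    if impl != 3 or request != 42:
        raise ValueError(f"unexpected implementation/request {impl}/{request}")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    if err:
        # A server that demands authentication answers with an error code;
        # a 'noquery' server does not answer at all.
        raise ValueError(f"server returned error code {err}")
    if nitems and itemsize < ITEM_SIZE:
        raise ValueError(f"item size {itemsize} too small for info_monitor_1")
    entries = []
    body = packet[HDR_SIZE:]
    for i in range(nitems):
        item = body[i * itemsize:i * itemsize + ITEM_SIZE]
        if len(item) < ITEM_SIZE:
            raise ValueError("truncated item list")
        (_last, _first, _restr, count, addr, _daddr, _flags, port, mode,
         version, v6_flag, _unused, addr6, _daddr6) = struct.unpack(ITEM_FMT, item)
        remote = (socket.inet_ntop(socket.AF_INET6, addr6) if v6_flag
                  else socket.inet_ntoa(struct.pack("!I", addr)))
        entries.append((remote, port, count, mode, version))
    return bool(rm_vn_mode & MORE_BIT), entries


def build_monlist_response(entries, more=False):
    """Build a reply the way an exposed ntpd would; used only to produce a
    constructed sample for offline testing. entries as the parser returns them."""
    items = b""
    for ip, port, count, mode, version in entries:
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        items += struct.pack(ITEM_FMT, 0, 0, 0, count, addr, 0, 0, port, mode,
                             version, 0, 0, b"\0" * 16, b"\0" * 16)
    flags = 0x17 | RESP_BIT | (MORE_BIT if more else 0)
    hdr = struct.pack(HDR_FMT, flags, 0, 3, 42, len(entries) & 0x0FFF, ITEM_SIZE)
    return hdr + items


def amplification_factor(request, replies):
    """Bytes returned per byte sent: what a spoofed request yields against the victim."""
    return sum(len(r) for r in replies) / len(request)


def probe(host, timeout=2.0, max_packets=100):
    """Send one monlist request and collect reply packets until the socket
    times out. Returns [] for a host that refuses mode 7 queries."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, NTP_PORT))
        while len(replies) < max_packets:
            data, _ = sock.recvfrom(1024)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    replies = probe(host)
    if not replies:
        print(f"{host}: no monlist reply (noquery / monitor disabled / mode 7 off)")
    else:
        entries = [e for pkt in replies for e in parse_monlist_response(pkt)[1]]
        print(f"{host}: {len(entries)} entries in {len(replies)} packets, "
              f"amplification ~{amplification_factor(MONLIST_REQUEST, replies):.0f}x")
        for remote, port, count, mode, version in entries:
            print(f"  {remote:<22} {port:>5} {count:>8} {mode} {version}")
```

A full 6-entry packet is 8 + 6 * 72 = 440 bytes, so even a single reply is 55x the request; a busy server returns its last 600 clients across up to 100 such packets, which is the whole amplification problem in one number. Only probe hosts you are responsible for.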

...

SSL v3 (for POODLE)

UDP Amplification Portmapper (RPCBind)