Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NTP

Command to scan device to view NTP connection responeses.

ntpdc -c monlist <IP address>

Example of command and output

Command:

ntpdc -c monlist 146.6.177.21

Ouput:

remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
ns1.utexas.edu           123 146.6.177.21       43244 4 4      0   1065       6
ns2.utexas.edu           123 146.6.177.21       43230 4 4      0   1065      62
security-scanner05.inf 61021 146.6.177.21           1 3 4      0    107     107
58.215.177.51          40205 146.6.177.21           1 3 4      0 1855107 1855107
matlock.infosec.utexas 57096 146.6.177.21           4 3 3      0 921718 1912102
cpe-173-174-33-58.aust 34854 146.6.177.21           4 3 4      0 481147 1924159
security-scanner142.in 43852 146.6.177.21           1 3 4      0 2212475 2212475
security-scanner113.in 56052 146.6.177.21           2 3 4      0 1444282 2887937
feederfish.infosec.ute 51834 146.6.177.21           7 3 4      0 696372 3045750

 

Note:  According to the ISO, the only remote addresses that connect to a device should be ns1.utexas.edu and ns2.utexas.edu

For "standard" Linux distributions, devices should be configured as such below to restrict remote NTP address connections

edit /etc/inet/ntp.client -> ntp.conf

Added:

#added for DDoS prevention - don't allow any machine, except those w/o flags
restrict default notrust nomodify noquery
restrict 127.0.0.1
restrict 146.6.177.21
restrict 128.83.185.40
restrict 128.83.185.41
restrict 146.6.177.23
restrict 146.6.177.22
restrict 146.6.177.15
restrict 146.6.177.16
restrict 172.16.54.150
restrict 128.83.59.200

Note:  The IP addresses listed in the configuration file example are the devices allowed to access NTP service.  Additional examples could be needed.

Access Control Lists (ACLs)

A request to ITS-Networking can also be sent to create an ACL rule at the router level to restrict NTP to a specific device

Example:

Device IP:  129.116.109.34
Device MAC:  5cf3.fc27.9ba4
Device VLAN: 350

ACL Example:

no ip access-list extended UTL_block_telepresence_ntp
ip access-list extended UTL_block_telepresence_ntp
remark deny all NTP except for UT NTP servers
permit udp host 128.83.185.40 host 129.116.109.34 eq ntp
permit udp host 128.83.185.41 host 129.116.109.34 eq ntp
deny   udp any                host 129.116.109.34 eq ntp
remark allow everything else
permit ip any any

...

SSL v3 (for POODLE)

UDP Amplification Portmapper (RPCBind)