This site is brought to you by the Electrical and Computer Engineering department
Network Time Protocol (NTP)
NTP
Command to scan a device and view its NTP connection responses:
ntpdc -c monlist <IP address>
Example of command and output
Command:
ntpdc -c monlist 146.6.177.21
Output:
remote address         port local address     count m ver rstr avgint lstint
===============================================================================
ns1.utexas.edu          123 146.6.177.21      43244 4 4     0  1065      6
ns2.utexas.edu          123 146.6.177.21      43230 4 4     0  1065     62
security-scanner05.inf 61021 146.6.177.21          1 3 4     0    107     107
58.215.177.51          40205 146.6.177.21          1 3 4     0 1855107 1855107
matlock.infosec.utexas 57096 146.6.177.21          4 3 3     0  921718 1912102
cpe-173-174-33-58.aust 34854 146.6.177.21          4 3 4     0  481147 1924159
security-scanner142.in 43852 146.6.177.21          1 3 4     0 2212475 2212475
security-scanner113.in 56052 146.6.177.21          2 3 4     0 1444282 2887937
feederfish.infosec.ute 51834 146.6.177.21          7 3 4     0  696372 3045750
Note: According to the ISO, the only remote addresses that should appear as NTP connections to a device are ns1.utexas.edu and ns2.utexas.edu. Any other remote address in the monlist output indicates the device is answering NTP queries it should not.
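As an added check (example code written for this page, not part of the original), the following parses `ntpdc -c monlist` output and lists every remote address that is not one of the two permitted servers. The sample text is constructed from the output shown above; the allow list is assumed from the note.

```python
# Constructed sample: rows taken from the monlist output shown on this page.
SAMPLE_MONLIST = """\
remote address         port local address     count m ver rstr avgint lstint
===============================================================================
ns1.utexas.edu          123 146.6.177.21      43244 4 4     0  1065      6
ns2.utexas.edu          123 146.6.177.21      43230 4 4     0  1065     62
security-scanner05.inf 61021 146.6.177.21          1 3 4     0    107     107
58.215.177.51          40205 146.6.177.21          1 3 4     0 1855107 1855107
feederfish.infosec.ute 51834 146.6.177.21          7 3 4     0  696372 3045750
"""

# Remote addresses permitted by local policy (assumed from the note above).
ALLOWED_REMOTES = {"ns1.utexas.edu", "ns2.utexas.edu"}

# Column order of an ntpdc monlist row.
FIELDS = ("remote", "port", "local", "count", "mode",
          "version", "restrict", "avgint", "lstint")
INT_FIELDS = FIELDS[1:2] + FIELDS[3:]


def parse_monlist(text):
    """Parse monlist output into a list of dicts; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly nine tokens and a numeric port column.
        if len(parts) != len(FIELDS) or not parts[1].isdigit():
            continue
        entry = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def unexpected_remotes(entries, allowed=ALLOWED_REMOTES):
    """Return (remote, packet count) for every peer not on the allow list.

    Note that monlist truncates long hostnames, so allow-list entries must
    match the truncated form ntpdc prints.
    """
    return [(e["remote"], e["count"]) for e in entries if e["remote"] not in allowed]


if __name__ == "__main__":
    for remote, count in unexpected_remotes(parse_monlist(SAMPLE_MONLIST)):
        print(f"unexpected NTP peer {remote} ({count} packets)")
```

A device that returns no monlist data at all (the normal result once `noquery` is in place) simply yields an empty list.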
For "standard" Linux distributions, configure devices as shown below to restrict which remote addresses may connect to the NTP service.
Edit /etc/inet/ntp.client -> ntp.conf and add the following lines:
#added for DDoS prevention - don't allow any machine, except those w/o flags
restrict default notrust nomodify noquery
restrict 127.0.0.1
restrict 128.83.185.40
restrict 128.83.185.41
Note: The IP addresses listed in the configuration example are the devices allowed to access the NTP service; additional restrict entries may be needed for other permitted hosts.
Access Control Lists (ACLs)
A request can also be sent to ITS-Networking to create an ACL rule at the router level that restricts NTP traffic to a specific device.
Example:
Device IP: 129.116.109.34
Device MAC: 5cf3.fc27.9ba4
Device VLAN: 350
ACL Example:
no ip access-list extended UTL_block_telepresence_ntp
ip access-list extended UTL_block_telepresence_ntp
remark deny all NTP except for UT NTP servers
permit udp host 128.83.185.40 host 129.116.109.34 eq ntp
permit udp host 128.83.185.41 host 129.116.109.34 eq ntp
deny  udp any               host 129.116.109.34 eq ntp
remark allow everything else
permit ip any any
interface vlan 350
ip access-group UTL_block_telepresence_ntp out