Security Incidents mailing list archives

Re: NTP scan ????


From: John Kristoff <jtk () depaul edu>
Date: Thu, 28 Feb 2002 09:36:44 -0600

On 27 Feb 2002 10:43:19 +1300
Russell Fulton <R.FULTON () auckland ac nz> wrote:

Just picked up a SYN scan for NTP.  There were problems with xntp a
while back, I wonder if there is now an exploit out there...

That seems unlikely since NTP runs on UDP.

While I'm here, someone may find these templates to secure NTP on *nix
systems and ciscos useful.

The /etc/ntp.conf file should look as follows:

---8< cut here >8---
# default file location - /etc/ntp.conf
#
# Don't serve time/stats, don't allow others to talk to you
restrict default notrust nomodify noquery notrap nopeer ignore

# primary time server
server <host.domain> prefer

# add secondaries if necessary
# server <host.domain>

# If you have a well known netblock from which you'll get time
# put that block here, you could also specify individual hosts.
# The server(s) above must be covered by an entry like this one:
# with "ignore" in the default restrict, ntpd drops their replies otherwise.
restrict a.b.c.0 mask 255.255.255.0 nomodify noquery notrap nopeer

# Default time drift file
driftfile /etc/ntp.drift

# Log time changes/events in case analysis is needed later
logconfig =syncevents +peerevents +sysevents +allclock
---8< cut here >8---

In the global config on Ciscos:

! default deny everything
access-list 1 deny any
! permit only ntp server to talk ntp with cisco
! a.b.c.d is your ntp server or use a netblock if necessary
access-list 2 permit a.b.c.d
access-list 2 deny any
ntp access-group query-only 1
ntp access-group peer 2
ntp access-group serve 1
ntp access-group serve-only 1
ntp server a.b.c.d

John
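The ntp.conf template above relies on a "restrict default ... ignore" line plus a more specific netblock entry that admits the time servers. The following checker, an added example and not part of John's post, parses an ntp.conf, applies ntpd's most-specific-match rule for restrict entries, and reports any configured server whose replies the daemon would ignore; the sample config and its addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample modelled on the template in the post; addresses are
# documentation ranges, not real time servers. 198.51.100.7 is deliberately
# left outside the permitted netblock so the checker has something to flag.
SAMPLE_CONF = """
restrict default notrust nomodify noquery notrap nopeer ignore
server 192.0.2.10 prefer
server 198.51.100.7
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery notrap nopeer
driftfile /etc/ntp.drift
"""

def parse_ntp_conf(text):
    """Return (servers, restricts); restricts is a list of (network, flag set)."""
    servers, restricts = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "server":
            servers.append(fields[1])
        elif fields[0] == "restrict":
            if fields[1] == "default":
                net, flags = ipaddress.ip_network("0.0.0.0/0"), fields[2:]
            elif len(fields) > 3 and fields[2] == "mask":
                net = ipaddress.ip_network(f"{fields[1]}/{fields[3]}", strict=False)
                flags = fields[4:]
            else:                                   # single host, no mask given
                net, flags = ipaddress.ip_network(f"{fields[1]}/32"), fields[2:]
            restricts.append((net, set(flags)))
    return servers, restricts

def effective_flags(addr, restricts):
    """The most specific (longest prefix) matching restrict entry applies."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, flags in restricts:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else set()

def ignored_servers(text):
    """Servers whose packets ntpd would drop because 'ignore' applies to them."""
    servers, restricts = parse_ntp_conf(text)
    flagged = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            continue  # hostname: cannot be checked offline without resolving it
        if "ignore" in effective_flags(s, restricts):
            flagged.append(s)
    return flagged
```

Run ignored_servers() over a real /etc/ntp.conf before deploying the template; an empty list means every IP-addressed server is admitted by a more specific restrict entry.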

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com