Thursday 26 February 2015

NTP attacks

There are a lot of NTP reflection attacks currently being launched, so it is vital that you check whether your version of NTP is vulnerable.

Run xntpdc as root:

# xntpdc
xntpdc> host <Your server name>
current host set to XXXX
xntpdc> monlist
***Server reports data not found

xntpdc> listpeers
client    ntp1.XXX
client    ntp0.XXX
broadcast 172.27.1.127

The monlist command should not return any results. You can also launch it directly from the command-line as follows:

# xntpdc -c monlist <IP_Address>
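The check above is read by eye. The following Python script, added here and not part of the original post, classifies captured `xntpdc -c monlist` output so the same check can run unattended against your own servers (for example from cron, failing when the server answers). The sample outputs are constructed in the layout xntpdc prints, with addresses from the RFC 5737 documentation ranges.

```python
"""Classify the output of `xntpdc -c monlist <host>` run against your own NTP server.

Added example, not part of the original post. Pipe the command output in:
    xntpdc -c monlist <your_server> | python3 check_monlist.py
Exit status is 1 when the server answered monlist, so the check can run from cron.
"""
import sys
from typing import Tuple

# xntpdc/ntpdc prefix every error line with three asterisks; this is the one
# that means the monitor list is empty or the request was refused.
NOT_FOUND = "***Server reports data not found"


def classify_monlist(output: str) -> Tuple[str, int]:
    """Return (verdict, entry_count) for captured monlist output.

    verdict is one of
      "not-exposed": the server returned no monitor data
      "exposed":     the server listed one or more monitored clients
      "unknown":     timeout, connection refused or unrecognised output
    """
    lines = [line.rstrip() for line in output.splitlines() if line.strip()]
    if not lines:
        return "unknown", 0
    if any(line.startswith(NOT_FOUND) for line in lines):
        return "not-exposed", 0
    # Any other "***" line is an error (timed out, connection refused): the
    # server was not reached, so do not report it as safe.
    if any(line.startswith("***") for line in lines):
        return "unknown", 0
    # A real listing is a column header, a rule of '=' signs, then one row per client.
    header = next((i for i, line in enumerate(lines)
                   if line.lstrip().startswith("remote address")), None)
    if header is None:
        return "unknown", 0
    rows = [line for line in lines[header + 1:] if not line.startswith("=")]
    return ("exposed" if rows else "not-exposed"), len(rows)


# Constructed sample outputs in the layout xntpdc prints (addresses from the
# RFC 5737 documentation ranges).
SAFE_OUTPUT = "***Server reports data not found\n"
TIMEOUT_OUTPUT = "***Request timed out\n"
EXPOSED_OUTPUT = """\
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.0.2.10               123 198.51.100.5        1842 3 3      0      3       1
192.0.2.77              4321 198.51.100.5          31 7 2      0     12       9
"""


def main() -> int:
    verdict, count = classify_monlist(sys.stdin.read())
    print(f"monlist: {verdict} ({count} entries)")
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main())
```

A timeout or connection-refused error is deliberately reported as "unknown" rather than "not-exposed": the daemon may simply have been unreachable from where the check ran, which proves nothing about what it would tell an Internet host.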

If you have any questions about the configuration of the "/etc/ntp.conf" file you can consult the sample files provided as standard by AIX in the "/usr/samples/xntp" directory:

/usr/samples/xntp/default.conf
/usr/samples/xntp/example.keys
/usr/samples/xntp/localclock.conf
/usr/samples/xntp/ntp.copyrights

If you are using AIX 7.1 you should already have NTPv4 installed, otherwise if you are running AIX 6.1 TL6 (or later) you can download the packages from the "AIX Web Download Pack Programs" site.

NTP4 Install images v7.1.0.3 for AIX 7.1
  ntp4-7.1.0.3.tar (1.45 MB)
README-7.1.0.3
  README-7.1.0.3.txt (317 B)
NTP4 Install images v6.1.6.3 for AIX 6.1
  ntp4-6.1.6.3.tar (1.45 MB)
README-6.1.6.3
  README-6.1.6.3.txt (317 B)

It is a good idea to install this version because even the standard version of NTPv4 on AIX 7.1 is affected by the following vulnerabilities:

CVE-2014-9293: Weak default key
CVE-2014-9294: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys
CVE-2014-9295: Buffer overflow
NTP4-6.1.6.3 for AIX 6.1 contains the fix for the above vulnerabilities.

To restrict the hosts that NTP will respond to, edit the "/etc/ntp.conf" file:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
or
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

https://support.ntp.org/bin/view/Support/AccessRestrictions
http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.files/ntp.htm

You can also further harden your NTP daemon by installing keys:

# /usr/sbin/ntpkeygen4

To use the authentication key file /etc/ntp.new.keys, restart the xntpd daemon as follows:

# /usr/sbin/xntpd -k /etc/ntp.new.keys

The keys are stored in "/etc/ntp.keys" and the daemon will ignore requests from anyone who does not use this key.
If you are using NTPv3, the xntpd executable does not exist.
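The restrict lines and the key file above are the two settings that matter most, and both are easy to get half right. This Python audit script, added here and not part of the original post, parses an ntp.conf and reports when the default restriction still allows queries such as monlist, when an allow line lacks the nomodify and notrap flags the post recommends, and when no keys/trustedkey pair is configured. The directive and flag names (restrict, mask, ignore, noquery, nomodify, notrap, nopeer, disable monitor, keys, trustedkey) are standard ntp.conf syntax; the two sample configurations are constructed.

```python
"""Audit an xntpd/ntpd configuration for the access restrictions and key
authentication described above.

Added example, not part of the original post. The directive and flag names
(restrict, mask, ignore, noquery, nomodify, notrap, nopeer, disable monitor,
keys, trustedkey) are standard ntp.conf syntax; the sample configurations
below are constructed. Usage: python3 audit_ntp_conf.py /etc/ntp.conf
"""
import sys
from typing import Dict, List, Set

# Flags the post puts on every restrict line. nopeer is worth adding too, but
# the post offers a variant without it, so its absence is not flagged here.
REQUIRED_FLAGS = {"nomodify", "notrap"}
# Either of these on "restrict default" stops unlisted hosts from issuing
# queries such as monlist; "disable monitor" switches the listing off entirely.
QUERY_BLOCKERS = {"ignore", "noquery"}
# The local host is commonly left unrestricted so ntpq/xntpdc work on the box.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_conf(text: str) -> List[List[str]]:
    """Return each effective directive as a token list, comments removed."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def audit_ntp_conf(text: str) -> List[str]:
    """Return findings for the configuration; an empty list means none found."""
    findings: List[str] = []
    restricts: Dict[str, Set[str]] = {}
    keywords: Set[str] = set()
    for tokens in parse_conf(text):
        kw = tokens[0]
        keywords.add(kw)
        if kw == "restrict" and len(tokens) > 1:
            args = tokens[1:]
            if args[0] in ("-4", "-6"):          # optional address-family switch
                args = args[1:]
            target, flags = args[0], args[1:]
            if len(flags) >= 2 and flags[0] == "mask":
                target = f"{target}/{flags[1]}"  # fold "mask x.x.x.x" into the target
                flags = flags[2:]
            restricts[target] = set(flags)
        elif kw == "disable" and "monitor" in tokens[1:]:
            keywords.add("disable monitor")

    # 1. Can an arbitrary host still run monlist?
    default = restricts.get("default")
    if "disable monitor" not in keywords and (default is None or not (default & QUERY_BLOCKERS)):
        findings.append("restrict default lacks noquery/ignore and monitor is enabled: "
                        "monlist is reachable from any host")

    # 2. Do the explicit allow lines carry the flags the post recommends?
    for target, flags in restricts.items():
        if target == "default" or target in LOOPBACK or "ignore" in flags:
            continue
        missing = REQUIRED_FLAGS - flags
        if missing:
            findings.append(f"restrict {target}: missing {' '.join(sorted(missing))}")

    # 3. Is symmetric-key authentication configured at all?
    if "keys" not in keywords:
        findings.append("no keys directive: requests are not authenticated")
    elif "trustedkey" not in keywords:
        findings.append("keys directive present but no trustedkey: no key id is trusted")
    return findings


# Constructed: a permissive configuration with no restrict lines and no keys.
WEAK_CONF = """\
server ntp1.example.com
server ntp0.example.com
driftfile /etc/ntp.drift
"""

# Constructed: the same servers with the restrictions and key file from the post.
HARDENED_CONF = """\
server ntp1.example.com key 1
server ntp0.example.com key 1
driftfile /etc/ntp.drift
restrict default ignore                  # answer nobody unless listed below
restrict 127.0.0.1                       # local ntpq/xntpdc keep working
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
restrict ntp1.example.com nomodify notrap noquery
restrict ntp0.example.com nomodify notrap noquery
keys /etc/ntp.keys
trustedkey 1
"""


def main(path: str) -> int:
    with open(path) as fh:
        findings = audit_ntp_conf(fh.read())
    for finding in findings:
        print("WARN:", finding)
    print("ok" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/etc/ntp.conf"))
```

Note that the restrict lines quoted in the post, applied to a subnet on their own, only limit what that subnet may do; without a "restrict default" line that includes noquery or ignore (or "disable monitor"), every other host can still issue monlist, which is the first thing the audit reports.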

You can check or switch between NTP versions by manipulating the symbolic links:

$ ls -ld /usr/sbin/ntp*
drwxr-xr-x    2 root     system          256 Dec 15 18:06 /usr/sbin/ntp3
lrwxrwxrwx    1 root     system           22 Dec 15 18:06 /usr/sbin/ntpdate -> /usr/sbin/ntp3/ntpdate
lrwxrwxrwx    1 root     system           19 Dec 15 18:06 /usr/sbin/ntpq -> /usr/sbin/ntp3/ntpq
lrwxrwxrwx    1 root     system           23 Dec 15 18:06 /usr/sbin/ntptrace -> /usr/sbin/ntp3/ntptrace
