There are a lot of NTP reflection attacks currently being launched, so it is vital that you check whether your version of NTP is vulnerable.
Run xntpdc as root:
# xntpdc
xntpdc> host <Your server name>
current host set to XXXX
xntpdc> monlist
***Server reports data not found
xntpdc> listpeers
client ntp1.XXX
client ntp0.XXX
broadcast 172.27.1.127
The monlist command should not return any results. You can also launch it directly from the command-line as follows:
# xntpdc -c monlist <IP_Address>
If you have any questions about the configuration of the "/etc/ntp.conf" file you can consult the sample files provided as standard by AIX in the "/usr/samples/xntp" directory:
/usr/samples/xntp/default.conf
/usr/samples/xntp/example.keys
/usr/samples/xntp/localclock.conf
/usr/samples/xntp/ntp.copyrights
If you are using AIX 7.1 you should already have NTPv4 installed, otherwise if you are running AIX 6.1 TL6 (or later) you can download the packages from the "AIX Web Download Pack Programs" site.
NTP4 Install images v7.1.0.3 for AIX 7.1
ntp4-7.1.0.3.tar (1.45 MB)
README-7.1.0.3
README-7.1.0.3.txt (317 B)
NTP4 Install images v6.1.6.3 for AIX 6.1
ntp4-6.1.6.3.tar (1.45 MB)
README-6.1.6.3
README-6.1.6.3.txt (317 B)
It is a good idea to install this version because even the standard version of NTPv4 on AIX 7.1 is affected by the following vulnerabilities:
CVE-2014-9293: Weak default key
CVE-2014-9294: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys
CVE-2014-9295: Buffer overflow
NTP4-6.1.6.3 for AIX 6.1 contains the fix for the above vulnerabilities.
To restrict the hosts that NTP will respond to edit the "/etc/ntp.conf" file:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
or
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
https://support.ntp.org/bin/view/Support/AccessRestrictions
http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.files/ntp.htm
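Not every restrict flag helps against reflection. As an added example (not code from the post or from the NTP project), here is a small Python checker that parses the restrict lines of an ntp.conf and reports, for a given client address, whether monlist would still be answered. It assumes the standard ntpd rule that the most specific matching restrict entry applies to a client, and that monlist (a mode 7 query) is refused only when noquery or ignore is in effect; the ntp.conf text is constructed for the example, with the LAN line copied from the one shown above.

```python
import ipaddress

# Constructed sample ntp.conf for this example (not a file from any real
# server). The 192.168.1.0 line mirrors the restrict line shown in the post.
SAMPLE_NTP_CONF = """\
server ntp0.example.invalid
server ntp1.example.invalid
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
"""


def parse_restrict_lines(conf_text):
    """Return [(IPv4Network, set_of_flags)] for every 'restrict' directive.

    'restrict default ...'        -> 0.0.0.0/0
    'restrict A.B.C.D mask M ...' -> A.B.C.D/M
    'restrict A.B.C.D ...'        -> A.B.C.D/32 (single host)
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "restrict" or len(parts) < 2:
            continue
        if parts[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), set(parts[2:])
        elif len(parts) >= 4 and parts[2] == "mask":
            # ip_network accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
            flags = set(parts[4:])
        else:
            net, flags = ipaddress.ip_network(f"{parts[1]}/32"), set(parts[2:])
        rules.append((net, flags))
    return rules


def effective_flags(rules, client_ip):
    """ntpd applies the most specific (longest prefix) matching entry."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, flags in rules:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else set()


def monlist_exposed(rules, client_ip):
    """monlist is a mode 7 control query. nomodify/notrap/nopeer do not
    stop it; only 'noquery' (or 'ignore', which drops everything) does."""
    flags = effective_flags(rules, client_ip)
    return not (flags & {"noquery", "ignore"})


def audit(conf_text, client_ips):
    """Return {client_ip: True if monlist would still be answered}."""
    rules = parse_restrict_lines(conf_text)
    return {ip: monlist_exposed(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    sample_clients = ["203.0.113.5", "192.168.1.20", "127.0.0.1"]
    for ip, exposed in audit(SAMPLE_NTP_CONF, sample_clients).items():
        print(f"{ip:15} monlist {'EXPOSED' if exposed else 'blocked'}")
```

Run against the sample, it shows that the LAN entry from the post (nomodify notrap nopeer) still answers monlist for hosts in 192.168.1.0/24, while the default entry with noquery blocks it from everywhere else; the AIX manual page linked above documents the individual flags.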
You can also further harden your NTP daemon by installing keys:
# /usr/sbin/ntpkeygen4
To use the authentication key file /etc/ntp.new.keys, restart the xntpd daemon as follows:
# /usr/sbin/xntpd -k /etc/ntp.new.keys
The keys are stored in "/etc/ntp.keys" and the daemon will ignore requests from anyone who does not use this key.
If you are using NTPv3 the xntpd executable does not exist.
You can check or switch between NTP versions by manipulating the symbolic links:
$ ls -ld /usr/sbin/ntp*
drwxr-xr-x 2 root system 256 Dec 15 18:06 /usr/sbin/ntp3
lrwxrwxrwx 1 root system 22 Dec 15 18:06 /usr/sbin/ntpdate -> /usr/sbin/ntp3/ntpdate
lrwxrwxrwx 1 root system 19 Dec 15 18:06 /usr/sbin/ntpq -> /usr/sbin/ntp3/ntpq
lrwxrwxrwx 1 root system 23 Dec 15 18:06 /usr/sbin/ntptrace -> /usr/sbin/ntp3/ntptrace
Thursday, 26 February 2015
Wednesday, 18 February 2015
Cimserver
The cimserver service is installed as standard with AIX 6.1 and is started from the "/etc/inittab":
$ grep cim /etc/inittab
cimservices:2:once:/usr/bin/startsrc -s cimsys >/dev/null 2>&1
This service can be disabled if Director is not installed.
When first installed the cimserver is configured with a test certificate, and this can be a problem for your corporate security policy. To view the test certificate:
$ cd /opt/freeware/cimom/pegasus/etc
$ openssl x509 -noout -in ./cert.pem -subject -dates -hash -fingerprint
subject= /C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=PEGASUS TEST CERTIFICATE-DO NOT USE
notBefore=Aug 27 09:09:25 2014 GMT
notAfter=Aug 24 09:09:25 2024 GMT
0e7a49a9
SHA1 Fingerprint=8C:95:90:02:73:E4:9A:06:26:77:16:F2:98:28:EA:77:B1:94:72:DB
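A check like the one above is easy to automate across a fleet. As an added example (not code from the post or from the OpenPegasus project), here is a Python script that parses the openssl x509 summary output and flags the default test certificate and approaching expiry. The sample input is the output shown above, embedded so the script runs offline, and the "known default" fingerprint it looks for is simply the one printed in the post.

```python
import re
from datetime import datetime, timezone, timedelta

# Sample input: the openssl x509 output shown in the post for the
# OpenPegasus test certificate (embedded here so the check runs offline).
SAMPLE_OPENSSL_OUTPUT = """\
subject= /C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=PEGASUS TEST CERTIFICATE-DO NOT USE
notBefore=Aug 27 09:09:25 2014 GMT
notAfter=Aug 24 09:09:25 2024 GMT
0e7a49a9
SHA1 Fingerprint=8C:95:90:02:73:E4:9A:06:26:77:16:F2:98:28:EA:77:B1:94:72:DB
"""

# Fingerprint of the test certificate as printed in the post; treated here
# as the "known default" value to look for (assumption for this example).
PEGASUS_TEST_CERT_SHA1 = "8C:95:90:02:73:E4:9A:06:26:77:16:F2:98:28:EA:77:B1:94:72:DB"

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Aug 27 09:09:25 2014 GMT"


def _parse_date(s):
    return datetime.strptime(s.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_x509_summary(text):
    """Parse 'openssl x509 -noout -subject -dates -hash -fingerprint' output."""
    info = {"subject": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            # old-style openssl prints the DN as /C=..../O=.../CN=...
            dn = line[len("subject="):].strip().strip("/")
            for part in dn.split("/"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    info["subject"][key] = value
        elif line.startswith("notBefore="):
            info["not_before"] = _parse_date(line[len("notBefore="):])
        elif line.startswith("notAfter="):
            info["not_after"] = _parse_date(line[len("notAfter="):])
        elif "Fingerprint=" in line:
            info["fingerprint"] = line.split("Fingerprint=", 1)[1].strip().upper()
        elif re.fullmatch(r"[0-9a-f]{8}", line):
            info["subject_hash"] = line  # the -hash output
    return info


def cert_findings(info, today, warn_days=30):
    """Return a set of finding labels for the parsed certificate."""
    findings = set()
    cn = info["subject"].get("CN", "")
    if "TEST CERTIFICATE" in cn.upper() or info.get("fingerprint") == PEGASUS_TEST_CERT_SHA1:
        findings.add("default test certificate")
    if today < info["not_before"]:
        findings.add("not yet valid")
    if today > info["not_after"]:
        findings.add("expired")
    elif info["not_after"] - today <= timedelta(days=warn_days):
        findings.add("expires soon")
    return findings


def check_output(text, on_date="2015-02-18"):
    """Parse openssl output and evaluate it as of an ISO date (YYYY-MM-DD)."""
    today = datetime.strptime(on_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return cert_findings(parse_x509_summary(text), today)


if __name__ == "__main__":
    print(sorted(check_output(SAMPLE_OPENSSL_OUTPUT)))
```

The CN match catches the shipped test certificate even on a host where it was regenerated with the same subject, and the date checks give the same script a second use once a proper certificate is in place.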
To generate and install a new certificate follow these instructions:
$ cat /opt/freeware/cimom/pegasus/etc/cimlistener.conf
listenerPort="6988"
consumerDir="/usr/lib"
consumerConfigDir="../data/indication"
traceFilePath="/opt/freeware/cimom/pegasus/logs/cimlistener.trc"
#traceComponents="LISTENER"
#traceLevel="4"
The cimserver configuration file is /opt/freeware/cimom/pegasus/etc/cimserver_current.conf; however, this file should not be edited directly. To make changes use the cimconfig command. The default behaviour is to use SSL for communications, although this can also be disabled if required.