ntp needs attention

List overview All Threads
Download

newer

older

DDoS attack targeted on my exit...

Hibernation and Guard flag

Felix

22 Dec 2014 22 Dec '14

8:42 a.m.

See: https bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576

Debian will be fixed by 'apt-get update' and 'apt-get upgrade'. dpkg.log tells if the fix is in place: https security-tracker.debian.org/tracker/CVE-2014-9293 ...

Cheers!

Show replies by date

usprey

22 Dec 22 Dec

9:05 a.m.

phk to the rescue!

See https://github.com/bsdphk/Ntimed for upcoming ntpd replacement.

On 22 December 2014 at 09:42, Felix zwiebel@quantentunnel.de wrote:

...

Hi

See: https bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576

Debian will be fixed by 'apt-get update' and 'apt-get upgrade'. dpkg.log tells if the fix is in place: https security-tracker.debian.org/tracker/CVE-2014-9293 ...

Cheers! _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Richard Johnson

7:58 p.m.

On 2014-12-22 01:42, Felix wrote:

...

Hi

See: https bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576

There's as of yet no update from Apple applicable to those relays running on Mac OS X.

In the interim, I've reconfigured ntpd on the Macs to deny queries (steps below). This may prevent their default-listening ntp.org/UDel ntpd from seeing and being affected by the potential single packet exploits.

In the medium term, I'll be switching to something like 'sudo port install openntpd' and trying to kill off the bundled UDel ntpd on Mac OS X in favor of the replacement. (That service replacment might succeed, but if so it will probably require defeating the ghost of Steve Jobs along the way...)

More info on the bugs: http://bugs.ntp.org/show_bug.cgi?id=2668 http://www.kb.cert.org/vuls/id/852879 https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01 https://access.redhat.com/security/cve/CVE-2014-9295 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296

Richard

------- 1) Confirm ntpd listener on by default and responding to other hosts (such as one running the nmap scanner):

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA} ... PORT STATE SERVICE VERSION 123/udp open ntp NTP v4 | ntp-info: |_ receive time stamp: Sat Dec 20 00:49:36 2014

2) Edit ntp config:

-------8<------- --- /private/etc/ntp-restrict.conf.old +++ /private/etc/ntp-restrict.conf @@ -2,8 +2,8 @@ # http://support.ntp.org/bin/view/Support/AccessRestrictions # Limit network machines to time queries only

-restrict default kod nomodify notrap nopeer noquery -restrict -6 default kod nomodify notrap nopeer noquery +restrict default kod nomodify notrap nopeer noquery ignore +restrict -6 default kod nomodify notrap nopeer noquery ignore

# localhost is unrestricted restrict 127.0.0.1 -------8<-------

3) Send a HUP to reload the config:

$ sudo killall -HUP ntpd

4) Confirm ntpd still running after HUP:

$ ps -axw | grep ntpd | grep -v grep 51928 ?? 0:00.02 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf ...

5) Confirm ntpd listener now off [1] by default:

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA} ... PORT STATE SERVICE 123/udp open|filtered ntp

3608

Age (days ago)

3608

Last active (days ago)

tor-relays@lists.torproject.org

2 comments

3 participants

tags (0)

participants (3)

Felix
Richard Johnson
usprey