NTP insecure defaults


NTP insecure defaults

Mart van de Wege
My hosting provider recently pointed my attention to the fact that my
Jessie installation was running NTP and listening and responding to the
outside world, which is considered a security risk due to the
possibility of amplification attack DDoSes.

Turns out the Debian default is indeed to provide time service if you
install NTP. Shouldn't that be limited to localhost only, so that an
admin must deliberately open up the service if they want to provide NTP
service to the outside world?

I thought of opening a bug, but I'd like a second opinion
first. Thoughts anyone?

Mart

--
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.


Re: NTP insecure defaults

Michael Luecke-8
On 01/07/2017 09:33 AM, Mart van de Wege wrote:
> Turns out the Debian default is indeed to provide time service if you
> install NTP. Shouldn't that be limited to localhost only, so that an
> admin must deliberately open up the service if they want to provide NTP
> service to the outside world?

Did you install any package that suggested or depended on the ntp
package? Because on my system, the ntp package is not installed. ntp is
handled by systemd-timesyncd. So the current Debian installer does not
install ntp by default, in my opinion.

I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked
into the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by default.

> I thought of opening a bug, but I'd like a second opinion
> first. Thoughts anyone?

I think you should give us a few more details before filing a bug
report (what did you install, which files did you change, ...).

-- Michael


Re: NTP insecure defaults

Eero Volotinen-2
Hi,

Default ntpd always listens on all interfaces. You need to install openntpd or limit access to the ntp port with iptables.

--
Eero



Re: NTP insecure defaults

Henrique de Moraes Holschuh
On Sat, 07 Jan 2017, Eero Volotinen wrote:
> Default ntpd always listens on all interfaces. You need to install

You can restrict the standard ntp daemon services, and it won't *reply*.
You can also restrict its bind addresses, so it won't listen to every
interface it detects.

Usually, high-gain amplification attacks are the only thing we need to
restrict by default, and those are restricted to localhost by default in
Debian (I don't know since when, but Debian Jessie's defaults are
correct).

> openntpd or limit access to ntp port with iptables.

If you're limiting access to the ntp port, it doesn't matter if you use
secure but incomplete openntpd, or horrid-security-track-record but
fully-fledged ntpd.

For client-only, openntpd is likely a better choice, yes.  Better yet,
use "chrony", which is optimized for desktop/laptops (which get
disconnected/powered off/suspended often).

ntp - time servers, high-precision time clients.
openntpd - always-on medium-precision time clients.
chrony - everything else.

> > On 01/07/2017 09:33 AM, Mart van de Wege wrote:
> >> Turns out the Debian default is indeed to provide time service if you
> >> install NTP. Shouldn't that be limited to localhost only, so that an

We already limit the large-amplification attacks to localhost.  Regular
ntp service works out-of-the-box, that means allowing client-server
clock queries.  But regular ntp service has a low amplification factor,
so it is usually not considered a problem at the network level.

--
  Henrique Holschuh


Re: NTP insecure defaults

celejar
On Sat, 7 Jan 2017 09:30:55 -0200
Henrique de Moraes Holschuh <[hidden email]> wrote:

...

> For client-only, openntpd is likely a better choice, yes.  Better yet,
> use "chrony", which is optimized for desktop/laptops (which get
> disconnected/powered off/suspended often).
>
> ntp - time servers, high-precision time clients.
> openntpd - always-on medium-precision time clients.
> chrony - everything else.

Huh - I had given up on chrony about 8 years ago, due to the breakage
caused by bug #463518, but it looks like that got fixed (after a couple
of years of being broken), so I'm going to give it another whirl.

Celejar


Re: NTP insecure defaults

Mart van de Wege
In reply to this post by Michael Luecke-8
Michael Luecke <[hidden email]> writes:

> On 01/07/2017 09:33 AM, Mart van de Wege wrote:
>> Turns out the Debian default is indeed to provide time service if you
>> install NTP. Shouldn't that be limited to localhost only, so that an
>> admin must deliberately open up the service if they want to provide NTP
>> service to the outside world?
>
> Did you install any package that suggested or depended on the ntp
> package? Because on my system, the ntp package is not installed. ntp
> is handled by systemd-timesyncd. So the current Debian installer does
> not install the ntp by default in my opinion.
>
While I like systemd and its related projects, I have not yet switched
to systemd-timesyncd.

And I was not implying Debian installs ntp by default, merely that the
package comes with IMO insecure defaults.

> I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked
> into the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by
> default.
>
>> I thought of opening a bug, but I'd like a second opinion
>> first. Thoughts anyone?
>
> I think you should give us a little more details before filing a bug
> report (what did you install, which files did you change, ...).
>
See, that's why I asked for a second opinion.

I explicitly installed the ntp package, and mine came with this as
default:

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

I commented these out, and left the next stanza, which *is* a
restriction to localhost.

Mart

--
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.
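A check written from the defender's side, added here and not part of the thread: it classifies the restrict default policy of an ntp.conf along the lines Henrique draws (noquery is what refuses the high-gain control queries, while plain client-server time exchange stays allowed) and applies it to the Debian lines Mart quotes above. The sample configs are constructed inline and 192.0.2.10 is a placeholder upstream address. It also encodes one caveat worth knowing before editing those lines: a config with no active restrict default line at all is reported as open, because ntpd's built-in default entry carries no flags.

```shell
#!/bin/sh
# Added example, not from the thread: classify what an ntp.conf "restrict default"
# entry lets hosts matching no other restrict line do. Flags are deny bits:
#   closed  - "ignore": no reply at all to unlisted hosts (client-only machine)
#   limited - "noquery": time exchange allowed, mode 6/7 control queries refused
#   open    - neither: control queries (the high-gain amplification vector) answered
# No active "restrict default" line counts as "open" (ntpd's built-in default entry
# has no flags), and ntpd ORs the flags of all lines for one entry, so all are scanned.

has_flag() {   # $1 = text, $2 = flag word; true if the word appears on its own
    printf '%s\n' "$1" | grep -qE "(^|[[:space:]])$2([[:space:]]|\$)"
}
ntp_default_policy() {   # $1 = path to ntp.conf, $2 = address family (4 or 6)
    lines=$(grep -E "^[[:space:]]*restrict[[:space:]]+(-$2[[:space:]]+)?default([[:space:]]|\$)" "$1" || true)
    [ -n "$lines" ] || { echo open; return; }
    if has_flag "$lines" ignore; then echo closed
    elif has_flag "$lines" noquery; then echo limited
    else echo open; fi
}
ntp_audit() {   # one-line verdict for both address families of a config file
    echo "v4=$(ntp_default_policy "$1" 4) v6=$(ntp_default_policy "$1" 6)"
}

# Constructed sample 1: the Debian jessie default quoted in the thread.
write_jessie_default_conf() {
    cat > "$1" <<'EOF'
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
EOF
}
# Constructed sample 2: client-only. Unlisted hosts are dropped; the upstream
# server (192.0.2.10 is a placeholder) is admitted for time but not for control.
write_client_only_conf() {
    cat > "$1" <<'EOF'
restrict -4 default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
server 192.0.2.10 iburst
restrict 192.0.2.10 nomodify notrap nopeer noquery
EOF
}
# Stand-alone demo over both constructed samples.
for w in write_jessie_default_conf write_client_only_conf; do
    f=$(mktemp) && "$w" "$f" && echo "$w: $(ntp_audit "$f")" && rm -f "$f"
done
```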


Re: NTP insecure defaults

Mart van de Wege
In reply to this post by Henrique de Moraes Holschuh
Henrique de Moraes Holschuh <[hidden email]> writes:

>
> For client-only, openntpd is likely a better choice, yes.  Better yet,
> use "chrony", which is optimized for desktop/laptops (which get
> disconnected/powered off/suspended often).
>
> ntp - time servers, high-precision time clients.
> openntpd - always-on medium-precision time clients.
> chrony - everything else.
>
This is good to know. I fixed the open configuration myself, but next
time I know to install a different package if I want only to sync my
local time and not provide time service myself.

Mart

--
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.


Re: NTP insecure defaults

Teemu Likonen-2
In reply to this post by Mart van de Wege
Mart van de Wege [2017-01-09 08:37:48+01] wrote:

> While I like systemd and its related projects, I have not yet switched
> to systemd-timesyncd.

I switched to systemd-timesyncd yesterday and found it great. It just
works and is simpler than alternatives. Recipe:

  - Remove all other ntp server packages (ntp, chrony...).
  - As root, type "systemctl start systemd-timesyncd.service" to start
    the service in the current session.
  - As root, type "timedatectl set-ntp true" to make
    systemd-timesyncd.service start automatically in the future. That's
    actually very close to "systemctl enable --now
    systemd-timesyncd.service" which starts and enables the service.

Monitor your computer's time with "timedatectl" or "journalctl -f -u
systemd-timesyncd.service". Settings are in /etc/systemd/timesyncd.conf.

--
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
