Date:      Thu, 20 Mar 2014 14:37:54 -0700
From:      "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <45647.1395351474@server1.tristatelogic.com>
In-Reply-To: <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>

In message <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>, 
Charles Swiger <cswiger@mac.com> wrote:

>If you don't want to provide NTP service to the outside world, leave your existing
>deny rule in place but add permit rules to allow UDP traffic to and from the
>NTP servers which you want to sync time from.

I just now tried doing that, but what I tried doesn't seem to be working
at all as expected.  My effort has however revealed more of my ignorance
about ntpd and ntpdc.

Starting from these lines in my /etc/ntp.conf file:

server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

I resolved each of those three host names to _all_ of its associated
IPv4 addresses.  This yielded me the following list:

50.116.38.157
69.50.219.51
69.55.54.17
69.167.160.102
108.61.73.244
129.250.35.251
149.20.68.17
169.229.70.183
192.241.167.38
199.7.177.206
209.114.111.1
209.118.204.201

So I added the following new ipfw rules, just above the deny rule that I
currently have protecting my UDP port 123:

add pass udp from 50.116.38.157 123 to any in
add pass udp from 69.50.219.51 123 to any in
add pass udp from 69.55.54.17 123 to any in
add pass udp from 69.167.160.102 123 to any in
add pass udp from 108.61.73.244 123 to any in
add pass udp from 129.250.35.251 123 to any in
add pass udp from 149.20.68.17 123 to any in
add pass udp from 169.229.70.183 123 to any in
add pass udp from 192.241.167.38 123 to any in
add pass udp from 199.7.177.206 123 to any in
add pass udp from 209.114.111.1 123 to any in
add pass udp from 209.118.204.201 123 to any in

I then cd'd into /etc/rc.conf and executed the following (as root):

./ntpd stop
./ntpd start

Then, after a short while, I ran ntpdc again and executed the "peers" query
again.  Now I get this:

     remote           local      st poll reach  delay   offset    disp
=======================================================================
=cheezum.mattnor 69.62.255.118   16   64    0 0.00000  0.000000 3.99217
*server2.shellva 69.62.255.118    2   64  377 0.09827  0.021492 0.05600
=li506-17.member 69.62.255.118   16   64    0 0.00000  0.000000 3.99217

Obviously, this is better than before... I am now syncing with at least one
server (specifically 69.55.54.17 server2.shellvatore.us), *however* I have
checked the reverse DNS names associated with all 12 of the above listed
IPv4 addresses and none of those reverse DNS names begin with either
"cheezum.mattnor..." or "li506-17.member...".  So um, color me perplexed!
It appears that ntpdc is telling me that my local ntpd daemon is attempting
to query a couple of remote time servers that I never asked it to consult!
What's up with that?

Furthermore, and consistent with what ntpdc is telling me, only one of my
new firewall rules is even succeeding at letting any useful NTP packets
through, specifically ones being sent to me from server2.shellvatore.us:

01605          0             0 allow udp from 50.116.38.157 123 to any in
01610          0             0 allow udp from 69.50.219.51 123 to any in
01615         20          1520 allow udp from 69.55.54.17 123 to any in
01620          0             0 allow udp from 69.167.160.102 123 to any in
01625          0             0 allow udp from 108.61.73.244 123 to any in
01630          0             0 allow udp from 129.250.35.251 123 to any in
01635          0             0 allow udp from 149.20.68.17 123 to any in
01640          0             0 allow udp from 169.229.70.183 123 to any in
01645          0             0 allow udp from 192.241.167.38 123 to any in
01650          0             0 allow udp from 199.7.177.206 123 to any in
01655          0             0 allow udp from 209.114.111.1 123 to any in
01660          0             0 allow udp from 209.118.204.201 123 to any in

So, um, what the bleep goes on here?  Why is my ntpd only querying one of
the 12 possible IPv4 addresses it should be querying?  And why is it sending
queries to two servers that, as far as I can tell, I never told it to send
queries to, specifically:

	67.18.187.111	cheezum.mattnordhoff.net
	66.175.209.17	li506-17.members.linode.com

Is there some secret extra .conf file for ntpd that I don't know about?

For reference, my own complete & current /etc/ntp.conf file is attached below:

cut here
=============================================================================
#
# $FreeBSD: release/9.1.0/etc/ntp.conf 239608 2012-08-23 04:57:56Z delphij $
#
# Default NTP servers for the FreeBSD operating system.
#
# Don't forget to enable ntpd in /etc/rc.conf with:
# ntpd_enable="YES"
#
# The driftfile is by default /var/db/ntpd.drift, check
# /etc/defaults/rc.conf on how to change the location.
#

#
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronisation.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
#server 3.freebsd.pool.ntp.org iburst

#
# If you want to pick yourself which country's public NTP server
# you want sync against, comment out the above servers, uncomment
# the next ones and replace CC with the country's abbreviation.
# Make sure that the hostnames resolve to a proper IP address!
#
# server 0.CC.pool.ntp.org iburst
# server 1.CC.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst

#
# Security: Only accept NTP traffic from the following hosts.
# The following configuration example only accepts traffic from the
# above defined servers.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
# (This is the reason that by default they are commented out)
#
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0

#
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
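An added check, not code from Ronald's message or from the FreeBSD thread: it parses "ntpdc -n -c peers" style output next to "ipfw -a list" output and lists the peers with reach 0 that no inbound pass rule covers. Pool hostnames resolve to a rotating set of addresses, so the addresses ntpd picked when it started need not match a snapshot of A records taken later; comparing the two directly is the quickest way to see which peers the deny rule is still eating. It assumes numeric peer output with the tally character glued to the address, IPv4 only, and both samples below are constructed, not real pool addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Cross-checks the peers ntpd actually chose
# against the ipfw pass rules so that unreachable, uncovered peers stand out.
# Assumptions: peers output is "ntpdc -n -c peers" style (numeric IPv4 remote
# address with the tally character glued to it, reach in column 5); firewall
# output is "ipfw -a list" style. Both samples are constructed.

SAMPLE_PEERS='     remote           local      st poll reach  delay   offset    disp
=======================================================================
=192.0.2.10      198.51.100.99   16   64    0 0.00000  0.000000 3.99217
*198.51.100.7    198.51.100.99    2   64  377 0.09827  0.021492 0.05600
=203.0.113.5     198.51.100.99   16   64    0 0.00000  0.000000 3.99217'

SAMPLE_RULES='01605          0             0 allow udp from 198.51.100.7 123 to any in
01610          0             0 allow udp from 203.0.113.9 123 to any in
01700        132        10032 deny udp from any to any dst-port 123 in'

# peer_addrs < peers output: one remote address per line, tally character stripped.
# Skips the two header lines. IPv4 only (strips one leading non-digit character).
peer_addrs() {
    awk 'NR > 2 { sub(/^[^0-9]/, "", $1); print $1 }'
}

# allowed_addrs < ipfw output: source addresses of inbound "allow udp ... 123" rules,
# i.e. the servers the firewall will let answer us.
allowed_addrs() {
    awk '$4 == "allow" && $5 == "udp" && $8 == "123" { print $7 }'
}

# uncovered PEERS RULES: peers with reach 0 whose address has no matching allow rule.
# Those are the servers ntpd resolved for itself but the deny rule is blocking.
uncovered() {
    allowed=$(printf '%s\n' "$2" | allowed_addrs | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v ok=" $allowed " '
        NR > 2 && $5 == 0 {
            sub(/^[^0-9]/, "", $1)
            if (index(ok, " " $1 " ") == 0) print $1
        }'
}

# Usage on the constructed samples; on a live box feed it the real command output.
uncovered "$SAMPLE_PEERS" "$SAMPLE_RULES"
```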
