Date:      Fri, 21 Mar 2014 17:14:31 -0700 (PDT)
From:      Don Lewis <truckman@FreeBSD.org>
To:        brett@lariat.org
Cc:        freebsd-security@FreeBSD.org, rfg@tristatelogic.com
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <201403220014.s2M0EVRZ094760@gw.catspoiler.org>
In-Reply-To: <201403202028.OAA01351@mail.lariat.net>

On 20 Mar, Brett Glass wrote:

> IMHO, you should diddle /etc/ntp.conf as I mentioned in my earlier message
> AND use stateful firewall rules (IPFW works fine for this) to ensure that
> you only accept incoming NTP packets which are answers to your own queries.
> And, as you state above, outbound queries should use randomized ephemeral
> source ports as with DNS. This involves a patch to the ntpd that's shipped
> with FreeBSD, because it is currently compiled to use source port 123.
> (Back in the days of FreeBSD 5.x and 6.x, it used ephemeral source ports,
> but not now.)

So far as I know, ntpd on FreeBSD has never used ephemeral source ports
for queries.  Neither does ntpdate, unless it is run as non-root or with
the -u option.   If you use symmetric mode (with the peer keyword
instead of server in ntp.conf) then the protocol requires port 123 on
both ends.

In addition to locking down the outside interface of my firewall box
with ipfw, I also lock down the inside interface.  I greatly restrict
the UDP packets between the firewall and inside network.  For NTP, I
constrain it to only using port 123 on the firewall and port 123 on the
inside hosts.   I've been using that configuration since the 4.x days
and both ntpd and ntpdate have functioned without issue.  I can't query
ntpd on the firewall from the inside network with ntpq, which uses a
high numbered port.  I actually have to log on to the firewall and run
ntpq there.
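The two filtering ideas in this exchange (a stateful outside rule that admits only answers to the firewall's own queries, and an inside rule that requires port 123 on both ends) as a small Python model. This is an added illustration, not code from the thread or from ipfw; the addresses are constructed, and the model also reproduces why ntpq from an inside host is blocked.

```python
# Added example (not from the mailing-list thread): a model of the NTP filter
# policy described above, showing which flows it admits and which it drops.
# Constructed addresses: firewall outside 203.0.113.1, inside 192.168.1.1,
# an inside host 192.168.1.10, and an upstream server 198.51.100.7.
from dataclasses import dataclass

FW_OUT, FW_IN = "203.0.113.1", "192.168.1.1"
INSIDE_NET = "192.168.1."
NTP = 123


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class NtpPolicy:
    """Stateful outside rule (answers to our own queries only) plus the
    port-123-to-port-123 restriction on the inside interface."""

    def __init__(self):
        # (local, lport, remote, rport) of queries still awaiting an answer,
        # standing in for ipfw's dynamic keep-state table
        self.state = set()

    def outside(self, p: Pkt, outbound: bool) -> bool:
        if outbound and p.src == FW_OUT and p.dport == NTP:
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        if not outbound and p.dst == FW_OUT:
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.state:
                self.state.discard(key)  # one answer per outstanding query
                return True
        return False  # unsolicited inbound NTP is dropped

    @staticmethod
    def inside(p: Pkt) -> bool:
        # Only firewall <-> inside-network traffic, and only 123 <-> 123
        if FW_IN not in (p.src, p.dst):
            return False
        host = p.dst if p.src == FW_IN else p.src
        if not host.startswith(INSIDE_NET):
            return False
        return p.sport == NTP and p.dport == NTP
```

Under this model an ntpq run from an inside host fails because its source port is not 123, matching the behaviour reported above, while ntpd-to-ntpd traffic (123 to 123) passes.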
