From: Al Plant
Reply-To: noc@hdk5.net
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Thu, 20 Feb 2014 12:46:56 -1000
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <530685E0.601@hdk5.net>
In-Reply-To: <5303FCBE.3060106@FreeBSD.org>
References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org>

Matthew Seaman wrote:
> On 18/02/2014 22:53, Ronald F. Guilmette wrote:
>> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
>> bloody &^%$#@ NTP reply packets from leaving my server, but what is
>> that Right Way to solve this problem? I'm guessing that there's
>> something I need to add to my /etc/ntp.conf file in order to tell
>> my local ntpd to simply not accept incoming _query_ packets unless
>> they are coming from my own LAN, yes? But obviously, I still need it
>> to accept incoming ntp _reply_ packets or else my machine will never
>> know the correct time.
>>
>> Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
>> someplace, but I am very much on edge right at the moment... because
>> I was basically being DDoS'd by all of this stupid NTP traffic... and
>> thus I'm seeking a quick answer.
>
> Yep. This is the latest scumbag trick: sending spoofed packets to ntpd
> and using it as an amplifier to do a DDoS against some victim.
>
> What you need to do is described here:
>
> http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc
>
> but in summary your actions should be one or more of:
>
> * upgrade to a version of ntpd that does not respond to 'monlist'
> queries. Any -RELEASE or -STABLE version post the publication of
> that advisory should do the trick, or you can use ntpd-devel from
> ports.
>
> * Firewall off your ntpd instances from accessibility from the
> internet.
>
> * Modify your /etc/ntp.conf to disallow most foreign connectivity to
> your ntpd instances.
>
> The config changes required for that last are something along the
> following lines, to be added to /etc/ntp.conf:
>
> restrict -4 default nomodify nopeer noquery notrap
> restrict -6 default nomodify nopeer noquery notrap
> restrict 127.0.0.1
> restrict -6 ::1
> restrict 127.127.1.0
>
> If you can swing it,
>
> restrict -4 default ignore
> restrict -6 default ignore
>
> would be even better, but you will also need to add lines permitting
> appropriate traffic to and from timeservers on the network by the
> servers' IP number. This does mean you can't use the ntp.org time
> server pools without significant faffing around, as the ntp.org
> timeservers are pooled and you tend to get a different IP
>
> Cheers,
>
> Matthew
>
##################

Thanks to Matthew, Poly and all who posted the fixes for the NTP attack issue.

I had one old mail server that seemed to attract the attack and the fix worked.

I switched from the pool 1. 2. 3. ntp servers to a military one, and a local University of Hawaii one. I have used them for a while already on several of my desktops as a check at boot time. Both are clean.

Again Thanks,

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 7.2 - 8.0 - 9* +
< email: noc@hdk5.net >
"All that's really worth doing is what we do for others." - Lewis Carroll
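A small configuration check for the `restrict` lines Matthew describes, added here as an illustration; it is not code from the thread or from the ntpd project. It parses an ntp.conf, merges the flags of repeated `restrict ... default` entries per address family (ntpd ORs flags for repeated entries for the same address, which is assumed here), and reports whether both IPv4 and IPv6 defaults either `ignore` everything or carry the full `nomodify nopeer noquery notrap` set. The two sample configs are constructed for the example.

```python
"""Check an ntp.conf for the 'restrict default' hardening discussed in the thread."""

# Flags that together stop remote clients from querying (monlist etc.) or
# modifying the daemon while still letting it act as a client of its servers.
REQUIRED_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}

def parse_restrict_lines(conf_text):
    """Return (family, target, flags) for every 'restrict' line.
    family is '-4', '-6' or None; target is 'default' or an address."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = tokens.pop(0) if tokens and tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        target = tokens.pop(0)
        flags, i = set(), 0
        while i < len(tokens):
            if tokens[i] == "mask" and i + 1 < len(tokens):
                i += 2                                # skip 'mask a.b.c.d' qualifier
                continue
            flags.add(tokens[i])
            i += 1
        entries.append((family, target, flags))
    return entries

def effective_default_flags(conf_text):
    """Merge the flags of all 'restrict [-4|-6] default' lines per family.
    A bare 'restrict default' applies to both IPv4 and IPv6."""
    merged = {"-4": set(), "-6": set()}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target != "default":
            continue
        for fam in ([family] if family else ["-4", "-6"]):
            merged[fam] |= flags
    return merged

def default_is_hardened(conf_text):
    """True only when both address families refuse remote queries by default."""
    return all("ignore" in f or REQUIRED_FLAGS <= f
               for f in effective_default_flags(conf_text).values())

# Constructed samples: the thread's hardened snippet and a permissive one.
HARDENED_CONF = """restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""
OPEN_CONF = "restrict default nomodify   # still answers monlist queries\n"
```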