Date: Thu, 20 Mar 2014 14:37:54 -0700
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <45647.1395351474@server1.tristatelogic.com>
In-Reply-To: <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>
In message <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>, Charles Swiger <cswiger@mac.com> wrote:

>If you don't want to provide NTP service to the outside world, leave your existing
>deny rule in place but add permit rules to allow UDP traffic to and from the
>NTP servers which you want to sync time from.

I just now tried doing that, but what I tried doesn't seem to be working at all as expected. My effort has however revealed more of my ignorance about ntpd and ntpdc.

Starting from these lines in my /etc/ntp.conf file:

server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

I resolved each of those three host names to _all_ of its associated IPv4 addresses. This yielded me the following list:

50.116.38.157
69.50.219.51
69.55.54.17
69.167.160.102
108.61.73.244
129.250.35.251
149.20.68.17
169.229.70.183
192.241.167.38
199.7.177.206
209.114.111.1
209.118.204.201

So I added the following new ipfw rules, just above the deny rule that I currently have protecting my UDP port 123:

add pass udp from 50.116.38.157 123 to any in
add pass udp from 69.50.219.51 123 to any in
add pass udp from 69.55.54.17 123 to any in
add pass udp from 69.167.160.102 123 to any in
add pass udp from 108.61.73.244 123 to any in
add pass udp from 129.250.35.251 123 to any in
add pass udp from 149.20.68.17 123 to any in
add pass udp from 169.229.70.183 123 to any in
add pass udp from 192.241.167.38 123 to any in
add pass udp from 199.7.177.206 123 to any in
add pass udp from 209.114.111.1 123 to any in
add pass udp from 209.118.204.201 123 to any in

I then cd'd into /etc/rc.conf and executed the following (as root):

./ntpd stop
./ntpd start

Then, after a short while, I ran ntpdc again and executed the "peers" query again. Now I get this:

     remote           local      st poll reach  delay   offset    disp
=======================================================================
=cheezum.mattnor 69.62.255.118   16   64    0 0.00000  0.000000 3.99217
*server2.shellva 69.62.255.118    2   64  377 0.09827  0.021492 0.05600
=li506-17.member 69.62.255.118   16   64    0 0.00000  0.000000 3.99217

Obviously, this is better than before... I am now syncing with at least one server (specifically 69.55.54.17 server2.shellvatore.us), *however* I have checked the reverse DNS names associated with all 12 of the above listed IPv4 addresses and none of those reverse DNS names begin with either "cheezum.mattnor..." or "li506-17.member...".

So um, color me perplexed! It appears that ntpdc is telling me that my local ntpd daemon is attempting to query a couple of remote time servers that I never asked it to consult! What's up with that?

Furthermore, and consistent with what ntpdc is telling me, only one of my new firewall rules is even succeeding at letting any useful NTP packets through, specifically ones being sent to me from server2.shellvatore.us:

01605    0     0 allow udp from 50.116.38.157 123 to any in
01610    0     0 allow udp from 69.50.219.51 123 to any in
01615   20  1520 allow udp from 69.55.54.17 123 to any in
01620    0     0 allow udp from 69.167.160.102 123 to any in
01625    0     0 allow udp from 108.61.73.244 123 to any in
01630    0     0 allow udp from 129.250.35.251 123 to any in
01635    0     0 allow udp from 149.20.68.17 123 to any in
01640    0     0 allow udp from 169.229.70.183 123 to any in
01645    0     0 allow udp from 192.241.167.38 123 to any in
01650    0     0 allow udp from 199.7.177.206 123 to any in
01655    0     0 allow udp from 209.114.111.1 123 to any in
01660    0     0 allow udp from 209.118.204.201 123 to any in

So, um, what the bleep goes on here? Why is my ntpd only querying one of the 12 possible IPv4 addresses it should be querying? And why is it sending queries to two servers that, as far as I can tell, I never told it to send queries to, specifically:

67.18.187.111  cheezum.mattnordhoff.net
66.175.209.17  li506-17.members.linode.com

Is there some secret extra .conf file for ntpd that I don't know about?

For reference, my own complete & current /etc/ntp.conf file is attached below:

cut here =============================================================================
#
# $FreeBSD: release/9.1.0/etc/ntp.conf 239608 2012-08-23 04:57:56Z delphij $
#
# Default NTP servers for the FreeBSD operating system.
#
# Don't forget to enable ntpd in /etc/rc.conf with:
#	ntpd_enable="YES"
#
# The driftfile is by default /var/db/ntpd.drift, check
# /etc/defaults/rc.conf on how to change the location.
#
#
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronisation.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
#server 3.freebsd.pool.ntp.org iburst
#
# If you want to pick yourself which country's public NTP server
# you want sync against, comment out the above servers, uncomment
# the next ones and replace CC with the country's abbreviation.
# Make sure that the hostnames resolve to a proper IP address!
#
# server 0.CC.pool.ntp.org iburst
# server 1.CC.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst
#
# Security: Only accept NTP traffic from the following hosts.
# The following configuration example only accepts traffic from the
# above defined servers.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
# (This is the reason that by default they are commented out)
#
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
#
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
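The message above builds the ipfw allow list by hand, one rule per resolved pool address, and then reads the ipfw packet counters to see which upstream is actually answering. The POSIX sh functions below are an added example (not code from this thread or from FreeBSD) that automate both steps: gen_rules turns a list of upstream addresses into allow rules for replies from source port 123 followed by the deny that closes UDP/123 to everyone else, and active_upstreams reads "ipfw -a list" output and prints only the addresses whose rule has a non-zero counter. The function names, the rule numbers, the use of getent(1) for resolution, and the sample counter lines are all assumptions constructed for the example; the resolver is not exercised in the offline run at the bottom.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds ipfw rules that admit NTP
# replies only from the addresses the configured upstream names resolve to,
# then reports which of those rules have actually matched traffic.
# Function names, rule numbers and the use of getent(1) are assumptions.

NTP_ALLOW_BASE=1600   # first rule number; keep it above the existing deny rule
NTP_ALLOW_STEP=5

# resolve_all NAME: print every IPv4 address NAME currently resolves to.
# getent(1) exists on FreeBSD and glibc systems; it needs DNS, so it is
# not exercised in the offline sample run below.
resolve_all() {
    getent hosts "$1" |
        awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' |
        sort -u
}

# gen_rules: read IPv4 addresses from stdin (one per line, # comments and
# blank lines ignored) and emit ipfw commands: one allow per upstream
# address (replies arrive from source port 123) followed by a deny that
# closes UDP/123 to everyone else. Review the output before feeding it to ipfw(8).
gen_rules() {
    awk -v base="$NTP_ALLOW_BASE" -v step="$NTP_ALLOW_STEP" '
        NF && $1 !~ /^#/ {
            printf "add %d allow udp from %s 123 to any in\n", base + n * step, $1
            n++
        }
        END {
            printf "add %d deny udp from any to any 123 in\n", base + n * step
        }'
}

# active_upstreams: read "ipfw -a list" output from stdin and print the
# source address of every UDP/123 allow rule whose packet counter ($2) is
# non-zero, i.e. the upstream servers ntpd is really exchanging packets with.
# Field layout: number pkts bytes action proto from SRC SPORT to DST [in]
active_upstreams() {
    awk '$4 == "allow" && $5 == "udp" && $8 == "123" && $2 > 0 { print $7 }'
}

# Constructed sample of "ipfw -a list" counter lines (addresses taken from
# the message above; the counters are made up for the example).
SAMPLE_COUNTERS='01605 0 0 allow udp from 50.116.38.157 123 to any in
01610 0 0 allow udp from 69.50.219.51 123 to any in
01615 20 1520 allow udp from 69.55.54.17 123 to any in
01665 40 3040 deny udp from any to any 123 in'

# Offline demonstration. In production replace the first printf with, e.g.:
#   for n in 0.freebsd.pool.ntp.org 1.freebsd.pool.ntp.org; do resolve_all "$n"; done | gen_rules
printf '%s\n' 50.116.38.157 69.50.219.51 69.55.54.17 | gen_rules
printf '%s\n' "$SAMPLE_COUNTERS" | active_upstreams
```

Because pool.ntp.org names rotate their A records, an allow list generated from one resolution goes stale as soon as ntpd (or the next restart) resolves the names again; the counter check is what shows which addresses are actually in use, and either re-running the generator or pinning specific servers instead of pool names keeps the allow list and the daemon in agreement.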