NTP configuration hardening



NTP configuration hardening

Post by njmorto » Thu Mar 23, 2023 9:57 am

I'm using NTP in a "client" mode, just getting the clock updates from our NTP server and would like to harden my setup.

Right now NTP will respond to query requests and things of that nature, I'd like to configure the system to not respond to those requests at all.

I've been looking at the TCP/IP manual for NTP and thought maybe the access control settings would be appropriate, but was unsure of how to actually implement them.

I've also looked at using "SET SERVICE" as part of the TCPIP configuration and specifying "accept" addresses.

I'm hoping someone can steer me in the right direction.

Thanks in advance



Re: NTP configuration hardening

Post by shael_richmond » Thu Mar 23, 2023 11:05 am

The one thing I added in the tcpip$ntp.conf file was

restrict default nomodify nopeer noquery notrap

That eliminated vulnerabilities from our scanner.



Shael Richmond
International Paper



Re: NTP configuration hardening

Post by sms » Thu Mar 23, 2023 11:37 am


> I'm using NTP in a "client" mode, [...]

   Same here, but I haven't thought about blocking access to the server
because there's a NAT router between my LAN and the outside world, and
NTP (123) is not one of the ports being forwarded by that router, so the
only access to the NTP server is from my LAN.  (Which hasn't worried
me.)

   If I _did_ have an exposed server, and I wanted no access to it, then
I'd look into disabling the server.  Do you need to have the server
enabled for the client to work?  I haven't thought about it (or run the
experiment), so I know nothing.  For a service like, say, FTP, the
client and server are separate, but NTP seems to have one client+server
program, so this method might not apply.

   If I needed to run the server, then I'd look at "TCPIP SET SERVICE
NTP /ACCEPT = NETWORKS = my_lan_base:my_lan_subnet_mask".  (Or, if I
didn't trust my own systems, some small, nonexistent subnet.)

> [...] unsure of how to actually implement them.

   Just run the command(s)?  The effects are persistent.  I'd recommend
creating a short DCL script containing commands and comments, in case
you ever want to do it again.  You might also need to stop the service
to make the changes, and restart it again after.  For example
(untested):

$!    Change NTP service configuration.
$!
$! Stop the service.
$!
$ @ sys$manager:TCPIP$NTP_SHUTDOWN.COM
$!
$! Make the configuration changes.
$!
$ TCPIP
!
! Clear the networks accept list.
!
set service NTP /accept = nonetworks = *
!
! Add accepted networks.
!
set service NTP /accept = networks = 192.168.0.0:255.255.255.0

! [... and so on ...]

exit
$!
$! Restart the service.
$!
$ @ sys$manager:tcpip$ntp_startup.com

   What could go wrong?
   

> The one thing I added in the tcpip$ntp.conf file [...]

   That might be a better method.  "the tcpip$ntp.conf file" is:
SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.CONF
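An added audit script for the restrict line shael_richmond posted (this is an example written for this thread, not code from either poster or from the TCP/IP Services documentation; the sample configurations and function names are constructed): it parses the restrict lines of a tcpip$ntp.conf body and reports any of nomodify/nopeer/noquery/notrap missing from the default policy, so the file can be checked before a scanner does.

```python
# Flags the thread's "restrict default" line carries; missing any of them
# leaves that capability open to addresses no other restrict line covers.
REQUIRED_DEFAULT_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}

def parse_restrict_lines(conf_text):
    """Return [(target, flags)] for each 'restrict' line of an ntp.conf body."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()          # drop comments
        if len(tokens) < 2 or tokens[0].lower() != "restrict":
            continue
        i = 1
        if tokens[i] in ("-4", "-6") and len(tokens) > 2:  # optional address family
            i += 1
        target, flags, i = tokens[i], set(), i + 1
        while i < len(tokens):
            tok = tokens[i].lower()
            if tok == "mask" and i + 1 < len(tokens):  # 'restrict A mask M' form
                target, i = f"{target}/{tokens[i + 1]}", i + 2
                continue
            flags.add(tok)
            i += 1
        entries.append((target, flags))
    return entries

def audit_restrict(conf_text):
    """Return findings; an empty list means the default policy has all the flags."""
    defaults = [f for t, f in parse_restrict_lines(conf_text) if t.lower() == "default"]
    findings = []
    if not defaults:
        findings.append("no 'restrict default' line: any address may query and modify ntpd")
    for flags in defaults:
        missing = sorted(REQUIRED_DEFAULT_FLAGS - flags)
        if missing:
            findings.append("restrict default lacks: " + ", ".join(missing))
    return findings

# Constructed sample configurations, not taken from anyone's system.
WEAK_CONF = "server 192.0.2.10\nrestrict default nomodify\n"
HARDENED_CONF = """\
server 192.0.2.10
restrict default nomodify nopeer noquery notrap
restrict 127.0.0.1            # keep local ntpq queries working
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_restrict(conf) or ["ok"])
```

The loopback exception is kept so that ntpq run on the machine itself still works while every other address gets the restricted default.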
