NTP configuration hardening

Posted: Thu Mar 23, 2023 9:57 am
by njmorto
I'm using NTP in a "client" mode, just getting the clock updates from our NTP server and would like to harden my setup.

Right now NTP will respond to query requests and things of that nature, I'd like to configure the system to not respond to those requests at all.

I've been looking at the TCP/IP manual for NTP and thought maybe the access control settings would be appropriate, but was unsure of how to actually implement them.

I've also looked at using "SET SERVICE" as part of the TCPIP configuration and specifying "accept" addresses.

I'm hoping someone can steer me in the right direction.

Thanks in advance

Re: NTP configuration hardening

Posted: Thu Mar 23, 2023 11:05 am
by shael_richmond
The one thing I added in the tcpip$ntp.conf file was

restrict default nomodify nopeer noquery notrap

That eliminated vulnerabilities from our scanner.

Shael Richmond
International Paper

Re: NTP configuration hardening

Posted: Thu Mar 23, 2023 11:37 am
by sms
> I'm using NTP in a "client" mode, [...]

   Same here, but I haven't thought about blocking access to the server
because there's a NAT router between my LAN and the outside world, and
NTP (123) is not one of the ports being forwarded by that router, so the
only access to the NTP server is from my LAN.  (Which hasn't worried
me.)

   If I _did_ have an exposed server, and I wanted no access to it, then
I'd look into disabling the server.  Do you need to have the server
enabled for the client to work?  I haven't thought about it (or run the
experiment), so I know nothing.  For a service like, say, FTP, the
client and server are separate, but NTP seems to have one client+server
program, so this method might not apply.

   If I needed to run the server, then I'd look at "TCPIP SET SERVICE
NTP /ACCEPT = NETWORKS = my_lan_base:my_lan_subnet_mask".  (Or, if I
didn't trust my own systems, some small, nonexistent subnet.)

> [...] unsure of how to actually implement them.

   Just run the command(s)?  The effects are persistent.  I'd recommend
creating a short DCL script containing commands and comments, in case
you ever want to do it again.  You might also need to stop the service
to make the changes, and restart it again after.  For example
(untested):

$!    Change NTP service configuration.
$!
$! Stop the service.
$!
$ @ sys$manager:TCPIP$NTP_SHUTDOWN.COM
$!
$! Make the configuration changes.
$!
$ TCPIP
!
! Clear the networks accept list.
!
set service NTP /accept = nonetworks = *
!
! Add accepted networks.
!
set service NTP /accept = networks = 192.168.0.0:255.255.255.0

! [... and so on ...]

exit
$!
$! Restart the service.
$!
$ @ sys$manager:tcpip$ntp_startup.com

   What could go wrong?

> The one thing I added in the tcpip$ntp.conf file [...]

   That might be a better method.  "the tcpip$ntp.conf file" is:
SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.CONF
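An added audit script (not from the thread) for the `restrict default nomodify nopeer noquery notrap` approach above: it parses an ntp.conf such as SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.CONF, reports which of those four flags the default restriction is missing, and warns when an over-strict `ignore` default would also drop replies from the configured servers. The sample configurations are constructed for illustration.

```python
# Added example: audit the 'restrict' policy of an ntp.conf against the
# hardened baseline 'restrict default nomodify nopeer noquery notrap'.
# Sample configurations below are constructed, not taken from any real host.

REQUIRED_DEFAULT_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}

def parse_ntp_conf(conf_text):
    """Return (servers, restricts): server addresses and {target: set_of_flags}."""
    servers, restricts = [], {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword in ("server", "peer") and len(parts) > 1:
            servers.append(parts[1])
        elif keyword == "restrict" and len(parts) > 1:
            target, flags, i = parts[1], set(), 2
            while i < len(parts):
                if parts[i].lower() == "mask" and i + 1 < len(parts):
                    target += "/" + parts[i + 1]  # keep 'restrict net mask m' as one key
                    i += 2
                else:
                    flags.add(parts[i].lower())
                    i += 1
            restricts[target] = flags
    return servers, restricts

def audit(conf_text):
    """Return a list of findings; an empty list means the policy matches the baseline."""
    servers, restricts = parse_ntp_conf(conf_text)
    default = restricts.get("default")
    if default is None:
        return ["no 'restrict default' line: any host may query, modify and peer with this ntpd"]
    findings = []
    missing = REQUIRED_DEFAULT_FLAGS - default
    if missing:
        findings.append("restrict default lacks: " + " ".join(sorted(missing)))
    if "ignore" in default:
        # 'ignore' drops every packet, including answers from our own time sources,
        # unless each source has its own 'restrict' line that lifts the block.
        unreachable = [s for s in servers if s not in restricts]
        if unreachable:
            findings.append("restrict default ignore also drops replies from: " + ", ".join(unreachable))
    return findings

# Constructed samples: a client config with no restrictions, and the hardened version.
WEAK_CONF = "server 192.0.2.10\ndriftfile SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTP.DRIFT\n"
HARDENED_CONF = WEAK_CONF + "restrict default nomodify nopeer noquery notrap\n"
```

Run `audit()` on the live file's contents; time sync to the configured server continues to work with the four flags because they block queries, runtime changes, peering and traps, not the client's own exchange with its server.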