I would like to add a note regarding this. Many "vulnerable" versions of NTPD ship with a config that does allow the MONLIST command, but ONLY from the local server (localhost or 127.0.0.1), which is not problematic. The proper way to test if you are vulnerable to abuse from external sources is to use:
ntpdc -c monlist <IP ADDRESS OF YOUR NTP SERVER>
Otherwise, Brian's suggestions are correct: either upgrading to a newer version or implementing the noquery config option will mitigate this risk.
Please also note that many routers, including devices from Cisco or Juniper, can also ship with the monlist command enabled, so it is good to check those devices as well.
Nigel K7NVH
On Mar 17, 2014, at 10:22 AM, Brian Kantor Brian@UCSD.Edu wrote:
Folks, if you're running NTPD (Network Time Protocol daemon) on your AMPRNet hosts or routers, please be sure that the MONLIST command is disabled. If it is not, your device can be used to attack other systems on the Internet.
You can test whether your NTP is thus misconfigured with the command
/usr/sbin/ntpdc -n -c monlist
If MONLIST is enabled, you will see a response including any IP addresses that have made use of your NTP services.
Recommended Action:
NTPD versions prior to 4.2.7 are vulnerable by default; the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to 4.2.7 or greater. In cases where upgrading is not possible, disabling the monitor functionality can be accomplished via the instructions below.
Add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The links below describe the activity in more detail as well as possible solutions.
US CERT Notification: https://www.us-cert.gov/ncas/alerts/TA14-013A
CERT.ORG Message: http://www.kb.cert.org/vuls/id/348126
Thank you
- Brian
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
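A config audit for the noquery fix described in the thread above, added here as an example and not part of either message: it flags "restrict default" and "restrict -6 default" lines in an ntp.conf that lack noquery (or ignore), while leaving host-specific lines such as 127.0.0.1 alone, in line with Nigel's note that local-only monlist access is not the problem. The two ntp.conf samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added config-audit example for the thread above; not part of either message.
# Flags "restrict default" / "restrict -6 default" lines in an ntp.conf that
# lack noquery (or ignore), i.e. the lines that let any remote host ask for
# monlist. Lines for specific hosts such as 127.0.0.1 are left alone.

audit_ntp_conf() {  # $1: path to an ntp.conf; rc 0 = default access restricted
    # Strip comments first so a "noquery" mentioned in a comment does not count.
    sed 's/#.*//' "$1" | awk '
        $1 == "restrict" && ($2 == "default" || ($2 == "-6" && $3 == "default")) {
            ok = 0
            for (i = 2; i <= NF; i++) if ($i == "noquery" || $i == "ignore") ok = 1
            if (!ok) { print "monlist reachable by default: " $0; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

ntp_conf_status() {  # wraps audit_ntp_conf into a single word for scripting
    if audit_ntp_conf "$1" >/dev/null; then echo restricted; else echo exposed; fi
}

# Constructed sample configs (not from any real host) to exercise the audit.
WEAK_CONF=$(mktemp) ; FIXED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer      # no noquery: anyone may query
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1                               # local queries only, harmless
server 0.pool.ntp.org
EOF
cat > "$FIXED_CONF" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org
EOF

echo "weak config:  $(ntp_conf_status "$WEAK_CONF")"
audit_ntp_conf "$WEAK_CONF" || true   # lists the two offending default lines
echo "fixed config: $(ntp_conf_status "$FIXED_CONF")"
rm -f "$WEAK_CONF" "$FIXED_CONF"
```

Point audit_ntp_conf at /etc/ntp.conf on a host to check it; a clean result still leaves the external ntpdc monlist test from the thread as the final confirmation.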