17 Mar
2014
17 Mar
'14
1:22 p.m.
Folks, if you're running NTPD (Network Time Protocol daemon) on your
AMPRNet hosts or routers, please be sure that the MONLIST command is
disabled. If it is not, your device can be used to attack other
systems on the Internet.
You can test whether your NTP is thus misconfigured with the command
/usr/sbin/ntpdc -n -c monlist
If MONLIST is enabled, you will see a response including any IP addresses
that have made use of your NTP services.
Recommended Action:
NTPD versions prior to 4.2.7 are vulnerable by default; the simplest
recommended course of action is to upgrade all versions of ntpd that are
publically accessible to 4.2.7 or greater. In cases where upgrading is
not possible, disabling the monitor functionality can be accomplished
via the instructions below.
Add the “noquery” directive to the “restrict default” line in
the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The links below describe the activity in more detail as well as possible
solutions.
US CERT Notifiacation:
https://www.us-cert.gov/ncas/alerts/TA14-013A
CERT.ORG Message:
http://www.kb.cert.org/vuls/id/348126
Thank you
- Brian
17 Mar
17 Mar
1:38 p.m.
I would like to add a note regarding this. Many "vulnerable" versions of NTPD
ship with a config that does allow the MONLIST command, but ONLY from the local server
(localhost or 127.0.0.1), which is not problematic. The proper way to test if you are
vulnerable to abuse from external sources is to use:
ntpdc -c monlist <IP ADDRESS OF YOUR NTP SERVER>
Otherwise, Brian's suggestions are correct, either upgrading to a newer version, or
implementing the noquery config option will mitigate this risk.
Please also note that many routers, including devices from Cisco or Juniper also allow can
ship with the monlist command enabled, so it is good to check those devices as well.
Nigel
K7NVH
On Mar 17, 2014, at 10:22 AM, Brian Kantor <Brian(a)UCSD.Edu> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Folks, if you're running NTPD (Network Time Protocol daemon) on your
AMPRNet hosts or routers, please be sure that the MONLIST command is
disabled. If it is not, your device can be used to attack other
systems on the Internet.
You can test whether your NTP is thus misconfigured with the command
/usr/sbin/ntpdc -n -c monlist
If MONLIST is enabled, you will see a response including any IP addresses
that have made use of your NTP services.
Recommended Action:
NTPD versions prior to 4.2.7 are vulnerable by default; the simplest
recommended course of action is to upgrade all versions of ntpd that are
publically accessible to 4.2.7 or greater. In cases where upgrading is
not possible, disabling the monitor functionality can be accomplished
via the instructions below.
Add the “noquery” directive to the “restrict default” line in
the system’s ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The links below describe the activity in more detail as well as possible
solutions.
US CERT Notifiacation:
https://www.us-cert.gov/ncas/alerts/TA14-013A
CERT.ORG Message:
http://www.kb.cert.org/vuls/id/348126
Thank you
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:15 p.m.
You can goto http://openntpproject.org and check to see if your net
has any open NTP servers.
It also has links to information on securing devices.
-Neil
On Mon, Mar 17, 2014 at 12:38 PM, Nigel Vander Houwen <nigel(a)k7nvh.com> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
I would like to add a note regarding this. Many "vulnerable" versions of NTPD
ship with a config that does allow the MONLIST command, but ONLY from the local server
(localhost or 127.0.0.1), which is not problematic. The proper way to test if you are
vulnerable to abuse from external sources is to use:
ntpdc -c monlist <IP ADDRESS OF YOUR NTP SERVER>
Otherwise, Brian's suggestions are correct, either upgrading to a newer version, or
implementing the noquery config option will mitigate this risk.
Please also note that many routers, including devices from Cisco or Juniper also allow
can ship with the monlist command enabled, so it is good to check those devices as well.
Nigel
K7NVH
On Mar 17, 2014, at 10:22 AM, Brian Kantor <Brian(a)UCSD.Edu> wrote:
--
Neil Johnson
http://erudicon.com
(Please trim inclusions from previous messages)
_______________________________________________
Folks, if you're running NTPD (Network Time Protocol daemon) on your
AMPRNet hosts or routers, please be sure that the MONLIST command is
disabled. If it is not, your device can be used to attack other
systems on the Internet.
You can test whether your NTP is thus misconfigured with the command
/usr/sbin/ntpdc -n -c monlist
If MONLIST is enabled, you will see a response including any IP addresses
that have made use of your NTP services.
Recommended Action:
NTPD versions prior to 4.2.7 are vulnerable by default; the simplest
recommended course of action is to upgrade all versions of ntpd that are
publically accessible to 4.2.7 or greater. In cases where upgrading is
not possible, disabling the monitor functionality can be accomplished
via the instructions below.
Add the "noquery" directive to the "restrict default" line in
the system's ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The links below describe the activity in more detail as well as possible
solutions.
US CERT Notifiacation:
https://www.us-cert.gov/ncas/alerts/TA14-013A
CERT.ORG Message:
http://www.kb.cert.org/vuls/id/348126
Thank you
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3902
days inactive
3902
days old
2 comments
3 participants
participants (3)
-
Brian Kantor -
Neil Johnson -
Nigel Vander Houwen