On 27 Feb 2002 10:43:19 +1300 Russell Fulton <R.FULTONat_private> wrote:

> Just picked up a SYN scan for NTP. There were problems with xntp a
> while back, I wonder if there is now an exploit out there...

That seems unlikely since NTP runs on UDP.

While I'm here, someone may find these templates to secure NTP on *nix
systems and ciscos useful.

/etc/ntp.conf file to look as follows:

---8< cut here >8---
# default file location - /etc/ntp.conf
#
# Don't serve time/stats, don't allow others to talk to you
restrict default notrust nomodify noquery notrap nopeer ignore

# primary time server
server <host.domain> prefer

# add secondaries if necessary
# server <host.domain>

# If you have a well known netblock from which you'll get time
# put that block here, you could also specify individual hosts
restrict a.b.c.0 mask 255.255.255.0 nomodify noquery notrap nopeer

# Default time drift file
driftfile /etc/ntp.drift

# Log time changes/events in case analysis is needed later
logconfig =syncevents +peerevents +sysevents +allclock
---8< cut here >8---

in global config on ciscos:

! default deny everything
access-list 1 deny any
! permit only ntp server to talk ntp with cisco
! a.b.c.d is your ntp server or use a netblock if necessary
access-list 2 permit a.b.c.d
access-list 2 deny any
ntp access-group query-only 1
ntp access-group peer 2
ntp access-group serve 1
ntp access-group serve-only 1
ntp server a.b.c.d

John

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
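An added audit script for the /etc/ntp.conf template in the message above (example code written for this archive page, not from the original poster or from the NTP project): it parses each restrict line, reports any line that lacks the nomodify/noquery/notrap/nopeer set, flags a missing restrict default, and also reports the one gap in the template as posted, namely that default 'ignore' with no restrict 127.0.0.1 line refuses local ntpq queries as well. The sample config is constructed and contains one deliberately weak restrict line.

```python
REQUIRED_FLAGS = {"nomodify", "noquery", "notrap", "nopeer"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: the template from the message plus one weak netblock line.
SAMPLE_NTP_CONF = """\
# Don't serve time/stats, don't allow others to talk to you
restrict default notrust nomodify noquery notrap nopeer ignore
server ntp1.example.net prefer
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery notrap nopeer
restrict 198.51.100.0 mask 255.255.255.0 nomodify
driftfile /etc/ntp.drift
"""


def parse_restrict(line):
    """Return (target, mask_or_None, set_of_flags) for a 'restrict' line, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "restrict":
        return None
    target, rest = parts[1], parts[2:]
    mask = None
    if rest[:1] == ["mask"] and len(rest) >= 2:
        mask, rest = rest[1], rest[2:]
    return target, mask, set(rest)


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means every restrict line is locked down."""
    findings = []
    default_flags = None
    saw_loopback = False
    for raw in text.splitlines():
        parsed = parse_restrict(raw.split("#", 1)[0].strip())  # drop comments
        if parsed is None:
            continue
        target, mask, flags = parsed
        missing = REQUIRED_FLAGS - flags
        if target == "default":
            default_flags = flags
        if target in LOOPBACK:
            saw_loopback = True
        if missing:
            scope = f"{target}/{mask}" if mask else target
            findings.append(f"restrict {scope} lacks: {' '.join(sorted(missing))}")
    if default_flags is None:
        findings.append("no 'restrict default' line: every client gets full access")
    elif "ignore" in default_flags and not saw_loopback:
        findings.append("restrict default 'ignore' with no restrict 127.0.0.1 line: "
                        "local ntpq queries are refused too")
    return findings
```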
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 09:13:52 PST