[169146] in North American Network Operators' Group


RE: OpenNTPProject.org

daemon@ATHENA.MIT.EDU (Kate Gerry)
Sun Feb 16 22:05:44 2014

From: Kate Gerry <kate@quadranet.com>
To: Brian Rak <brak@gameservers.com>, Pete Ashdown <pashdown@xmission.com>,
 NANOG list <nanog@nanog.org>
Date: Sun, 16 Feb 2014 19:03:59 -0800
In-Reply-To: <5301760E.20009@gameservers.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Just add these to your ntp.conf configuration then restart the service: (Works with all default installations that I've found)

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

--
Kate Gerry
Network Manager
kate@quadranet.com

1-888-5-QUADRA Ext 206 | www.QuadraNet.com
Dedicated Servers, Colocation, Cloud Services and more.
Datacenters in Los Angeles, Dallas and Miami.
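
An added check (not from this thread or from any of its posters) that audits an ntp.conf for the two `restrict default` lines recommended above; the sample configurations and the `203.0.113.x`-free helper names are constructed here, and `disable monitor` is treated only as a note because it turns off monlist without denying other ntpq/ntpdc queries.

```python
# Added example, not from the thread: audit an ntp.conf for the "restrict
# default" lines recommended above. Sample configs are constructed here.
RECOMMENDED = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_restrict_defaults(text):
    """Return ([(family, flags)] for each 'restrict [-4|-6] default' line,
    True if 'disable monitor' is present)."""
    defaults, disable_monitor = [], False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments / blanks
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            disable_monitor = True
        if words[0] != "restrict":
            continue
        args, family = words[1:], "ipv4+ipv6"
        if args and args[0] in ("-4", "-6"):
            family = {"-4": "ipv4", "-6": "ipv6"}[args.pop(0)]
        if args and args[0] == "default":
            defaults.append((family, set(args[1:])))
    return defaults, disable_monitor

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means nothing to fix."""
    defaults, disable_monitor = parse_restrict_defaults(text)
    if not defaults:
        return ["no 'restrict default' line: every host gets full access"]
    findings = []
    for family, flags in defaults:
        if "ignore" in flags:            # 'ignore' drops all packets: covered
            continue
        if "noquery" not in flags:       # noquery denies ntpq/ntpdc (mode 6/7)
            findings.append(
                f"{family}: noquery missing, mode 6/7 queries answered"
                + (" (monlist itself off via 'disable monitor')"
                   if disable_monitor else " (monlist reachable)"))
        missing = RECOMMENDED - flags - {"noquery"}
        if missing:
            findings.append(f"{family}: default restrict lacks {sorted(missing)}")
    return findings

# Constructed sample configs: a stock-looking file without any default
# restriction, and the same file with the two lines from the post added.
WEAK_CONF = "driftfile /var/lib/ntp/ntp.drift\nserver 0.pool.ntp.org\nrestrict 127.0.0.1\n"
FIXED_CONF = WEAK_CONF + ("restrict default kod nomodify notrap nopeer noquery\n"
                          "restrict -6 default kod nomodify notrap nopeer noquery\n")
```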


-----Original Message-----
From: Brian Rak [mailto:brak@gameservers.com]
Sent: Sunday, February 16, 2014 6:38 PM
To: Pete Ashdown; NANOG list
Subject: Re: OpenNTPProject.org

Seriously, just fix your configuration.  The part of NTP being abused is completely unrelated to actually synchronizing time.  It's a management query that has no real reason to be enabled remotely. You don't even need to resort to iptables for this, because NTPD has built-in rate limiting (which isn't enabled for management queries, but those are trivial to disable).

$ ntpdc -c monlist -n clock.xmission.com
remote address          port local address      count m ver code avgint  lstint
===============================================================================
173.209.207.233        42422 198.60.22.240       4727 3 3 0      0       0
24.155.184.100         45285 198.60.22.240         11 3 4 0      6       0
107.0.41.2             48625 198.60.22.240        264 3 4 0      5       0
67.108.239.31          40642 198.60.22.240      77084 3 3 0      0       0
177.65.149.237         62212 198.60.22.240       1085 3 1 0      0       0
209.64.161.162         44786 198.60.22.240         19 3 4 0      7       0
103.7.36.38            51618 198.60.22.240          4 3 3 0      8       0
173.209.207.218        50616 198.60.22.240       4731 3 3 0      0       0
69.61.203.25           20766 198.60.22.240      16379 3 4 0      1       0
68.188.251.223           478 198.60.22.240          2 1 3 0      0       0
75.82.183.104            123 198.60.22.240          1 3 4 0      0       0
63.64.124.129          52839 198.60.22.240     150867 3 4 0      0       0
65.201.33.150            151 198.60.22.240        393 3 2 0      3       0
124.228.119.105        24687 198.60.22.240         31 3 3 0      4       0
64.191.150.130           319 198.60.22.240    4494361 3 2 0      0       0
76.102.124.27            123 198.60.22.240          2 3 4 0      0       0
72.235.200.183           123 198.60.22.240          1 3 4 0      0       0
50.73.42.121           10398 198.60.22.240         11 3 3      0 14       0
63.64.124.144          26984 198.60.22.240    5823740 3 4 0      0       0
71.5.8.194             44699 198.60.22.240          3 3 4 0      0       0
143.112.64.2            1320 198.60.22.240        182 1 3 0      6       0
72.235.19.125            123 198.60.22.240          1 3 4 0      0       0
198.237.66.2           10471 198.60.22.240        499 3 3 0      3       0
12.108.21.226            357 198.60.22.240         10 1 3      0 14       0
174.47.116.250           463 198.60.22.240         24 3 4 0      5       0
72.1.71.73               738 198.60.22.240         19 3 3 0      8       0
67.136.57.10            1026 198.60.22.240        243 3 3 0      5       0
64.199.163.5             306 198.60.22.240        231 3 4 0      4       0
70.77.76.153           32188 198.60.22.240          1 3 4 0      0       0

There is no excuse to still be running an NTP server with monlist enabled.  Fix your configuration, and you don't need IPTables rules.



On 2/16/2014 1:29 PM, Pete Ashdown wrote:
> Just in case you run a legitimate open NTP server, this iptable stanza
> helps immensely:
>
> ## rate limit ntp
> $IPTABLES -N NTP
> $IPTABLES -N BLACKHOLE
> $IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
> $IPTABLES -A BLACKHOLE -j DROP
> $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 --rsource -j BLACKHOLE
> $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
> $IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
> $IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
>
>
> I've found that blocking TCP destination NTP to client servers/networks
> blocks legitimate NTP synchronization for their clients.   Although I
> wish they'd all just use my on-network NTP server, I can't assume they
> will.  Does anyone have a list or source of pool and vendor
> (Apple/Microsoft/etc) servers so I can permit based on source before
> blocking based on destination port?
>
>
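
An added model (not Pete's code, and not the kernel's) of how the NTP / BLACKHOLE chains quoted above behave under the xt_recent semantics: a `--seconds` window, a `--hitcount` threshold, and `--update` refreshing the entry on a match. Times are integer milliseconds, the per-entry stamp cap of the real module is ignored, and the source addresses are constructed documentation-range values.

```python
from collections import defaultdict

# Added example, not Pete's code: a simplified model of the NTP / BLACKHOLE
# chains. Times are integer ms; the kernel's per-entry stamp cap is ignored.
WINDOW_MS = 5_000        # --seconds 5
NTP_HITS = 20            # --hitcount 20 on list ntpv4
BLACKHOLE_HITS = 2       # --hitcount 2 on list ntpv4blackhole

class RecentList:
    """One '--name' list: timestamps of hits per source address (--rsource)."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def hits(self, src, now):
        return sum(1 for t in self.stamps[src] if now - t <= WINDOW_MS)

    def set(self, src, now):                 # --set: record this packet
        self.stamps[src].append(now)

    def update(self, src, now, hitcount):    # --update --hitcount N
        # Matches only with >= N hits in the window; a match also refreshes
        # the entry, which is what keeps a still-sending source blackholed.
        if self.hits(src, now) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

class NtpRateLimiter:
    def __init__(self):
        self.ntpv4 = RecentList()
        self.blackhole = RecentList()

    def packet(self, src, now):
        """Verdict for one UDP/123 packet from src at time now (ms)."""
        if self.ntpv4.update(src, now, NTP_HITS):   # -j BLACKHOLE ...
            self.blackhole.set(src, now)            #   --set ntpv4blackhole
            return "DROP"                           #   -j DROP
        if self.blackhole.update(src, now, BLACKHOLE_HITS):
            return "DROP"                           # still blackholed
        self.ntpv4.set(src, now)                    # --set ntpv4 -j ACCEPT
        return "ACCEPT"

def simulate(events):
    """events: [(src, time_ms)] in arrival order; returns a verdict per packet."""
    fw = NtpRateLimiter()
    return [fw.packet(src, t) for src, t in events]

# Constructed traffic: one source bursts 25 packets 100 ms apart.
BURST = [("203.0.113.5", i * 100) for i in range(25)]
```

Running `simulate` on `BURST` shows the 21st packet within five seconds is the first one dropped, and that a source which then keeps sending even one packet per second stays blackholed until it goes quiet for the full window.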



