Better yet, why is your ntp server even reachable off net? Providing a public clock service needs a lot more configuration effort than a simple, default one -- as just demonstrated. (However, this is not to say that private servers should have management queries enabled.) On 2/17/2014 9:03 AM, Kate Gerry wrote:
Just add these to your ntp.conf configuration then restart the service: (Works with all default installations that I've found)
restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery
-- Kate Gerry Network Manager kate@quadranet.com
1-888-5-QUADRA Ext 206 | www.QuadraNet.com Dedicated Servers, Colocation, Cloud Services and more. Datacenters in Los Angeles, Dallas and Miami.
Follow us on:
-----Original Message----- From: Brian Rak [mailto:brak@gameservers.com] Sent: Sunday, February 16, 2014 6:38 PM To: Pete Ashdown; NANOG list Subject: Re: OpenNTPProject.org
Seriously, just fix your configuration. The part of NTP being abused is completely unrelated to actually synchronizing time. It's a management query, that has no real reason to be enabled remotely. You don't even need to resort to iptables for this, because NTPD has built in rate limiting (which isn't enabled for management queries, but those are trivial to disable).
$ ntpdc -c monlist -n clock.xmission.com remote address port local address count m ver code avgint lstint =============================================================================== 173.209.207.233 42422 198.60.22.240 4727 3 3 0 0 0 24.155.184.100 45285 198.60.22.240 11 3 4 0 6 0 107.0.41.2 48625 198.60.22.240 264 3 4 0 5 0 67.108.239.31 40642 198.60.22.240 77084 3 3 0 0 0 177.65.149.237 62212 198.60.22.240 1085 3 1 0 0 0 209.64.161.162 44786 198.60.22.240 19 3 4 0 7 0 103.7.36.38 51618 198.60.22.240 4 3 3 0 8 0 173.209.207.218 50616 198.60.22.240 4731 3 3 0 0 0 69.61.203.25 20766 198.60.22.240 16379 3 4 0 1 0 68.188.251.223 478 198.60.22.240 2 1 3 0 0 0 75.82.183.104 123 198.60.22.240 1 3 4 0 0 0 63.64.124.129 52839 198.60.22.240 150867 3 4 0 0 0 65.201.33.150 151 198.60.22.240 393 3 2 0 3 0 124.228.119.105 24687 198.60.22.240 31 3 3 0 4 0 64.191.150.130 319 198.60.22.240 4494361 3 2 0 0 0 76.102.124.27 123 198.60.22.240 2 3 4 0 0 0 72.235.200.183 123 198.60.22.240 1 3 4 0 0 0 50.73.42.121 10398 198.60.22.240 11 3 3 0 14 0 63.64.124.144 26984 198.60.22.240 5823740 3 4 0 0 0 71.5.8.194 44699 198.60.22.240 3 3 4 0 0 0 143.112.64.2 1320 198.60.22.240 182 1 3 0 6 0 72.235.19.125 123 198.60.22.240 1 3 4 0 0 0 198.237.66.2 10471 198.60.22.240 499 3 3 0 3 0 12.108.21.226 357 198.60.22.240 10 1 3 0 14 0 174.47.116.250 463 198.60.22.240 24 3 4 0 5 0 72.1.71.73 738 198.60.22.240 19 3 3 0 8 0 67.136.57.10 1026 198.60.22.240 243 3 3 0 5 0 64.199.163.5 306 198.60.22.240 231 3 4 0 4 0 70.77.76.153 32188 198.60.22.240 1 3 4 0 0 0
There is no excuse to still be running a NTP server with monlist enabled. Fix your configuration, and you don't need IPTables rules.
On 2/16/2014 1:29 PM, Pete Ashdown wrote:
Just in case you run a legitimate open NTP server, this iptable stanza helps immensely:
## rate limit ntp $IPTABLES -N NTP $IPTABLES -N BLACKHOLE $IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource $IPTABLES -A BLACKHOLE -j DROP $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 --rsource -j BLACKHOLE $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP $IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT $IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
I've found that blocking TCP destination NTP to client servers/networks blocks legitimate NTP synchronization for their clients. Although I wish they'd all just use my on-network NTP server, I can't assume they will. Does anyone have a list or source of pool and vendor (Apple/Microsoft/etc) servers so I can permit based on source before blocking based on destination port?