From EUserv Wiki
Securing NTP
General
Open or insufficiently secured NTP (Network Time Protocol) servers can be abused. The best-known attack is amplification/reflection DDoS: the attacker sends small queries whose source address is spoofed to the victim's, and the server sends its much larger replies to the victim. To keep servers and virtual servers (and the EUserv network as a whole) safe, we have collected some steps that should be considered when running an NTP server or client.
Safety check
If you are running an NTP server that is reachable from the Internet, the Open NTP Project lets you check whether it answers the queries that make it a potential reflector. Use the following link to run a check:
http://openntpproject.org/
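As an added example (not EUserv's code, and independent of the Open NTP Project's checker): the Python script below builds the two queries an open server is abused with, the mode 6 READVAR query that ntpq -c rv sends and the mode 7 monlist request, sends them to a host of your choosing and reports whether the host answered and by how much it amplified. The host name, the timeout and the sample reply SAMPLE_READVAR_REPLY are assumptions/constructed data; run it from outside your network and only against your own server.

```python
"""Added example (not EUserv's code): build the two NTP query types that make
an open server usable as a reflector, and classify what a host sends back.
Mode 6 READVAR is what 'ntpq -c rv' sends; the mode 7 MON_GETLIST_1 request
is the 'monlist' query.  probe() needs network access; everything else runs
offline, and SAMPLE_READVAR_REPLY is a constructed reply, not a capture."""
import socket
import struct

NTP_PORT = 123


def build_mode6_readvar() -> bytes:
    """Mode 6 control packet, opcode 2 (READVAR), association id 0 = system variables."""
    # byte 0: LI=0, VN=2, mode=6 -> 0x16; byte 1: R=0 E=0 M=0, opcode=2
    header = struct.pack("!BB", (2 << 3) | 6, 0x02)
    # sequence, status, association id, offset, count: all zero
    return header + struct.pack("!HHHHH", 0, 0, 0, 0, 0)


def build_mode7_monlist() -> bytes:
    """Mode 7 private packet: implementation 3 (XNTPD), request code 42 (MON_GETLIST_1)."""
    # byte 0: R=0 M=0, VN=2, mode=7 -> 0x17; byte 1: auth=0, sequence=0;
    # then err/nitems and mbz/size, all zero
    return struct.pack("!BBBBHH", (2 << 3) | 7, 0x00, 3, 42, 0, 0)


def classify_reply(request: bytes, reply: bytes) -> dict:
    """Report whether 'reply' is a genuine response to a mode 6/7 request and
    how many bytes came back per byte sent (the amplification factor)."""
    if not reply:
        return {"answered": False, "mode": None, "amplification": 0.0}
    mode = reply[0] & 0x07
    if mode == 6:
        is_response = bool(reply[1] & 0x80)   # R bit lives in the control header byte
    elif mode == 7:
        is_response = bool(reply[0] & 0x80)   # R bit is the top bit of byte 0 in mode 7
    else:
        is_response = False
    return {"answered": is_response, "mode": mode,
            "amplification": round(len(reply) / len(request), 1)}


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send both queries to host:123 and classify the replies (requires network).
    A server hardened with 'noquery' answers neither; a monlist reply usually
    arrives as several packets, so everything received before the timeout is summed."""
    results = {}
    for name, pkt in (("readvar", build_mode6_readvar()), ("monlist", build_mode7_monlist())):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(pkt, (host, NTP_PORT))
            reply = b""
            try:
                while True:
                    chunk, _ = sock.recvfrom(65535)
                    reply += chunk
            except OSError:               # timeout, or ICMP port unreachable: nothing (more) came back
                pass
        results[name] = classify_reply(pkt, reply)
    return results


# Constructed mode 6 response (R bit set, opcode 2, 42-byte variable payload):
# the shape an unrestricted ntpd would return to build_mode6_readvar().
_PAYLOAD = b'version="ntpd 4.2.6p5", processor="x86_64"'
SAMPLE_READVAR_REPLY = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0x0624, 0, 0, len(_PAYLOAD)) + _PAYLOAD


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed host
    for name, verdict in probe(target).items():
        print(f"{name:8s} answered={verdict['answered']} amplification={verdict['amplification']}x")
```

A server configured with the restrict lines in the next sections answers neither query. The monlist request is the worst case, because one 8-byte request can trigger a long series of replies of several hundred bytes each, which is exactly the amplification an attacker is after.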
Protection
Client
To configure a client that only sends NTP requests to servers and grants full access to nobody but localhost, use the following example configuration (usually located at /etc/ntp.conf). Replace the IPv4/IPv6 addresses and the hostname with the servers you want to use. Note what these flags do: nomodify, nopeer, noquery and notrap block runtime changes, peering, ntpq/ntpdc queries and traps from everyone else, but ntpd will still answer plain time requests from other hosts. If the machine should not serve time at all, the firewall rules further below take care of that.
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# Unrestricted access only from localhost
restrict 127.0.0.1
restrict ::1
# NTP servers which we want to use
server 192.x.x.x
server 2001:db0a::x
server time.example.net
Note: Trustworthy NTP servers include the servers of the NTP pool, which are grouped by region. The servers for Europe, for instance, are:
- 0.europe.pool.ntp.org
- 1.europe.pool.ntp.org
- 2.europe.pool.ntp.org
- 3.europe.pool.ntp.org
EUserv also runs a stratum 1 NTP server. To use it, add the line
server ntp1.euserv.net
to your /etc/ntp.conf.
To shield the client further from unsolicited traffic, the following firewall rules (here: iptables, written in iptables-save syntax, so prefix each line with iptables when entering it by hand) can be applied. They only have the intended effect together with a default DROP policy (or a final REJECT rule) on the INPUT chain: UDP from source port 123 is then accepted inbound only as the reply to a request the client itself sent, which is what the ESTABLISHED state means for a connectionless protocol in conntrack.
-A INPUT -s 0/0 -d 0/0 -p udp --sport 123:123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 0/0 -d 0/0 -p udp --dport 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT
Server
When configuring a server, additionally state restrictions and access policies for the upstream servers you synchronize with and for the network segments that may use your server. The default lines deny queries, modification, traps and peering to everyone; the per-network lines then selectively relax this. Leave noquery off a segment only if hosts there really need ntpq/ntpdc access; ordinary time synchronization does not require it. Single hosts need no mask, and a dotted-quad mask such as 255.255.255.255 is wrong for an IPv6 address, so the upstream servers are restricted without a mask here:
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# Unrestricted access only from localhost
restrict 127.0.0.1
restrict ::1
# NTP servers which we want to use
server 192.x.x.x
server 2001:db0a::x
server time.example.net
# Restrictions for the upstream servers (single hosts, no mask needed)
restrict time.example.net nomodify notrap noquery
restrict 2001:db0a::x nomodify notrap noquery
restrict 192.x.x.x nomodify notrap noquery
# Define the net segments which are allowed access (they may also query; add noquery if not wanted)
restrict 172.16.0.0 mask 255.255.0.0 nomodify notrap
restrict 192.168.100.0 mask 255.255.255.0 nomodify notrap
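As an added example (not EUserv's code): a small Python audit for the restrict policy described above. It parses the restrict lines of an ntp.conf, checks that both default entries carry nomodify nopeer noquery notrap, that every other entry except localhost has at least nomodify notrap, that no IPv6 entry uses a dotted-quad mask, and reports ranges that may still query as informational. The two configurations embedded in it are constructed samples using documentation addresses (192.0.2.10, 2001:db8::1); the flag sets are assumptions taken from this page, not ntpd's own validation.

```python
"""Added example (not EUserv's code): audit the 'restrict' lines of an ntp.conf
against the policy this page describes.  Checks: the IPv4 and IPv6 'default'
entries carry nomodify, nopeer, noquery and notrap; every other entry except
localhost carries at least nomodify and notrap; an IPv6 entry does not use a
dotted-quad mask; ranges that may still query (no 'noquery') are reported as
informational.  Both configurations below are constructed samples."""
import ipaddress
import shlex

DEFAULT_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}
HOST_FLAGS = {"nomodify", "notrap"}
LOCALHOST = {"127.0.0.1", "::1"}


def parse_restrict(text):
    """Yield (family, target, mask, flags) per restrict line; '#' comments are stripped."""
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens and tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        target = tokens.pop(0)          # "default", an address or a hostname
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            tokens.pop(0)
            mask = tokens.pop(0)
        yield family, target, mask, set(tokens)


def audit(text):
    """Return a list of (severity, message); 'warn' means the hardening is missing."""
    findings = []
    seen_default = set()
    for family, target, mask, flags in parse_restrict(text):
        if target == "default":
            seen_default.add(family or "both")
            missing = DEFAULT_FLAGS - flags
            if missing:
                findings.append(("warn", f"default ({family or 'both'}) lacks {' '.join(sorted(missing))}"))
            continue
        if target in LOCALHOST:
            continue                    # full access for localhost is intended
        try:
            version = ipaddress.ip_address(target).version
        except ValueError:
            version = None              # a hostname
        if version == 6 and mask and "." in mask:
            findings.append(("warn", f"{target}: IPv4-style mask {mask} on an IPv6 entry"))
        missing = HOST_FLAGS - flags
        if missing:
            findings.append(("warn", f"{target}: lacks {' '.join(sorted(missing))}"))
        if "noquery" not in flags:
            findings.append(("info", f"{target}: ntpq/ntpdc queries allowed from this range"))
    if not seen_default & {"both", "-4"}:
        findings.append(("warn", "no default restrict line for IPv4"))
    if not seen_default & {"both", "-6"}:
        findings.append(("warn", "no default restrict line for IPv6"))
    return findings


# Constructed: a permissive configuration with the mistakes to catch
WEAK_CONF = """
restrict default
restrict -6 default nomodify
restrict 2001:db8::1 mask 255.255.255.255 nomodify notrap noquery
server 0.europe.pool.ntp.org
"""

# Constructed: the server configuration from this page with documentation addresses
HARDENED_CONF = """
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1
restrict time.example.net nomodify notrap noquery
restrict 2001:db8::1 nomodify notrap noquery
restrict 192.0.2.10 nomodify notrap noquery
restrict 172.16.0.0 mask 255.255.0.0 nomodify notrap
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}")
        for severity, message in audit(conf) or [("ok", "no findings")]:
            print(f"  {severity}: {message}")
```

Run it against your own file with audit(open("/etc/ntp.conf").read()). The hardened sample yields only the informational note about the 172.16.0.0/16 segment, which mirrors the deliberate choice above to let that network query.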
Authentication
Additional security can be achieved with symmetric keys. Key-based authentication is useful when:
- time should only be synchronized with trusted sources
- an attacker could inject forged timestamps
- an attacker could impersonate another server
Configuration
Key-based authentication has to be set up on both sides. The following instructions apply to both server and client:
Uncomment (or add) the following line in /etc/ntp.conf; the location of the key file can be chosen freely:
keys /etc/ntp.keys
Now create the key file (here: /etc/ntp.keys) and enter your keys. They are stored in plain text, so restrict the file to its owner (root, or the account ntpd runs as on your distribution) and make sure nobody else can read it:
chmod 0600 /etc/ntp.keys
There are two commonly used key types, A and M. An A key consists of up to 8 ASCII characters and is used with DES; an M key consists of up to 31 ASCII characters and is used with the MD5 message digest. Neither type is encrypted: the key is a shared secret from which both sides compute a message authentication code over every packet, so anyone who can read the file can forge authenticated packets. Newer ntpd versions also accept the digest name (for example MD5 or SHA1) in the type column, and ntp-keygen -M writes a ready-made MD5 key file.
The key format in /etc/ntp.keys looks like the following:
1 A PasSword
2 M 123.Test?
13 A I_see!
398 M NTP_Key298
The first column is the key number (1-65535), the second the key type, and the third the key itself.
Client
On the client, define for which NTP servers authentication is to be used by extending the server directives in /etc/ntp.conf with key [KEY NUMBER]. In our example this looks like the following:
server 192.x.x.x key 1
server 2001:db0a::x key 13
server time.example.net key 398
A server line carrying a key keyword is only synchronized with if its replies contain a valid MAC for that key. The auth flag (enabled by default in current ntpd) additionally refuses to synchronize with any association that is not explicitly configured unless it authenticates; to make sure it is on, add the following line to the configuration file:
enable auth
Server
Now specify on the server which keys are trusted. The keyword is trustedkey (singular); put the following line into /etc/ntp.conf:
trustedkey 1 2 13 398
Just add the numbers (first column of the key file, see above) of the keys you trust. The client needs the same directive: a key that is not listed as trusted is not used for the server lines above, so keys, trustedkey and the key file itself must be present on both sides.
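As an added example (not EUserv's or ntpd's code) of what the key file, the key keyword and trustedkey achieve together: the Python below implements the symmetric-key MAC ntpd uses for M (MD5) keys, a 4-byte key id followed by MD5(key || packet) appended to the 48-byte NTP packet, and then shows that a packet whose transmit timestamp was altered, one signed with a key id that is not trusted, and one signed with the wrong secret all fail verification. The keys file text (a copy of the table above), the packet contents and the trusted set are constructed; A (DES) keys are skipped.

```python
"""Added example (not EUserv's or ntpd's code): what 'key N' on a server line
means on the wire.  With symmetric-key authentication ntpd appends a 20-byte
MAC to the 48-byte packet: the key id (4 bytes, network order) followed by
MD5(key || packet).  The receiver recomputes the digest with the key it holds
under that id and drops the packet if anything differs, which is what stops a
forged timestamp or a server impersonating another one.  The keys file text
and the NTP packet below are constructed; only M (MD5) keys are handled."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16


def load_keys(text):
    """Parse /etc/ntp.keys lines of the form 'id type key' into {id: key bytes}."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, keytype, secret = line.split(None, 2)
        if keytype.upper() not in ("M", "MD5"):
            continue                      # type A (DES) keys are not demonstrated here
        keys[int(keyid)] = secret.encode()
    return keys


def ntp_mac(keyid, key, packet):
    """MAC = key id || MD5(key || packet), as ntpd computes it for MD5 keys."""
    return struct.pack("!I", keyid) + hashlib.md5(key + packet).digest()


def authenticate(packet, keyid, key):
    """Sender side: append the MAC for the chosen key."""
    return packet + ntp_mac(keyid, key, packet)


def verify(message, trusted_keys):
    """Receiver side: returns (ok, keyid).  Fails for a missing MAC, a key id
    that is not in trustedkey, a wrong secret, or any modified header byte."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False, None
    packet, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in trusted_keys:
        return False, keyid
    expected = ntp_mac(keyid, trusted_keys[keyid], packet)
    return hmac.compare_digest(expected, mac), keyid


def client_packet(transmit_ts):
    """Constructed 48-byte NTPv4 client request (LI 0, version 4, mode 3) whose
    only non-zero timestamp is the transmit timestamp (bytes 40..47)."""
    return struct.pack("!BBBb11I", 0x23, 0, 6, -20,
                       0, 0, 0,                    # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,           # reference, originate, receive timestamps
                       transmit_ts >> 32, transmit_ts & 0xFFFFFFFF)


# Constructed keys file in the format shown above
KEYS_FILE = """
1 A PasSword
2 M 123.Test?
13 A I_see!
398 M NTP_Key298
"""


if __name__ == "__main__":
    keys = load_keys(KEYS_FILE)
    trusted = {k: keys[k] for k in (2, 398)}          # 'trustedkey 2 398' on the receiver
    message = authenticate(client_packet(0xE5F0000000000000), 398, keys[398])
    print("genuine  :", verify(message, trusted))
    forged = bytearray(message)
    forged[40] ^= 0x01                                 # flip one bit of the transmit timestamp
    print("tampered :", verify(bytes(forged), trusted))
    print("wrong key:", verify(authenticate(client_packet(1), 398, b"guess"), trusted))
```

The MAC is a plain digest of secret plus packet rather than an HMAC, which is why the secrecy of the key file matters so much: whoever reads it can produce valid MACs for any timestamp. The key id travels in clear, so the receiver only consults trustedkey to decide whether to look the key up at all.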