[tor-relays] ntp needs attention

Richard Johnson rdump at river.com
Mon Dec 22 19:58:51 UTC 2014


On 2014-12-22 01:42, Felix wrote:
> Hi
>
> See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576


There's as yet no update from Apple applicable to those relays running on 
Mac OS X.

In the interim, I've reconfigured ntpd on the Macs to deny queries (steps 
below).  This may prevent their default-listening ntp.org/UDel ntpd from 
seeing and being affected by the potential single-packet exploits.

In the medium term, I'll be switching to something like 'sudo port install 
openntpd' and trying to kill off the bundled UDel ntpd on Mac OS X in favor of 
the replacement. (That service replacement might succeed, but if so it will 
probably require defeating the ghost of Steve Jobs along the way...)

More info on the bugs:
http://bugs.ntp.org/show_bug.cgi?id=2668
http://www.kb.cert.org/vuls/id/852879
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
https://access.redhat.com/security/cve/CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296


Richard

-------
1) Confirm ntpd listener on by default and responding to other hosts (such
as one running the nmap scanner):

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|_  receive time stamp: Sat Dec 20 00:49:36 2014

2) Edit ntp config:

-------8<-------
--- /private/etc/ntp-restrict.conf.old
+++ /private/etc/ntp-restrict.conf
@@ -2,8 +2,8 @@
  # http://support.ntp.org/bin/view/Support/AccessRestrictions
  # Limit network machines to time queries only

-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
+restrict default kod nomodify notrap nopeer noquery ignore
+restrict -6 default kod nomodify notrap nopeer noquery ignore

  # localhost is unrestricted
  restrict 127.0.0.1
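Review bot: the `ignore` added to both `restrict default` lines also drops replies from the relay's own upstream time servers, because ntpd runs every received packet through the restrict list, not just client queries; unless `restrict <server-address>` lines without `ignore` exist for those sources outside this hunk, the host will stop synchronising, so add one per configured server. Two smaller points on the same lines: once `ignore` is present the remaining `kod nomodify notrap nopeer noquery` flags are dead, and the comment "# Limit network machines to time queries only" directly above now says the opposite of what the lines do, so update it to something like "# Drop all packets from non-local machines". Also, only `127.0.0.1` is exempted; with the `-6 default` line set to `ignore`, a matching `restrict -6 ::1` is needed if anything (for example `ntpq -p`) talks to ntpd over IPv6 loopback.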
-------8<-------

3) Send a HUP to reload the config:

$ sudo killall -HUP ntpd

4) Confirm ntpd still running after HUP:

$ ps -axw | grep ntpd | grep -v grep
51928 ??    0:00.02 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf ...

5) Confirm ntpd listener now off [1] by default:

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT    STATE         SERVICE
123/udp open|filtered ntp
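As an added example, not part of Richard's post or of any ntp.org tooling: a small POSIX shell audit of the restrict configuration the steps above produce. It checks that every `restrict [-4|-6] default` line carries a given flag (here `ignore` and `noquery`), and lists `server`/`peer` hosts that have no `restrict <host>` line of their own, which under `restrict default ignore` means ntpd will discard their replies and never sync. The config it runs on is a constructed sample modelled on the diff above, written to a temp file; the server name `time.apple.com` in it is an assumption about what the Mac's separate ntp.conf contains, not taken from the post.

```shell
#!/bin/sh
# Audit helpers for the "deny all queries" ntpd hardening (example code).

# Constructed sample config, modelled on the post's ntp-restrict.conf diff.
# The "server" line is an assumption (the Mac keeps servers in ntp.conf).
write_sample_conf() {
  cat > "$1" <<'EOF'
# Limit network machines to time queries only
restrict default kod nomodify notrap nopeer noquery ignore
restrict -6 default kod nomodify notrap nopeer noquery ignore
restrict 127.0.0.1
server time.apple.com
EOF
}

# default_restrict_has CONF FLAG
# Returns 0 when there is at least one "restrict [-4|-6] default" line in
# CONF and every such line carries FLAG; returns 1 otherwise.
default_restrict_has() {
  conf="$1"; flag="$2"
  counts=$(awk -v flag="$flag" '
    $1 == "restrict" {
      i = 2; if ($2 == "-4" || $2 == "-6") i = 3
      if ($i == "default") {
        n++
        for (j = i + 1; j <= NF; j++) if ($j == flag) { ok++; break }
      }
    }
    END { print n + 0, ok + 0 }' "$conf")
  set -- $counts               # $1 = default lines, $2 = lines with FLAG
  [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# unexempted_servers CONF
# Prints (sorted, one per line) every "server"/"peer" host that has no
# "restrict <host>" line of its own. With "restrict default ignore" such
# hosts' replies are dropped too, so ntpd cannot synchronise from them.
unexempted_servers() {
  conf="$1"
  awk '
    $1 == "server" || $1 == "peer" { srv[$2] = 1 }
    $1 == "restrict" {
      i = 2; if ($2 == "-4" || $2 == "-6") i = 3
      if ($i != "default") exempt[$i] = 1
    }
    END { for (h in srv) if (!(h in exempt)) print h }' "$conf" | sort
}

# Demo run on the constructed sample.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
if default_restrict_has "$demo_conf" ignore; then
  echo "default restrict lines all carry 'ignore' (external queries dropped)"
else
  echo "WARNING: some default restrict line lacks 'ignore'"
fi
missing=$(unexempted_servers "$demo_conf")
[ -z "$missing" ] || echo "servers with no own restrict line (will not sync): $missing"
rm -f "$demo_conf"
```

Run it as-is to see the two findings on the sample, or point `default_restrict_has` and `unexempted_servers` at `/private/etc/ntp-restrict.conf` and `/etc/ntp.conf` concatenated (`cat` them into one temp file) to audit a real Mac. The second check is the one that matters after step 2: the diff exempts only 127.0.0.1, so every upstream server needs its own `restrict` line or the relay's clock will drift.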
