How to secure NTP on Linux

There has been a lot of press regarding the NTP amplification DDOS vulnerability, most Linux distributions have now updated their ntp.conf default config to make NTP more secure and block this attack. But in case you need to know how to do it yourself, it’s really quite straight forward:

 

Using your favourite text editor edit the ntp.conf file (usually found here /etc/ntp.conf) and make sure you have the following lines:

restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

The first line secures NTP for IPv4 the second line does the same for IPv6, even if you’re not IPv6 enabled it does no harm to put it in.

You will also need to ensure that you can talk to the NTP daemon on the server itself, so make sure you have the following lines as well:

restrict 127.0.0.1
restrict ::1

If you need to communicate with the NTP daemon from another server, you can add additional restrict entries, for example:

restrict 192.168.0.0 mask 255.255.255.0

will give the entire network 192.168.0.0/24 full access to your NTP daemon.

It always pays to setup a firewall on your servers, if you are setting up a server to provide time services to other systems, then you need to ensure that you open up UDP port 123 or the NTP daemon will not be accessible from other systems, even with the “restrict” entry above. A typical iptables entry would be as follows:

/sbin/iptables -A INPUT -i eth0 -s 0/0 -d 192.168.0.123 -p udp –dport 123 -j ACCEPT

You will need to adjust the command to suit your server, i.e. “-i eth0” should point to your servers network port where you expect the traffic to arrive, “-d A.B.C.D” should be your servers actual IP address. You can also change “-s 0/0” to allow only specific IP addresses access to your server, for example:

/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 192.168.0.123 -p udp –dport 123 -j ACCEPT

will allow your local network 192.168.0.0/24 access but bock everything else.

 

Leave a Reply

Your email address will not be published. Required fields are marked *