
Re: [tor-relays] ntp needs attention



On 2014-12-22 01:42, Felix wrote:
Hi

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576


There's as of yet no update from Apple applicable to those relays running on Mac OS X.

In the interim, I've reconfigured ntpd on the Macs to deny queries (steps below). This may prevent their default-listening ntp.org/UDel ntpd from seeing and being affected by the potential single packet exploits.

In the medium term, I'll be switching to something like 'sudo port install openntpd' and trying to kill off the bundled UDel ntpd on Mac OS X in favor of the replacement. (That service replacement might succeed, but if so it will probably require defeating the ghost of Steve Jobs along the way...)

More info on the bugs:
http://bugs.ntp.org/show_bug.cgi?id=2668
http://www.kb.cert.org/vuls/id/852879
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
https://access.redhat.com/security/cve/CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296


Richard

-------
1) Confirm ntpd listener on by default and responding to other hosts (such
as one running the nmap scanner):

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|_  receive time stamp: Sat Dec 20 00:49:36 2014

2) Edit ntp config:

-------8<-------
--- /private/etc/ntp-restrict.conf.old
+++ /private/etc/ntp-restrict.conf
@@ -2,8 +2,8 @@
 # http://support.ntp.org/bin/view/Support/AccessRestrictions
 # Limit network machines to time queries only

-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
+restrict default kod nomodify notrap nopeer noquery ignore
+restrict -6 default kod nomodify notrap nopeer noquery ignore

 # localhost is unrestricted
 restrict 127.0.0.1
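Review bot: appending 'ignore' to both 'restrict default' lines makes ntpd drop every packet from any address that no more specific 'restrict' line matches, replies from the configured upstream time servers included, so each host on the 'server' lines needs its own entry such as 'restrict <server-addr> nomodify notrap nopeer noquery' (or 'restrict source ...' where the ntpd build supports that keyword), otherwise the Mac stops synchronising; step 4 below only shows the daemon survived the HUP, not that it still gets time. The flags kept beside 'ignore' ('kod nomodify notrap nopeer noquery') are harmless but redundant, since 'ignore' already denies everything.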
-------8<-------

3) Send a HUP to reload the config:

$ sudo killall -HUP ntpd

4) Confirm ntpd still running after HUP:

$ ps -axw | grep ntpd | grep -v grep
51928 ??    0:00.02 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf ...

5) Confirm ntpd listener now off [1] by default:

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT    STATE         SERVICE
123/udp open|filtered ntp
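The diff above keeps 'noquery' on the default lines, which was already there before the change, yet step 1 shows nmap's ntp-info script getting a receive timestamp back: 'noquery' only refuses ntpq/ntpdc control queries (modes 6 and 7), while ordinary client time requests are still answered, and only 'ignore' drops those too. The following audit script makes that distinction explicit for an ntp.conf text and also flags the side effect of 'ignore' on configured servers. It is an added example, not code from the post or from the ntp project. It assumes ntpd's documented restrict semantics: a bare 'restrict default' covers both IPv4 and IPv6 while '-4'/'-6' narrow it to one family, repeated restrict lines for the same address have their flags OR-ed, and only literal server addresses can be matched offline (hostnames are not resolved). The sample configs and the address 192.0.2.10 are constructed.

```python
"""Audit the 'restrict' policy of an ntpd ntp.conf (constructed example).

Per address family it reports whether control queries from arbitrary hosts
are still accepted, whether ordinary time requests are still answered, and,
when 'ignore' is the default, which 'server' hosts have no more specific
restrict line and would therefore have their replies dropped.
"""

import shlex

CONTROL_DENY = {"noquery", "ignore"}   # either stops mode 6/7 control queries
DROP_ALL = "ignore"                    # drops every packet, time requests included

# Constructed sample configs: BEFORE mirrors the '-' lines of the post's diff,
# AFTER appends 'ignore' as the '+' lines do, AFTER_FIXED adds an allow line
# for the (constructed) upstream server.
BEFORE = """\
# Limit network machines to time queries only
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# localhost is unrestricted
restrict 127.0.0.1
server 192.0.2.10 iburst
"""
AFTER = BEFORE.replace("noquery\n", "noquery ignore\n")
AFTER_FIXED = AFTER + "restrict 192.0.2.10 nomodify notrap nopeer noquery\n"


def parse_ntp_conf(text):
    """Return (restricts, servers).

    restricts: list of (families, address, flags); families is a frozenset of
    4 and/or 6, address is 'default' or the literal from the config.
    servers: first argument of every 'server' / 'peer' line.
    """
    restricts, servers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "restrict":
            families = frozenset({4, 6})      # bare 'default' covers both families
            if args and args[0] in ("-4", "-6"):
                families = frozenset({int(args[0][1:])})
                args = args[1:]
            if not args:
                continue
            address, flags, i = args[0], set(), 1
            while i < len(args):
                if args[i] == "mask":         # 'mask a.b.c.d' consumes one argument
                    i += 2
                    continue
                flags.add(args[i])
                i += 1
            restricts.append((families, address, flags))
        elif keyword in ("server", "peer") and args:
            servers.append(args[0])
    return restricts, servers


def default_flags(restricts, family):
    """Union of flags on every default line that applies to `family`.
    No default line at all means ntpd allows everything: empty set."""
    flags = set()
    for families, address, fl in restricts:
        if address == "default" and family in families:
            flags |= fl                       # ntpd ORs flags of repeated entries
    return flags


def audit(text):
    """Return the findings dict described in the module docstring."""
    restricts, servers = parse_ntp_conf(text)
    findings = {"control_queries_open": [], "time_requests_answered": [],
                "servers_blocked": []}
    dropped = []
    for family in (4, 6):
        flags = default_flags(restricts, family)
        if not flags & CONTROL_DENY:
            findings["control_queries_open"].append(family)
        if DROP_ALL in flags:
            dropped.append(family)
        else:
            findings["time_requests_answered"].append(family)
    if dropped:
        # A server's replies survive 'ignore' only if a more specific restrict
        # line without 'ignore' names its address.
        allowed = {addr for _, addr, fl in restricts
                   if addr != "default" and DROP_ALL not in fl}
        findings["servers_blocked"] = [s for s in servers if s not in allowed]
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER),
                       ("after+allow", AFTER_FIXED)):
        print(name, audit(conf))
```

Run against the three constructed configs, 'before' reports control queries closed but time requests answered on both families (the state nmap saw in step 1), 'after' reports nothing answered but the server at 192.0.2.10 blocked, and 'after+allow' clears that last finding; a real ntpd may also need the matching allow line for each server it is configured with.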


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays