Re: [tor-relays] ntp needs attention
On 2014-12-22 01:42, Felix wrote:
> Hi
> See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576
There's as of yet no update from Apple applicable to those relays running on
Mac OS X.
In the interim, I've reconfigured ntpd on the Macs to deny queries (steps
below). This may prevent their default-listening ntp.org/UDel ntpd from
seeing and being affected by the potential single packet exploits.
In the medium term, I'll be switching to something like 'sudo port install
openntpd' and trying to kill off the bundled UDel ntpd on Mac OS X in favor of
the replacement. (That service replacement might succeed, but if so it will
probably require defeating the ghost of Steve Jobs along the way...)
More info on the bugs:
http://bugs.ntp.org/show_bug.cgi?id=2668
http://www.kb.cert.org/vuls/id/852879
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
https://access.redhat.com/security/cve/CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296
Richard
-------
1) Confirm ntpd listener on by default and responding to other hosts (such
as one running the nmap scanner):
$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4
| ntp-info:
|_ receive time stamp: Sat Dec 20 00:49:36 2014
2) Edit ntp config:
-------8<-------
--- /private/etc/ntp-restrict.conf.old
+++ /private/etc/ntp-restrict.conf
@@ -2,8 +2,8 @@
# http://support.ntp.org/bin/view/Support/AccessRestrictions
# Limit network machines to time queries only
-restrict default kod nomodify notrap nopeer noquery
-restrict -6 default kod nomodify notrap nopeer noquery
+restrict default kod nomodify notrap nopeer noquery ignore
+restrict -6 default kod nomodify notrap nopeer noquery ignore
# localhost is unrestricted
restrict 127.0.0.1
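Review bot: appending `ignore` to the two `restrict default` lines makes the `kod nomodify notrap nopeer noquery` flags on those same lines redundant (ignore denies every packet from a source not matched by a more specific restrict entry), and that denial also covers the replies of whatever upstream servers this ntpd is configured to sync from, since the only exemption in the hunk is `restrict 127.0.0.1`. Add a `restrict <server-address> nomodify notrap noquery` line for each configured server (or confirm such lines already exist in the rest of the config), and after the HUP check from localhost with `ntpq -p`, which the 127.0.0.1 exemption still permits, that the servers are reachable; the `ps` check in step 4 only shows the daemon is running, not that it is still disciplining the clock.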
-------8<-------
3) Send a HUP to reload the config:
$ sudo killall -HUP ntpd
4) Confirm ntpd still running after HUP:
$ ps -axw | grep ntpd | grep -v grep
51928 ?? 0:00.02 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf ...
5) Confirm ntpd listener now off [1] by default:
$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT STATE SERVICE
123/udp open|filtered ntp
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
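The restrict-policy change walked through in steps 2 to 5 above, as an added example that is not code from the original post, from the ntp project or from Apple: a small Python lint for ntp.conf-style `restrict` lines. It flags a default policy that still answers queries (missing `noquery` and friends) and the case where `restrict default ... ignore` would also drop replies from the configured time servers because they have no restrict entry of their own. The server name, the three file bodies and the function names are constructed for the demo.

```python
"""
Lint the 'restrict' access policy of an ntp.conf-style file.

Added example (not from the original post or the ntp project). It parses
'restrict' and 'server'/'peer'/'pool' lines and reports two things a relay
operator cares about: whether the default policy still answers queries, and
whether a 'restrict default ... ignore' line would also silently drop the
replies of the configured time servers (ntpd applies the default policy to
them too unless a more specific restrict entry matches). The configs below
are constructed for the demo, not the OS X files.
"""

from typing import Dict, List, Set, Tuple

# Flags expected on a hardened 'restrict default' line that does not use ignore.
HARDENED_FLAGS = ("nomodify", "notrap", "nopeer", "noquery")


def parse_ntp_conf(text: str) -> Tuple[List[Dict], List[str]]:
    """Return ([restrict entries], [server addresses]) from ntp.conf text.

    A restrict entry is {'family': '-4'|'-6'|None, 'target': str, 'flags': set}.
    'mask <addr>' is consumed so the mask value is not mistaken for a flag.
    """
    restricts: List[Dict] = []
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        keyword, args = words[0], words[1:]
        if keyword == "restrict" and args:
            family = args.pop(0) if args[0] in ("-4", "-6") else None
            if not args:
                continue
            target = args.pop(0)
            flags: Set[str] = set()
            i = 0
            while i < len(args):
                if args[i] == "mask":
                    i += 2                    # skip 'mask' and its value
                    continue
                flags.add(args[i])
                i += 1
            restricts.append({"family": family, "target": target, "flags": flags})
        elif keyword in ("server", "peer", "pool") and args:
            servers.append(args[0])
    return restricts, servers


def check_restrict_policy(text: str) -> List[str]:
    """Return a list of findings; an empty list means the policy looks sane."""
    findings: List[str] = []
    restricts, servers = parse_ntp_conf(text)
    defaults = [r for r in restricts if r["target"] == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: remote hosts may query and "
                        "send control messages to ntpd")
    for entry in defaults:
        label = ("restrict default" if entry["family"] is None
                 else f"restrict {entry['family']} default")
        flags = entry["flags"]
        if "ignore" in flags:
            # 'ignore' denies every packet from sources not matched by a more
            # specific restrict line, including replies from the configured
            # servers. ntpd resolves names on restrict lines; this linter only
            # compares the literal tokens.
            covered = {r["target"] for r in restricts if r["target"] != "default"}
            uncovered = [s for s in servers if s not in covered]
            if uncovered:
                findings.append(f"{label} ignore: replies from {', '.join(uncovered)} "
                                "will be dropped too; add a 'restrict <server> "
                                "nomodify notrap noquery' line for each")
            continue                          # other flags are moot under ignore
        for flag in HARDENED_FLAGS:
            if flag not in flags:
                findings.append(f"{label}: missing '{flag}'")
    return findings


# Constructed sample configs (server name and contents are assumptions).
PERMISSIVE_CONF = """\
server time.example.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

IGNORE_NO_SERVER_RULE = """\
server time.example.org iburst
restrict default kod nomodify notrap nopeer noquery ignore
restrict -6 default kod nomodify notrap nopeer noquery ignore
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server time.example.org iburst
restrict default ignore
restrict -6 default ignore
restrict time.example.org nomodify notrap noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE_CONF),
                       ("ignore-without-server-rule", IGNORE_NO_SERVER_RULE),
                       ("hardened", HARDENED_CONF)):
        print(f"== {name}")
        for finding in check_restrict_policy(conf) or ["OK"]:
            print("  " + finding)
```

Run it against `/private/etc/ntp-restrict.conf` and any file it `includefile`s concatenated together (the checker only sees what it is given), then confirm from localhost with `ntpq -p` that the servers are still reachable after the reload.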