Sometime last year, a security vulnerability was reported at a system that acts as NTP server. After investigation, I found that the system in question was not having noquery in its NTP configuration file /etc/ntp.conf and this resulted in the security vulnerability. This was probably found by doing a vulnerability scan of the system using Nessus or OpenVAS or something similar.
As a mitigation, I suggested to add noquery in the NTP configuration file and then restart NTP service, so that update to the NTP configuration file comes into effect.
What is this noquery and what is the necessity to have it?
In the NTP configuration file, noquery is a flag that could be used along with restrict command. When this flag is added to the restrict command, all NTP mode 6 and 7 packets are ignored from the specified source. In other words, ntpq and ntpdc queries are denied from the specified source.
In absence of noquery flag, that is, if ntpq and ntpdc queries are allowed, then NTP server status information (such as OS and ntpd version) could be identified by doing a scan of the system using Nessus. This open channel that could be used for revealing system information is reported as a security vulnerability.
So, whether to have noquery flag or not depends on the decision - do we want to allow others to see our server status information?
If answer is yes, then do not have noquery flag along with the restrict command.
If answer is no, then do have the noquery flag.
noquery flag does not affect time service of the NTP server.
Please be aware, the UDP nature of NTP makes NTP servers prone to be abused in case of reflection and amplification attacks.
No comments:
Post a Comment