Re: NTP insecure defaults

2017-01-09 Thread Teemu Likonen
Mart van de Wege [2017-01-09 08:37:48+01] wrote:

> While I like systemd and its related projects, I have not yet switched
> to systemd-timesyncd.

I switched to systemd-timesyncd yesterday and found it great. It just
works and is simpler than alternatives. Recipe:

  - Remove all other ntp server packages (ntp, chrony...).
  - As root, type "systemctl start systemd-timesyncd.service" to start
the service in the current session.
  - As root, type "timedatectl set-ntp true" to make
systemd-timesyncd.service start automatically in the future. That's
actually very close to "systemctl enable --now
systemd-timesyncd.service" which starts and enables the service.

Monitor your computer's time with "timedatectl" or "journalctl -f -u
systemd-timesyncd.service". Settings are in /etc/systemd/timesyncd.conf.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: NTP insecure defaults

2017-01-08 Thread Mart van de Wege
Henrique de Moraes Holschuh  writes:

>
> For client-only, openntpd is likely a better choice, yes.  Better yet,
> use "chrony", which is optimized for desktop/laptops (which get
> disconnected/powered off/suspended often).
>
> ntp - time servers, high-precision time clients.
> openntpd - always-on medium-precision time clients.
> chrony - everything else.
>
This is good to know. I fixed the open configuration myself, but next
time I know to install a different package if I want only to sync my
local time and not provide time service myself.

Mart

-- 
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.



Re: NTP insecure defaults

2017-01-08 Thread Mart van de Wege
Michael Luecke  writes:

> On 01/07/2017 09:33 AM, Mart van de Wege wrote:
>> Turns out the Debian default is indeed to provide time service if you
>> install NTP. Shouldn't that be limited to localhost only, so that an
>> admin must deliberately open up the service if they want to provide NTP
>> service to the outside world?
>
> Did you install any package that suggested or depended on the ntp
> package? Because on my system, the ntp package is not installed. ntp
> is handled by systemd-timesyncd. So the current Debian installer does
> not install the ntp by default in my opinion.
>
While I like systemd and its related projects, I have not yet switched
to systemd-timesyncd.

And I was not implying Debian installs ntp by default, merely that the
package comes with IMO insecure defaults.

> I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked
> into the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by
> default.
>
>> I thought of opening a bug, but I'd like a second opinion
>> first. Thoughts anyone?
>
> I think you should give us a little more details before filing a bug
> report (what did you install, which files did you change, ...).
>
See, that's why I asked for a second opinion.

I explicitly installed the ntp package, and mine came with this as
default:

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

I commented these out, and left the next stanza, which *is* a
restriction to localhost.

Mart

-- 
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.

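The restrict lines quoted in this message, and the distinction drawn elsewhere in the thread between ordinary time service and the high-amplification monitor queries, can be checked mechanically. The following Python script is an added example, not code from the thread or from the ntp package: it parses the `restrict` lines of an ntp.conf and reports, per address family, what an arbitrary remote address may still do. The three configurations at the bottom are constructed samples (the Debian defaults as quoted, a client-only variant using `ignore`, and one with the default lines commented out so that only the localhost stanza remains); the flag semantics are ntpd's, including that its built-in default entry carries no flags.

```python
"""Classify what a remote client can get from ntpd, from the `restrict`
lines in ntp.conf.  Added example, not code from the thread or from the
ntp package.  The three configurations at the bottom are constructed."""


def parse_restrict_lines(conf_text):
    """Yield (family, address, flags) for every `restrict` line.

    family is 'ipv4' (restrict -4), 'ipv6' (restrict -6) or None when the
    line applies to both.  A `mask <netmask>` pair is dropped so that only
    flag keywords remain.  Text after '#' is ignored, so a commented-out
    `#restrict default ...` line contributes nothing."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = "ipv4" if tokens.pop(0) == "-4" else "ipv6"
        if not tokens:
            continue
        address = tokens.pop(0)
        if tokens[:1] == ["mask"]:
            tokens = tokens[2:]
        yield family, address, frozenset(tokens)


def remote_policy(conf_text):
    """What an arbitrary remote address may do, per address family.

    Only the `default` entries matter for an address that matches no more
    specific restrict line (a bare `restrict 127.0.0.1` still wins for
    localhost).  ntpd's built-in default entry has no flags set, so a
    config with no surviving `restrict default` line allows everything;
    that case is reported as default_entry=False."""
    result = {}
    for fam in ("ipv4", "ipv6"):
        flags, present = set(), False
        for family, address, f in parse_restrict_lines(conf_text):
            if address == "default" and family in (None, fam):
                present = True
                flags |= f
        ignore = "ignore" in flags
        result[fam] = {
            "default_entry": present,
            # mode 3 client requests: ordinary time service; the reply is
            # the same 48-byte size as the request (low amplification)
            "time_service": not ignore and "noserve" not in flags,
            # mode 6/7 control and monitor queries (ntpq/ntpdc, monlist):
            # the replies that carry high amplification
            "control_queries": not ignore and "noquery" not in flags,
            # runtime reconfiguration via ntpq/ntpdc
            "remote_config": not ignore and "nomodify" not in flags,
            # rate limiting with Kiss-o'-Death replies for abusive clients
            "rate_limited": "limited" in flags and "kod" in flags,
        }
    return result


def findings(conf_text):
    """Things worth fixing before exposing the host to the internet."""
    notes = []
    for fam, p in remote_policy(conf_text).items():
        if not p["default_entry"]:
            notes.append(f"{fam}: no 'restrict default' line; remote clients are unrestricted")
            continue
        if p["control_queries"]:
            notes.append(f"{fam}: mode 6/7 queries answered remotely; add 'noquery'")
        if p["remote_config"]:
            notes.append(f"{fam}: remote reconfiguration allowed; add 'nomodify'")
        if p["time_service"] and not p["rate_limited"]:
            notes.append(f"{fam}: serving time without 'limited kod'; consider rate limiting")
    return notes


# Constructed sample 1: the Debian jessie defaults as quoted in the thread.
DEBIAN_DEFAULT = """\
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample 2: client-only.  'ignore' drops every remote packet,
# mode 3 time requests included; localhost keeps its own unrestricted entry.
CLIENT_ONLY = """\
restrict default ignore
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample 3: default lines commented out, localhost stanza kept.
COMMENTED_OUT = """\
#restrict -4 default kod notrap nomodify nopeer noquery limited
#restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("debian", DEBIAN_DEFAULT), ("client-only", CLIENT_ONLY),
                       ("commented-out", COMMENTED_OUT)):
        print(name, remote_policy(conf)["ipv4"], findings(conf) or "ok")
```

Run it against a real /etc/ntp.conf by passing the file contents to `findings()`; the interesting output is the third sample, which shows that removing the default lines changes the policy for remote clients rather than tightening it, whereas `restrict default ignore` is the client-only form.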


Re: NTP insecure defaults

2017-01-08 Thread Celejar
On Sat, 7 Jan 2017 09:30:55 -0200
Henrique de Moraes Holschuh  wrote:

...

> For client-only, openntpd is likely a better choice, yes.  Better yet,
> use "chrony", which is optimized for desktop/laptops (which get
> disconnected/powered off/suspended often).
> 
> ntp - time servers, high-precision time clients.
> openntpd - always-on medium-precision time clients.
> chrony - everything else.

Huh - I had given up on chrony about 8 years ago, due to the breakage
caused by bug #463518, but it looks like that got fixed (after a couple
of years of being broken), so I'm going to give it another whirl.

Celejar



Re: NTP insecure defaults

2017-01-07 Thread Henrique de Moraes Holschuh
On Sat, 07 Jan 2017, Eero Volotinen wrote:
> Default ntpd always listens on all interfaces. You need to install

You can restrict the standard ntp daemon services, and it won't *reply*.
You can also restrict its bind addresses, so it won't listen to every
interface it detects.

Usually, high-gain amplification attacks are the only thing we need to
restrict by default, and those are restricted to localhost by default in
Debian (I don't know since when, but Debian Jessie's defaults are
correct).

> openntpd or limit access to ntp port with iptables.

If you're limiting access to the ntp port, it doesn't matter if you use
secure but incomplete openntpd, or horrid-security-track-record, but
fully-fledged ntpd.

For client-only, openntpd is likely a better choice, yes.  Better yet,
use "chrony", which is optimized for desktop/laptops (which get
disconnected/powered off/suspended often).

ntp - time servers, high-precision time clients.
openntpd - always-on medium-precision time clients.
chrony - everything else.

> > On 01/07/2017 09:33 AM, Mart van de Wege wrote:
> >> Turns out the Debian default is indeed to provide time service if you
> >> install NTP. Shouldn't that be limited to localhost only, so that an

We already limit the large-amplification attacks to localhost.  Regular
ntp service works out-of-the-box, that means allowing client-server
clock queries.  But regular ntp service has a low amplification factor,
so it is usually not considered a problem at the network level.

-- 
  Henrique Holschuh

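The point above, that client-server clock queries have a low amplification factor while the control and monitor queries do not, is easy to see at the packet level. The following Python script is an added example, not code from the thread or from ntpd: it packs an NTPv4 mode 3 request and parses a mode 4 reply by hand, checks the origin timestamp so that unsolicited replies are discarded, recognises a Kiss-o'-Death reply (stratum 0, which is what the `kod` and `limited` flags in the Debian defaults cause a rate-limited client to receive), and computes the clock offset. The server replies are constructed, not captured; the monlist figures used for comparison come from the public reports on that attack and are not from the thread.

```python
"""NTPv4 mode 3 request and mode 4 reply, packed and parsed by hand.
Added example, not code from the thread or from ntpd.  The server
replies below are constructed; 'GPS' as a reference id is arbitrary."""
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBbII4sQQQQ"               # LI|VN|Mode, stratum, poll, precision,
                                       # root delay, root dispersion, ref id,
                                       # reference/origin/receive/transmit ts
PACKET_LEN = struct.calcsize(HEADER)   # 48 bytes for both request and reply

# Comparison only (public monlist reports, not from the thread): one mode 7
# MONLIST request can draw up to 100 reply packets of 440 bytes each.
MONLIST_REPLY_BYTES = 100 * 440


def to_ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    secs = int(unix_seconds)
    frac = int((unix_seconds - secs) * (1 << 32))
    return ((secs + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_timestamp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(client_now):
    """Mode 3 request.  Only the transmit timestamp matters: the server
    echoes it back as the origin timestamp, which is how the client later
    rejects replies it never asked for."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(HEADER, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp_timestamp(client_now))


def build_server_reply(request, server_recv, server_xmt, stratum=2,
                       ref_id=b"GPS\0"):
    """Mode 4 reply as a server would send it (used to build the samples).
    stratum 0 with a 4-byte ASCII ref_id such as b'RATE' is a Kiss-o'-Death."""
    origin = struct.unpack(HEADER, request)[10]
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp_timestamp(server_xmt), origin,
                       to_ntp_timestamp(server_recv),
                       to_ntp_timestamp(server_xmt))


def parse_server_reply(reply, request, client_now):
    """Validate a reply against our request and compute offset and delay.
    Returns {'kod': code} for a Kiss-o'-Death, otherwise offset/delay/stratum."""
    if len(reply) != PACKET_LEN:
        raise ValueError("unexpected packet length %d" % len(reply))
    f = struct.unpack(HEADER, reply)
    if f[0] & 7 != 4:
        raise ValueError("not a server (mode 4) packet")
    if f[8] != struct.unpack(HEADER, request)[10]:
        raise ValueError("origin timestamp does not match our request")
    if f[1] == 0:                        # stratum 0: kiss code lives in ref id
        return {"kod": f[6].decode("ascii", "replace").rstrip("\0")}
    t1 = from_ntp_timestamp(f[8])        # client sent
    t2 = from_ntp_timestamp(f[9])        # server received
    t3 = from_ntp_timestamp(f[10])       # server sent
    t4 = client_now                      # client received
    return {"offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2),
            "stratum": f[1]}


def amplification_factor(request, reply_bytes):
    """Bytes the server sends per byte the client sent."""
    return reply_bytes / len(request)


# Constructed exchange: server clock runs 2 s ahead, ~10 ms each way.
T0 = 1483776000.0
REQUEST = build_client_request(T0)
REPLY = build_server_reply(REQUEST, T0 + 0.010 + 2.0, T0 + 0.011 + 2.0)
KOD = build_server_reply(REQUEST, T0 + 0.010, T0 + 0.011, stratum=0, ref_id=b"RATE")

if __name__ == "__main__":
    print(parse_server_reply(REPLY, REQUEST, T0 + 0.020))
    print(parse_server_reply(KOD, REQUEST, T0 + 0.020))
    print("mode 3/4 amplification:", amplification_factor(REQUEST, len(REPLY)))
    print("monlist, same 48-byte request assumed:",
          amplification_factor(REQUEST, MONLIST_REPLY_BYTES))
```

The mode 3/4 exchange comes out at exactly 1.0, which is why a server that answers only time requests is not the thing a hosting provider's scanner is worried about; the monlist comparison is what `noquery` on the default entry switches off.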


Re: NTP insecure defaults

2017-01-07 Thread Eero Volotinen
Hi,

Default ntpd always listens on all interfaces. You need to install
openntpd or limit access to ntp port with iptables.

--
Eero

2017-01-07 11:40 GMT+02:00 Michael Luecke :

> On 01/07/2017 09:33 AM, Mart van de Wege wrote:
>
>> Turns out the Debian default is indeed to provide time service if you
>> install NTP. Shouldn't that be limited to localhost only, so that an
>> admin must deliberately open up the service if they want to provide NTP
>> service to the outside world?
>>
>
> Did you install any package that suggested or depended on the ntp package?
> Because on my system, the ntp package is not installed. ntp is handled by
> systemd-timesyncd. So the current Debian installer does not install the ntp
> by default in my opinion.
>
> I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked into
> the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by default.
>
>> I thought of opening a bug, but I'd like a second opinion
>> first. Thoughts anyone?
>>
>
> I think you should give us a little more details before filing a bug
> report (what did you install, which files did you change, ...).
>
> -- Michael
>
>


Re: NTP insecure defaults

2017-01-07 Thread Michael Luecke

On 01/07/2017 09:33 AM, Mart van de Wege wrote:

> Turns out the Debian default is indeed to provide time service if you
> install NTP. Shouldn't that be limited to localhost only, so that an
> admin must deliberately open up the service if they want to provide NTP
> service to the outside world?


Did you install any package that suggested or depended on the ntp 
package? Because on my system, the ntp package is not installed. ntp is 
handled by systemd-timesyncd. So the current Debian installer does not 
install the ntp by default in my opinion.


I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked 
into the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by default.



> I thought of opening a bug, but I'd like a second opinion
> first. Thoughts anyone?


I think you should give us a little more details before filing a bug 
report (what did you install, which files did you change, ...).


-- Michael



NTP insecure defaults

2017-01-07 Thread Mart van de Wege
My hosting provider recently pointed my attention to the fact that my
Jessie installation was running NTP and listening and responding to the
outside world, which is considered a security risk due to the
possibility of amplification attack DDoSes.

Turns out the Debian default is indeed to provide time service if you
install NTP. Shouldn't that be limited to localhost only, so that an
admin must deliberately open up the service if they want to provide NTP
service to the outside world?

I thought of opening a bug, but I'd like a second opinion
first. Thoughts anyone?

Mart

-- 
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.