Tips:

1. Set a deny-everything default policy in ntp.conf, for IPv4 and IPv6. Packets from any address not matched by a later restrict line are then dropped, so every time source you sync from and every client you serve needs its own restrict entry (see tip 3):

restrict default ignore
restrict -6 default ignore

2. Disable the monitor facility to protect against CVE-2013-5211 (the ntpdc monlist amplification attack). Verify afterwards from another host with "ntpdc -n -c monlist <server>": on a hardened server the request times out or returns no data.

disable monitor

3. Use "nomodify nopeer noquery notrap" on the restrict line of every IP address and network your NTP server synchronises from or accepts connections from. Time exchange still works with these flags; they only block runtime configuration changes (nomodify), unsolicited symmetric peering (nopeer), ntpq/ntpdc control queries (noquery) and trap registration (notrap).

restrict 200.148.5.9 nomodify nopeer noquery notrap
restrict 192.168.123.0 mask 255.255.255.0 nomodify nopeer noquery notrap
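The three tips above can be checked mechanically before a daemon restart. The following shell script is an added example written for this page; it is not part of the original text or of the ntp distribution. It only parses an ntp.conf file (it does not talk to ntpd) and reports a missing deny-all default, a missing "disable monitor", and any server or peer whose restrict line lacks one of the four flags. The two sample configuration files it creates are constructed for the demonstration; the function name audit_ntp_conf is an assumption of this example.

```sh
#!/bin/sh
# audit_ntp_conf FILE: check an ntp.conf against the three hardening tips.
# Added example for this page, not from the original page or from ntpd.

audit_ntp_conf() {
    conf="$1"
    rc=0

    # Tip 1: deny-all default policy for IPv4 and IPv6.
    grep -Eq '^[[:space:]]*restrict[[:space:]]+default[[:space:]]+ignore' "$conf" \
        || { echo "MISSING: restrict default ignore"; rc=1; }
    grep -Eq '^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default[[:space:]]+ignore' "$conf" \
        || { echo "MISSING: restrict -6 default ignore"; rc=1; }

    # Tip 2: monitor facility (monlist) switched off.
    grep -Eq '^[[:space:]]*disable[[:space:]]+monitor' "$conf" \
        || { echo "MISSING: disable monitor"; rc=1; }

    # Tip 3: every server/peer except the local reference clock (127.127.x.x)
    # needs a restrict line carrying all four flags. With "restrict default
    # ignore" a source without its own restrict line never gets its replies
    # processed at all.
    hosts=$(awk '($1 == "server" || $1 == "peer") && $2 !~ /^127\.127\./ { print $2 }' "$conf")
    for host in $hosts; do
        # Heuristic: anything beyond hex digits, dots and colons is a DNS name.
        case "$host" in
            *[!0-9A-Fa-f.:]*) echo "NOTE: $host is a DNS name; restrict and server resolve it separately" ;;
        esac
        # First restrict line for this exact address, whitespace normalised.
        line=$(awk -v h="$host" '$1 == "restrict" && $2 == h { $1 = $1; print; exit }' "$conf")
        if [ -z "$line" ]; then
            echo "MISSING: restrict $host nomodify nopeer noquery notrap"
            rc=1
            continue
        fi
        for flag in nomodify nopeer noquery notrap; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "WEAK: restrict $host lacks $flag"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample inputs (not taken from a real host). The first follows
# the tips; the second is a typical permissive configuration.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat > "$GOOD_CONF" <<'EOF'
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 200.148.5.9 iburst
restrict 200.148.5.9 nomodify nopeer noquery notrap
disable monitor
EOF

cat > "$BAD_CONF" <<'EOF'
# no deny-all default, monitor left on, incomplete restrict flags
restrict default nomodify
server 200.148.5.9 iburst
server 0.pool.ntp.org iburst
restrict 200.148.5.9 nomodify
EOF

echo "== hardened sample =="
audit_ntp_conf "$GOOD_CONF" && echo "OK: no findings"
echo "== permissive sample =="
audit_ntp_conf "$BAD_CONF" || echo "FAIL: fix the findings above"
```

Run it against /etc/ntp.conf with "audit_ntp_conf /etc/ntp.conf" after sourcing the function. The DNS note is informational: it flags the case where a name such as 0.pool.ntp.org is used on both a server and a restrict line, since ntpd resolves the two independently and a round-robin answer can leave the chosen server unmatched by its restrict entry.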


Example NTP server configuration

# Default policy: deny everything not explicitly allowed below

restrict default ignore
restrict -6 default ignore

# Localhost and the server's own LAN address (192.168.123.2, the address the
# client configuration below points at) get no restriction flags, i.e. full
# time, query and administrative access.

restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.123.2


# Symmetric key used to authenticate ntpdc runtime (mode 7) requests. Keep
# /etc/ntp.keys readable by the ntp user only: anyone holding key 1 can issue
# administrative requests from an address without the nomodify flag.

keys /etc/ntp.keys
trustedkey 1
requestkey 1

#Backup time source when none of the real sources are available.
server 127.127.1.0
fudge 127.127.1.0 stratum 10

#NTP servers 
server 200.148.5.9 iburst
server 0.pool.ntp.org iburst


# Accept time from the upstream servers but nothing else: no runtime changes,
# no peering, no ntpq/ntpdc queries, no traps. Caveat: "restrict 0.pool.ntp.org"
# resolves the name once, independently of the "server 0.pool.ntp.org" lookup,
# so with round-robin pool DNS the two can pick different addresses and the
# deny-all default then drops that server's replies. A fixed IP address, as for
# 200.148.5.9, avoids this.

restrict 200.148.5.9 nomodify nopeer noquery notrap
restrict 0.pool.ntp.org nomodify nopeer noquery notrap


# Clients allowed to synchronise time from this server. Time packets only:
# no runtime changes, peering, ntpq/ntpdc queries or traps.

# Public networks
restrict 200.148.5.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict 189.144.62.0 mask 255.255.255.0 nomodify nopeer noquery notrap

# Internal networks
restrict 192.168.123.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict 10.10.0.0 mask 255.255.0.0 nomodify nopeer noquery notrap


# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.

disable monitor

Example NTP client configuration

# Default policy: deny everything not explicitly allowed below

restrict default ignore
restrict -6 default ignore


driftfile /var/lib/ntp/drift/ntp.drift
logfile /var/log/ntp

# Local addresses of I200: allow everything (no restriction flags listed)
restrict 127.0.0.1
restrict -6 ::1

# NTP servers on the LAN. Accept time from them but nothing else (no runtime
# changes, peering, ntpq/ntpdc queries or traps).
server 192.168.123.2 iburst
server 10.10.31.1 iburst

restrict 192.168.123.2 nomodify nopeer noquery notrap
restrict 10.10.31.1 nomodify nopeer noquery notrap

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.

disable monitor