RE: [suse-security] Looking for a secure time service
I'd like to run a time service like 'xntp' on my firewall machine (Kernel 2.4 w/ iptables, no DMZ) which should be able to
a) connect to public Internet time servers (obviously), b) do so with a minimum security impact, and c) send NTP broadcasts to my internal network.
Looking at b), is NTP a wise protocol to use? Are there more secure protocols? If you have some setup tips or sample 'iptables' scripts to share, that'd be fine. And if there's a FAQ for this which I missed, kindly point me to it. Thank you!
NTP can be configured to be pretty secure. As Kurt already noted, UDP is easy to spoof, but NTP time packets (responses) have to arrive in a pretty small time window not to be discarded by the data grooming algorithm. You should synchronise to several sources to allow the NTP daemon to identify falsetickers. Someone intent on muddling your time would have to impersonate several of the servers you query in order for an attack to succeed.

More danger probably lies in a corruption of the daemon itself. It runs as root, and a rather nasty buffer overflow (I believe) was discovered rather recently. Looking into the CHANGES files of the 4.0.99m-rc1 release, the authors seem to be making an attempt at cleaning out buffer-overflow-susceptible code.

The other problem is that you can establish control connections to an NTP daemon using the same interface as the programs ntpq and ntpdc from the NTP distro. You should definitely use the access control options of NTP to not allow those from the Internet, and from the inside only after successful authentication. More recent versions of the distribution allow you to use public key authentication for NTP time datagrams, but I don't know of any RPM (except my own) that has it compiled in.

Tobias
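An added example ntp.conf (not from either post, nor from the NTP distribution) that applies Tobias's advice: several upstream servers so the daemon can outvote a falsetticker, a default of refusing everything so that only the configured servers and the LAN are answered, ntpq/ntpdc control queries refused from the Internet, and a control key so that runtime changes from the inside are possible only with authentication. The server addresses (192.0.2.x / 198.51.100.x documentation ranges), the 192.168.1.0/24 LAN and key number 1 are placeholders, not values from the thread.

```conf
# /etc/ntp.conf -- added example, placeholder addresses throughout
driftfile /etc/ntp.drift

# Several sources: the selection algorithm needs a majority of truechimers to
# discard a falseticker, so one spoofed or broken server cannot steer the clock.
server 192.0.2.10
server 192.0.2.11
server 192.0.2.12
server 198.51.100.5

# Default policy: ignore every packet not explicitly allowed below.
restrict default ignore

# Replies from the configured servers are accepted, but those hosts may neither
# reconfigure us (nomodify), set traps (notrap) nor run ntpq/ntpdc queries (noquery).
restrict 192.0.2.10    nomodify notrap noquery
restrict 192.0.2.11    nomodify notrap noquery
restrict 192.0.2.12    nomodify notrap noquery
restrict 198.51.100.5  nomodify notrap noquery

# Local administration via ntpq/ntpdc on the firewall itself is unrestricted.
restrict 127.0.0.1

# Internal LAN may fetch time and read status; any change needs the control key.
# Add "noquery" here as well to refuse even read-only ntpq status queries from inside.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Time broadcasts to the internal network (ntpd 4.x clients expect these to be
# authenticated unless they are configured with "disable auth"; add "key 1" here
# and the same key on the clients to authenticate them).
broadcast 192.168.1.255

# Symmetric keys: /etc/ntp.keys holds lines of the form "1 M <secret>" (mode 0600).
keys /etc/ntp.keys
trustedkey 1
controlkey 1     # required by ntpq for any write operation
requestkey 1     # required by ntpdc for any runtime change
```

With this file the daemon still answers time requests from the LAN and its upstream servers, but an ntpq or ntpdc session from any Internet address is silently discarded, and an inside session can only read state unless it presents key 1.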
Ok, now that I've had a decent night's rest and my brain is working, here is a somewhat more comprehensive posting.

UDP + firewalls and "keeping state". It's sort of a pseudo state: the firewall remembers UDP packets. For example, a firewall rule for "keep state, allow UDP packets to/from port 53" means an outgoing packet to a DNS server results in a small window being opened for the return packet. Of course an attacker can still insert a spoofed packet (not hard either, just keep sending spoofed DNS responses from well-known servers), but that should hopefully be noticed.

NTPD and root. There is a modified NTP daemon that uses kernel capabilities, one of which is modifying system time, so it can drop root privileges once it binds to port 123; for the life of me I can't remember which vendor ships it though (check http://security-archive.merton.ox.ac.uk/).

Kurt
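The original question asked for sample iptables rules, and Kurt's post explains the stateful UDP window. The following script, added here and not from either poster, shows those rules for a 2.4 kernel with `-m state`: the firewall's own ntpd may query Internet servers and only the matching replies get back in, everything else arriving on port 123 from the outside (control queries, stray "replies" outside the window) is logged and dropped, and broadcasts plus direct queries are permitted on the LAN side. Interface names eth0/eth1, the LAN range 192.168.1.0/24 and the log prefix are assumptions; `DRY_RUN=1` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules for an ntpd that runs
# on the firewall, queries Internet servers and broadcasts time to the LAN.
# Interface names, the LAN range and the log prefix are assumed placeholders.
EXT_IF=${EXT_IF:-eth0}                 # Internet-facing interface (assumption)
INT_IF=${INT_IF:-eth1}                 # LAN interface (assumption)
INT_NET=${INT_NET:-192.168.1.0/24}     # LAN range (assumption)
INT_BCAST=${INT_BCAST:-192.168.1.255}  # LAN broadcast address (assumption)

# Print each rule instead of loading it when DRY_RUN=1, so the set can be reviewed first.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ntp_rules() {
    # ntpd sends its queries from source port 123 to destination port 123.  The OUTPUT
    # rule creates the conntrack entry; the INPUT rule lets only the matching reply back
    # in, which is the short "pseudo state" window Kurt describes.
    ipt -A OUTPUT -o "$EXT_IF" -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -i "$EXT_IF" -p udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
    # Anything else reaching port 123 from the Internet -- ntpq/ntpdc control queries, or
    # "replies" that arrive outside the window -- is logged (so spoofing attempts are
    # noticed) and dropped.
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 123 -m state --state NEW -j LOG --log-prefix "NTP-EXT-NEW: "
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 123 -j DROP
    # LAN side: broadcasts out, and direct queries from internal hosts to the firewall's ntpd.
    ipt -A OUTPUT -o "$INT_IF" -p udp --sport 123 -d "$INT_BCAST" --dport 123 -j ACCEPT
    ipt -A INPUT  -i "$INT_IF" -p udp -s "$INT_NET" --dport 123 -j ACCEPT
    ipt -A OUTPUT -o "$INT_IF" -p udp --sport 123 -d "$INT_NET" -j ACCEPT
}

# Number of rules the function emits (dry run); handy as a sanity check.
count_ntp_rules() {
    DRY_RUN=1 ntp_rules | wc -l | tr -d ' '
}

# Usage: sh ntp-fw.sh apply            (DRY_RUN=1 sh ntp-fw.sh apply  to review first)
if [ "${1:-}" = apply ]; then
    ntp_rules
fi
```

The rules assume the chains' policy (or a later rule) drops what is not listed here; they only open the NTP paths. Note that ntpdate uses an ephemeral source port rather than 123, so a one-off ntpdate run from the firewall would need its own outbound rule.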
participants (2)
- Kurt Seifried
- Reckhard, Tobias