About network time protocol (NTP) mod-6 scanning vulnerability handling

One 、 Vulnerability description

A vulnerability scanning process was carried out on the intranet network equipment once, and the vulnerability was exposed , This vulnerability can be exploited remotely NTP Server response mode 6 Inquire about . Devices that respond to these queries may be used for NTP Enlarge the attack . An unauthenticated remote attacker may pass a well-designed pattern 6 Query exploits this vulnerability , Cause reflected denial of service .

Repair suggestions ： Limit NTP Pattern 6 Inquire about .

Vulnerability level ： intermediate

Two 、 Vulnerability verification and handling

2.1、 Vulnerability verification

Execute the following command , The representative with result output turns on mode 6 Inquire about , No output means it is closed mode 6 Inquire about .

ntpq -c rv ntp_ip	// As shown below 

The latter performs ：

ntpq -pn // If the order is not followed ntp, This is a ntp Locally executed 

ntpq -pn ntp_ip   // Remote Authentication 

2、 Vulnerability handling , Limit NTP mod-6 Inquire about

modify ntp Server profile ：vi /etc/ntp.conf, Add the following

server ip_address

restrict -6 default nomodify notrap noquery

restrict :: default nomodify notrap noquery

restrict default nomodify notrap noquery

disable monitor

Configuration instructions ：

restrict IP Address mask Subnet mask Parameters // among IP The address can also be default ,default It's all about IP.
The parameters are as follows ：

ignore ： Close all NTP Online services

nomodify： The client cannot change the time parameter of the server , But the client can use the server for network timing .

notrust ： Unless the client is authenticated , Otherwise, the client source will be treated as untrusted subnet

noquery ： Do not provide client time query ： The client cannot use ntpq,ntpc Wait for the command ntp The server

notrap ： Does not provide trap Remote login ： Refused to provide pattern for matching hosts 6 Control message trap service . The trap service is ntpdq The subsystem that controls the message protocol , For remote event loggers .

nopeer ： Used to prevent the host from trying to peer to the server , And allow fraudulent servers to control the clock

kod ： Send... When access violation occurs KoD package .

After the modification is completed ：systemctl restart ntpd

Local validation ：ntpq -pn // The query is normal

Remote Authentication ：ntpq -pn ntp_ip or ntpq -c rv ntp_ip

Sum up ,mod-6 And disable , You can apply for security re scanning .