OSEC

From: Christopher McCrory (chrismccPRICEGRABBER.COM)
Date: Wed Apr 04 2001 - 22:46:11 CDT

    Hello...

            In this message I was replying to a co-worker, but others might benefit.

    you wrote:

    > I use the following code snippet in my /etc/rc.d/rc.firewall code which runs
    > whenever I start my machine:
    >
    > #
    > # NTP from SPECIFIC SERVERS. Make sure to re-run /etc/rc.d/rc.firewall
    > # if you change the list of these servers, as we don't want to provide
    > # NTP to other clients that aren't us.
    > #
    > for i in `awk '/^server/ && !/127.127.1.0/ {print $2}' /etc/ntp.conf`; do
    > $IPCHAINS -A input -i $EXTERNALIF -p udp -s $i/32 -d $EXTERNALIP/32 ntp -j ACCEPT
    > done
    >
    > =================
    >
    > The above causes the server to only pay attention to NTP traffic originating
    > from known servers in my /etc/ntp.conf file. (The default is to DENY all
    > unknown traffic.) But because it's a good idea to fix this sort of problem
    > generally, I'll look for a patch from RedHat. Thanks for the update.
    >

         Four years ago spoofing a tcp connection was hard, but not
    impossible. Today it is, in practice, impossible due to real (not
    pseudo) random sequence numbers. Spoofing a udp session is still easy
    due to its connectionless properties. The NTP protocol uses udp. There
    aren't _that_ many stratum 1 and 2 ntp servers. The sample code
    executed "/tmp/sh", but there is no reason it couldn't execute
    "/sbin/ipchains --flush". Followed by a 'real' exploit.

    --
    

    Christopher McCrory "The guy that keeps the servers running" chrismccpricegrabber.com http://www.pricegrabber.com

    "Linux: Because rebooting is for adding new hardware"
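As an added example (not code from the original post), the quoted rc.firewall loop as a stand-alone script: it parses a constructed ntp.conf, skips every 127.127.t.u reference-clock pseudo-address rather than only 127.127.1.0, also covers `peer` lines, and prints the ipchains rules instead of executing them. The variable names IPCHAINS, EXTERNALIF and EXTERNALIP come from the post; their values and the sample config are constructed. As the reply points out, a udp source address can be forged, so these rules narrow exposure but do not authenticate the server.

```shell
#!/bin/sh
# Added example, not from the original post: emit the ipchains ACCEPT rules
# the quoted loop would install, from a constructed /etc/ntp.conf.
# Variable names are the post's; the values below are constructed.
IPCHAINS=/sbin/ipchains
EXTERNALIF=eth0
EXTERNALIP=192.0.2.10

# ntp_servers FILE -> address field of each active "server" or "peer" line,
# ignoring comments, trailing options (e.g. iburst) and every 127.127.t.u
# reference-clock driver address (the post's awk only excluded 127.127.1.0).
ntp_servers() {
    awk '($1 == "server" || $1 == "peer") && $2 !~ /^127\.127\./ { print $2 }' "$1"
}

# ntp_rules FILE -> one ipchains rule per address, printed rather than run,
# so the result can be reviewed before it touches the live chain.
ntp_rules() {
    for i in $(ntp_servers "$1"); do
        echo "$IPCHAINS -A input -i $EXTERNALIF -p udp -s $i/32 -d $EXTERNALIP/32 ntp -j ACCEPT"
    done
}

# Constructed sample config for a stand-alone run.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample /etc/ntp.conf
server 127.127.1.0            # local clock driver, not a network peer
fudge  127.127.1.0 stratum 10
server 192.0.2.1 iburst
peer   198.51.100.2
#server 203.0.113.3           # commented out: must not get a rule
driftfile /etc/ntp/drift
EOF

ntp_rules "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```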