
I recently noticed people attempting ntpd reflection attacks on my server. So my questions are: how necessary is it that ntpd stays enabled, and how can I enable and disable it?

3 Answers


A default install of Ubuntu 16.04 or 18.04 desktop doesn't include ntpd. (The default server installer doesn't enforce it either, although some cloud images include it.) Rather, systemd-timesyncd is the default SNTP client. Because it's only an SNTP client (not an NTP server), it doesn't respond to requests from outside at all (barring potential bugs in systemd-timesyncd). You can see what systemd-timesyncd is doing using timedatectl.

Other points of interest:

  • The default configuration of ntpd under Ubuntu 16.04 includes specific protections to prevent it being used in reflection attacks.

  • Under Ubuntu 18.04, the default NTP server (pre-baked into some images) was switched to chronyd, which has a better security history and more secure codebase, according to a recent report.

Paul Gear


It is not necessary that ntpd stays enabled. It is nice to have a correct time, but not necessary. Most current default configurations should restrict access to the ntp server to protect against reflection attacks.

To enable and disable for the next reboot:

systemctl enable ntpd
systemctl disable ntpd

To start and stop immediately:

systemctl start ntpd
systemctl stop ntpd

RalfFriedl


In addition to what RalfFriedl said, it's also worth noting that some software relies on the clock being in sync. This is usually a licensing or key-pair situation (sometimes 2FA requires it as well).

Just be conscious of what you're running and what it requires. If you start seeing weird errors with licensing or certificates, I'd double-check NTP first.

In regards to NTP reflection attacks, I'm fairly certain, though, that you can avoid unwanted visitors requesting NTP data by closing port* 123 to inbound traffic. This way you can still make NTP outbound requests and receive their responses, and block incoming attacks. You really shouldn't need that port open to inbound traffic unless you are running an NTP server. You could also disable things like the monitor command in NTP to harden your NTP server. (This post is old but may help: https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300/)

I hope that answers your question :D

*: Edit for clarity

Ryan Smith
