A Nessus scan of a Linux NTP server reported the vulnerability below.
71783 – Network Time Protocol Daemon (ntpd) monlist Command Enabled DoS
Synopsis
Description
The version of ntpd running on the remote host has the ‘monlist’ command enabled. This command returns a list of recent hosts that have connected to the service. However, it is affected by a denial of service vulnerability in ntp_request.c that allows an unauthenticated, remote attacker to saturate network traffic to a specific IP address by using forged REQ_MON_GETLIST or REQ_MON_GETLIST_1 requests.
Furthermore, an attacker can exploit this issue to conduct reconnaissance or distributed denial of service (DDoS) attacks.
Solution
If using NTP from the Network Time Protocol Project, upgrade to NTP version 4.2.7-p26 or later. Alternatively, add 'disable monitor' to the ntp.conf configuration file and restart the service. Otherwise, limit access to the affected service to trusted hosts, or contact the vendor for a fix.
Follow the steps below to clear this finding on an NTP server:
- Check which version of ntpd is running:

# ntpd --version
ntpd 4.2.6p5@1.2349-o Tue Jan 26 13:50:52 UTC 2016 (1)
- The output shows 4.2.6p5, which is older than 4.2.7p26, so the fix is either to upgrade ntpd or to add 'disable monitor' to its configuration. A version string alone is not conclusive: Linux distributions often backport the fix into their 4.2.6p5 packages without changing the upstream version, so the state of monlist should be confirmed with a direct query or a re-scan rather than inferred from the version. Here the server is not being upgraded, so 'disable monitor' is added instead. This turns off the monitor facility that monlist reads from; if the server should not answer any mode 6/7 management queries from untrusted hosts at all, the "limit access to trusted hosts" option in the Nessus solution corresponds to a 'restrict default kod nomodify notrap nopeer noquery' line in the same file. Edit /etc/ntp.conf and add the line shown:

# vi /etc/ntp.conf
...
disable monitor
...
- Save the file and restart the NTP service:

# service ntpd restart
Shutting down ntpd:  [  OK  ]
Starting ntpd:       [  OK  ]
- The finding should now be cleared. Verify it by re-running the Nessus scan, or by querying the server directly with 'ntpdc -n -c monlist <server>': with 'disable monitor' in effect ntpd answers "***Server reports data not found" instead of returning a list of recent clients.
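To verify the fix without waiting for another scan, the script below, added here as an example and not taken from the Nessus plugin or from the NTP project, sends the same 8-byte mode 7 REQ_MON_GETLIST_1 request that amplification attacks and the scanner rely on, and decodes the reply. It distinguishes the three outcomes that matter after remediation: a list of clients (monlist still enabled), an error 4 "no data" reply (what 'disable monitor' produces, shown by ntpdc as "***Server reports data not found"), and silence (the packet was filtered, or a 'restrict ... noquery' line made ntpd drop the mode 7 request without answering). The packet constants come from ntp_request.h; the sample replies, the addresses in them and the script name used in the usage note are constructed for this example.

```python
#!/usr/bin/env python3
"""Check whether an ntpd answers the mode 7 'monlist' request that Nessus 71783 flags.

Added example for this page; not Nessus plugin code and not part of the NTP project.
Constants follow ntp_request.h: IMPL_XNTPD = 3, REQ_MON_GETLIST_1 = 42,
sizeof(struct info_monitor_1) = 72.
"""
import socket
import struct
import sys
from typing import List, Optional

IMPL_XNTPD = 3            # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42    # request code for the extended monlist
MON_ITEM_SIZE = 72        # size of one info_monitor_1 record in the reply
RESP_BIT, MORE_BIT = 0x80, 0x40

# error field (high 4 bits of err_nitems) as defined in ntp_request.h
ERR_NAMES = {0: "ok", 1: "bad implementation", 2: "unknown request",
             3: "format error", 4: "no data", 7: "permission denied"}


def build_monlist_request() -> bytes:
    """8-byte mode 7 request: R=0, M=0, VN=2, mode=7, seq 0, impl 3, req 42, no items.

    This is the same packet used for amplification; send it only to servers you
    are authorised to test.
    """
    rm_vn_mode = (2 << 3) | 7                       # 0x17
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(data: bytes) -> dict:
    """Decode a mode 7 reply: error, item count/size and the first fields of each item."""
    if len(data) < 8:
        raise ValueError("mode 7 reply shorter than the 8-byte header")
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", data[:8])
    if not rm_vn_mode & RESP_BIT or rm_vn_mode & 0x07 != 7:
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("reply is for a different implementation or request code")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    items = []
    body = data[8:]
    for i in range(nitems):
        rec = body[i * itemsize:(i + 1) * itemsize]
        if itemsize < 32 or len(rec) < itemsize:
            break                                   # truncated or unknown record layout
        # info_monitor_1 begins: avg_int, last_int, restr, count, addr, daddr, flags (u32 each),
        # port (u16), mode (u8), version (u8); the IPv6 fields that follow are not decoded here
        _avg, _last, _restr, count, addr, _daddr, _flags, port, mode, version = \
            struct.unpack("!IIIIIIIHBB", rec[:32])
        items.append({"addr": socket.inet_ntoa(struct.pack("!I", addr)),
                      "count": count, "port": port, "mode": mode, "version": version})
    return {"error": ERR_NAMES.get(err, "error %d" % err), "more": bool(rm_vn_mode & MORE_BIT),
            "nitems": nitems, "itemsize": itemsize, "items": items}


def classify(reply: Optional[bytes]) -> str:
    """Map a raw reply (or a timeout) to the remediation state of the server."""
    if reply is None:
        return "no response: filtered, or 'restrict ... noquery' drops mode 7 silently"
    parsed = parse_monlist_response(reply)
    if parsed["error"] == "ok":
        return "VULNERABLE: monlist enabled, %d recent client(s) in this reply" % parsed["nitems"]
    if parsed["error"] == "no data":
        return "not vulnerable: 'no data' reply, which is what 'disable monitor' produces"
    return "not vulnerable: ntpd refused the request (%s)" % parsed["error"]


def probe(host: str, port: int = 123, timeout: float = 2.0) -> Optional[bytes]:
    """Send one monlist request over UDP and return the first reply datagram, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_request(), (host, port))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


# Constructed sample replies (not captured traffic) so the decoder can be run offline.
def make_monitor_item(addr: str, count: int, port: int = 123, mode: int = 3, version: int = 4) -> bytes:
    """One 72-byte info_monitor_1 record with the IPv6 fields zeroed."""
    ip = struct.unpack("!I", socket.inet_aton(addr))[0]
    head = struct.pack("!IIIIIIIHBB", 0, 0, 0, count, ip, 0, 0, port, mode, version)
    return head + b"\x00" * (MON_ITEM_SIZE - len(head))


def make_monlist_reply(err: int, items: List[bytes]) -> bytes:
    """Mode 7 reply header (R bit set) followed by the given records."""
    hdr = struct.pack("!BBBBHH", RESP_BIT | (2 << 3) | 7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      (err << 12) | len(items), MON_ITEM_SIZE if items else 0)
    return hdr + b"".join(items)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(classify(probe(sys.argv[1])))
    else:  # no host given: exercise the decoder on a constructed vulnerable reply
        sample = make_monlist_reply(0, [make_monitor_item("192.0.2.10", 42),
                                        make_monitor_item("198.51.100.7", 7)])
        print(classify(sample))
        for it in parse_monlist_response(sample)["items"]:
            print("  %(addr)s:%(port)d count=%(count)d mode=%(mode)d v%(version)d" % it)
```

Run it as 'python3 monlist_check.py <server>' (the file name is arbitrary) against the remediated host; with no argument it only decodes the constructed sample. Only the first datagram is decoded: a busy server with monlist enabled sets the MORE bit and sends several, which is exactly the amplification the finding is about. A silent result after adding 'restrict ... noquery' is expected and is not the same thing as the "no data" reply, so do not treat a timeout alone as proof that 'disable monitor' took effect.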