Simple Steps to Improve NTP Server Security

There are a number of simple steps that can be carried out to improve the security of an NTP server.


1. Change Default Password

The NTP appliance is provided with a default password. This should be changed as soon as possible to a complex string of characters. Passwords should be kept secret and only provided to network administrators.


2. Apply NTP Daemon Restrictions

Apply default restrictions to the NTP daemon to prevent possible misuse by hosts on your LAN. Consider adding restrictions that prevent hosts from modifying NTP settings, querying NTP settings, registering ntpdc control message protocol traps, or forming peer associations with the server.

The following lines can be added to the "NTP Additional Configuration File" on the device's "NTP" configuration web page.

For IPv4 devices (e.g. TimeTools SR series NTP servers) add the following restrictions:

#-------------------------------------------------
# Give localhost full access rights (required):
restrict 127.0.0.1 nomodify

# Prevent remote querying IPv4
restrict default limited kod nomodify notrap nopeer noquery
#-------------------------------------------------

For IPv4 and IPv6 enabled devices (e.g. TimeTools T-series NTP servers) add the following restrictions:

#-------------------------------------------------
# Give localhost full access rights (required):
restrict 127.0.0.1 nomodify

# Prevent remote querying IPv4
restrict default limited kod nomodify notrap nopeer noquery

# Give IPv6 localhost full access rights (required):
restrict 0::1 nomodify

# Prevent remote querying IPv6
restrict -6 default limited kod nomodify notrap nopeer noquery
#-------------------------------------------------
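As a check on the restriction lines above, here is a small audit script that parses the restrict lines of an ntp.conf fragment and reports which of the hardening flags (nomodify, noquery, notrap, nopeer) are missing from the default restriction for each address family. It is an added example, not TimeTools' code; the sample fragment is constructed from the lines in this article, and the check deliberately treats an unqualified "restrict default" as IPv4 only, so a separate "-6 default" line is expected exactly as the article recommends.

```python
"""Audit the 'restrict' lines of an ntp.conf fragment for the hardening
flags recommended above. Added example (not TimeTools' code); the sample
fragment below is constructed from the article's recommended lines."""
from typing import Dict, List, Set, Tuple

# Flags a 'default' restriction should carry: refuse runtime modification,
# mode 6/7 queries, trap registration and unsolicited peer associations.
REQUIRED_DEFAULT_FLAGS = {"nomodify", "noquery", "notrap", "nopeer"}

# Constructed sample: the dual-stack snippet from the article.
SAMPLE_CONF = """\
# Give localhost full access rights (required):
restrict 127.0.0.1 nomodify
# Prevent remote querying IPv4
restrict default limited kod nomodify notrap nopeer noquery
# Give IPv6 localhost full access rights (required):
restrict 0::1 nomodify
# Prevent remote querying IPv6
restrict -6 default limited kod nomodify notrap nopeer noquery
"""


def parse_restrict_lines(conf: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (family, address, flags) for each 'restrict' line.

    family is '4' or '6' from the optional -4/-6 switch; when the switch
    is absent this check assumes '4' (a conservative assumption, so an
    explicit '-6 default' line is required). 'mask x.x.x.x' is consumed
    as an argument rather than read as a flag.
    """
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "4"
        if tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)[1:]
            if not tokens:
                continue
        address = tokens.pop(0)
        flags: Set[str] = set()
        skip_next = False
        for tok in tokens:
            if skip_next:
                skip_next = False
                continue
            if tok == "mask":
                skip_next = True
                continue
            flags.add(tok)
        entries.append((family, address, flags))
    return entries


def audit_defaults(conf: str) -> Dict[str, List[str]]:
    """Per address family, list the required flags missing from the
    'default' restriction; a family with no 'default' line at all
    reports the whole required set."""
    found: Dict[str, Set[str]] = {}
    for family, address, flags in parse_restrict_lines(conf):
        if address == "default":
            found[family] = flags
    return {
        fam: sorted(REQUIRED_DEFAULT_FLAGS - found.get(fam, set()))
        for fam in ("4", "6")
    }


def localhost_allowed(conf: str) -> bool:
    """True when both loopback addresses have their own restrict line,
    which the article marks as required for local management."""
    addrs = {addr for _, addr, _ in parse_restrict_lines(conf)}
    return "127.0.0.1" in addrs and ("::1" in addrs or "0::1" in addrs)


if __name__ == "__main__":
    print("missing default flags:", audit_defaults(SAMPLE_CONF))
    print("loopback lines present:", localhost_allowed(SAMPLE_CONF))
```

Running the script against the article's own fragment reports no missing flags for either family; feeding it a fragment that only has "restrict default kod limited" shows all four control-plane flags missing, which is the state a freshly installed daemon is often left in.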


3. Use NTP Authentication

Use NTP MD5 authentication where possible. NTP authentication uses a shared secret key, configured identically on both client and server, so that each side can verify that a packet came from a holder of that key. It is entirely optional, so devices that do not support it can still obtain time from the NTP server.
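To show what the MD5 authentication described above actually checks, the following added example (not TimeTools' code) builds a 48-byte NTPv4 client header, appends the symmetric-key authenticator from RFC 5905 (a 4-byte key ID followed by MD5 over the shared key concatenated with the header), and verifies it the way a receiving daemon would. The key ID, key string and packet contents are constructed for the example.

```python
"""Build and verify the symmetric-key MD5 authenticator that NTP
authentication appends to each packet. Added example, not TimeTools' code.
Assumes the NTPv4 symmetric-key format (RFC 5905): a 48-byte header
followed by a 4-byte key ID and MD5(key || header). The key table and
packet below are constructed for the example."""
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header, no extension fields
MAC_LEN = 4 + 16         # key ID + MD5 digest

# Constructed key table, shaped like the entries ntpd loads from its keys
# file (key ID -> ASCII key bytes). Not a real deployment key.
KEYS = {1: b"example-shared-key"}


def build_client_header(transmit_ts: int = 0) -> bytes:
    """48-byte NTPv4 client header: LI=0, VN=4, mode=3, poll 6,
    precision -20, all other fields zero except the transmit timestamp
    (64-bit NTP fixed-point, passed here as a raw integer)."""
    first = (0 << 6) | (4 << 3) | 3          # LI | VN | mode = 0x23
    return struct.pack("!BBBbIIIQQQQ", first, 0, 6, -20,
                       0, 0, 0,               # root delay, dispersion, ref id
                       0, 0, 0, transmit_ts)  # ref, origin, receive, transmit


def compute_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """keyid || MD5(key || header): the authenticator ntpd appends."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Sender side: append the authenticator for key_id."""
    return header + compute_mac(key_id, keys[key_id], header)


def verify(packet: bytes, keys=KEYS) -> bool:
    """Receiver side: accept only packets carrying a MAC under a known
    key ID whose digest matches. Unauthenticated packets, unknown key
    IDs and wrong digests are all rejected; the digest comparison is
    constant-time to avoid leaking information through timing."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def demo():
    """Exercise the happy path, a tampered timestamp, and a bare header."""
    good = authenticate(build_client_header(0x1234), 1)
    tampered = bytearray(good)
    tampered[40] ^= 1                         # flip a bit in transmit ts
    return verify(good), verify(bytes(tampered)), verify(good[:HEADER_LEN])


if __name__ == "__main__":
    print("valid, tampered, unauthenticated:", demo())
```

The design point is in verify(): a daemon configured to require authentication rejects anything without a matching MAC, so the shared key must reach each client out of band and the keys file must be readable only by the daemon, or the check adds nothing.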


4. Disable Protocols

Disable all unnecessary protocols. Once an NTP server has been configured, many protocols can be disabled.

For very sensitive installations, consider disabling all network management protocols: HTTPS, HTTP, SSH, FTP and Telnet. Then monitor the device using an RS232 serial console hardware connection to a local PC.

SNMP traps or remote syslogging can also be used for monitoring, if available.

Protocols can be disabled from the device's "Network" configuration web page.


5. Use RS232 Serial Console Port For Configuration and Monitoring

The RS232 Serial Console Port allows the NTP server to be monitored or configured via a physical RS232 serial link to a local PC running a dumb terminal emulator. Using the console port for monitoring and configuration requires physical access to the device and is considered more secure than network protocols.

[Figure: Securing an NTP server using an RS232 serial connection]

6. Isolate and Protect Network

Isolate the network on which the NTP server is installed from the Internet, or place it behind a firewall.

About Andrew Shinton

Andrew Shinton is the joint founder and Managing Director of TimeTools Limited. He has a BSc (Hons) degree in Computer Science. Andrew has over 20 years' experience of GPS systems and Network Time Protocol (NTP) in the Time and Frequency Industry.