There are a number of simple steps that can be taken to improve the security of an NTP server.
1. Change Default Password
The NTP appliance is shipped with a default password. Change it as soon as the device is installed to a long, unique passphrase. Keep the password secret and share it only with the network administrators who need it.
2. Apply NTP Daemon Restrictions
Apply default restrictions to the NTP daemon to prevent misuse by hosts on your LAN. The flags below stop remote hosts from modifying NTP settings at runtime, querying the daemon's state with ntpq or ntpdc (mode 6 and mode 7 control messages), setting control-message traps, and forming peer associations. They do not affect ordinary time requests (mode 3), so clients can still synchronise.
The following lines can be added to the "NTP Additional Configuration File" on the device's "NTP" configuration web page.
For IPv4-only devices (e.g. TimeTools SR series NTP servers) add the following restrictions:
#-------------------------------------------------
# Allow localhost to query the daemon, but not to modify it at runtime (required):
restrict 127.0.0.1 nomodify
# Prevent remote modification, querying, traps and peering over IPv4:
restrict default limited kod nomodify notrap nopeer noquery
#-------------------------------------------------
For IPv4 and IPv6 enabled devices (e.g. TimeTools T-series NTP servers) add the following restrictions:
#-------------------------------------------------
# Allow localhost to query the daemon, but not to modify it at runtime (required):
restrict 127.0.0.1 nomodify
# Prevent remote modification, querying, traps and peering over IPv4:
restrict default limited kod nomodify notrap nopeer noquery
# Allow IPv6 localhost to query the daemon, but not to modify it at runtime (required):
restrict 0::1 nomodify
# Prevent remote modification, querying, traps and peering over IPv6:
restrict -6 default limited kod nomodify notrap nopeer noquery
#-------------------------------------------------
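As an added example (Python, written for this page and not code from the original article or from TimeTools), the following renders the restrict policy above as a config fragment and audits an existing ntp.conf for the gaps that policy closes: a missing or weak default restriction, `kod` without `limited` (the KoD packet is only sent to rate-limited clients), and per-host entries that leave runtime modification open. The function names, the constructed weak config, and the `ipv6` switch (for ntpd builds where an unqualified `restrict default` covers IPv4 only, as the T-series example assumes) are assumptions of this example.

```python
"""Render the article's 'restrict' policy and audit an ntp.conf for the
weaknesses that policy addresses.

Added example, not code from the original article or from TimeTools.
Assumes the classic ntpd restrict syntax:
    restrict [-4|-6] <target> [mask <netmask>] [flags...]
The ipv6 parameter of audit_restrict() is for ntpd builds where an
unqualified 'restrict default' covers IPv4 only (the article's T-series
example adds a separate '-6 default' line for that reason).
"""

REQUIRED_DEFAULT_FLAGS = {"limited", "kod", "nomodify", "notrap", "nopeer", "noquery"}
LOOPBACK = {"127.0.0.1", "::1", "0::1"}


def render_restrictions(ipv6=False):
    """Return the restrict lines from the article as a config fragment."""
    lines = [
        "# Allow localhost to query the daemon, but not to modify it at runtime:",
        "restrict 127.0.0.1 nomodify",
        "# Deny remote modification, ntpq/ntpdc queries, traps and peering:",
        "restrict default limited kod nomodify notrap nopeer noquery",
    ]
    if ipv6:
        lines += [
            "restrict ::1 nomodify",
            "restrict -6 default limited kod nomodify notrap nopeer noquery",
        ]
    return "\n".join(lines) + "\n"


def audit_restrict(conf_text, ipv6=False):
    """Return a list of findings for the restrict lines in conf_text.

    An empty list means the default policy matches the article's and no
    remote host is granted runtime modification rights."""
    findings = []
    defaults = {}                      # family -> flags on its 'restrict default'
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "ipv4"
        if tokens and tokens[0] in ("-4", "-6"):
            family = "ipv6" if tokens.pop(0) == "-6" else "ipv4"
        if not tokens:
            findings.append(f"malformed line: {raw.strip()}")
            continue
        target = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":    # 'restrict A mask M flags'
            target = f"{target}/{tokens[1]}"
            tokens = tokens[2:]
        flags = set(tokens)
        if target == "default":
            defaults[family] = flags
            missing = REQUIRED_DEFAULT_FLAGS - flags
            if missing:
                findings.append(f"{family} default restriction lacks: {' '.join(sorted(missing))}")
            if "kod" in flags and "limited" not in flags:
                findings.append(f"{family} default: 'kod' only acts on rate-limited clients, so it needs 'limited'")
        elif target not in LOOPBACK and "nomodify" not in flags:
            findings.append(f"{target} may modify the daemon at runtime (add nomodify)")
    for family in (("ipv4", "ipv6") if ipv6 else ("ipv4",)):
        if family not in defaults:
            findings.append(f"{family}: no default restriction, every {family} host is fully trusted")
    return findings


if __name__ == "__main__":
    print(render_restrictions(ipv6=True))
    weak = "restrict default kod nomodify\nrestrict 192.0.2.5\n"   # constructed weak config
    for finding in audit_restrict(weak, ipv6=True):
        print("FINDING:", finding)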
3. Use NTP Authentication
Use NTP symmetric-key authentication where possible (MD5 on most devices, SHA-1 where supported). Authentication does not encrypt the packet: client and server share a secret key, and each packet carries a key ID and a message digest computed over the secret and the packet, which the receiver recomputes and compares. A packet whose digest does not match is discarded. Authentication is optional on the server, so devices that do not support it can still obtain time; if every client must authenticate, add the notrust flag to the default restriction so that the server refuses unauthenticated packets.
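The keyed-digest check described above, together with a small probe for confirming that the restrictions from step 2 took effect, as an added example in Python (not code from the original article or from TimeTools). It builds an NTP v4 client request, appends the key ID and MD5 or SHA-1 digest over the shared secret and the 48-byte header, verifies it server-side against a set of trusted key IDs, and then sends an ordinary time request and an ntpq-style mode 6 `readvar` query to a server: one restricted as above answers the first and silently drops the second. The function names and the sample key line are this example's own; it assumes packets without extension fields, ASCII key secrets, and that `probe()` is pointed at a server you are permitted to test.

```python
"""NTP symmetric-key authentication and a remote restriction probe.

Added example, not code from the original article or from TimeTools.
Assumptions: packets carry no extension fields, so the MAC follows the
48-byte header directly; secrets in the ntp.keys text are plain ASCII;
probe() is aimed at a host reachable on UDP/123 that you may test.
"""
import hashlib
import hmac
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800              # seconds from 1900-01-01 to 1970-01-01
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
HEADER = struct.Struct("!BBBb11I")         # 48-byte NTP header (RFC 5905)


def parse_keys_file(text):
    """Parse ntp.keys-style lines '<keyid> <type> <secret>' into {keyid: (type, secret)}."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keyid, ktype, secret = line.split(None, 2)
            keys[int(keyid)] = (ktype.upper(), secret.encode())
    return keys


def build_client_request(transmit_time=None):
    """Unauthenticated NTP v4 client request (LI=0, VN=4, mode=3) with only the transmit timestamp set."""
    if transmit_time is None:
        transmit_time = time.time()
    secs = int(transmit_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_time - int(transmit_time)) * (1 << 32))
    return HEADER.pack(0x23, 0, 0, 0, *([0] * 9), secs, frac)


def append_mac(packet, keyid, keys):
    """Client side: append keyid + digest(secret || packet). A keyed hash, not encryption."""
    ktype, secret = keys[keyid]
    digest = DIGESTS[ktype](secret + packet).digest()
    return packet + struct.pack("!I", keyid) + digest


def verify_mac(packet, keys, trusted_keyids):
    """Server side: return the key ID if a MAC is present, valid and trusted, else None.

    Unauthenticated packets return None; that is the case 'restrict ... notrust' rejects."""
    if len(packet) < HEADER.size + 4 + 16:
        return None
    header, rest = packet[:HEADER.size], packet[HEADER.size:]
    keyid = struct.unpack("!I", rest[:4])[0]
    mac = rest[4:]
    if keyid not in keys or keyid not in trusted_keyids:
        return None
    ktype, secret = keys[keyid]
    expected = DIGESTS[ktype](secret + header).digest()
    return keyid if hmac.compare_digest(expected, mac) else None


def parse_server_reply(data):
    """Return (stratum, transmit time as Unix seconds) from a reply header."""
    fields = HEADER.unpack(data[:HEADER.size])
    stratum, tx_secs, tx_frac = fields[1], fields[-2], fields[-1]
    return stratum, tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32)


def build_control_readvar(sequence=1):
    """Mode 6 'readvar' query as ntpq sends it; 'noquery' makes the server drop it silently."""
    # LI=0, VN=2, mode=6; opcode 2 = READVAR; status, association id, offset, count = 0
    return struct.pack("!BBHHHHH", 0x16, 0x02, sequence, 0, 0, 0, 0)


def probe(host, port=123, timeout=2.0):
    """Send a time request and a control query; return {name: reply bytes or None}.

    A correctly restricted server answers 'time' and times out on 'control'."""
    results = {}
    for name, pkt in (("time", build_client_request()), ("control", build_control_readvar())):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(pkt, (host, port))
            try:
                results[name] = sock.recvfrom(1024)[0]
            except socket.timeout:
                results[name] = None
    return results


if __name__ == "__main__":
    import sys
    keys = parse_keys_file("1 MD5 s3cretKey   # constructed sample key, not a real one\n")
    signed = append_mac(build_client_request(), 1, keys)
    print("MAC verifies:", verify_mac(signed, keys, {1}) == 1)
    if len(sys.argv) > 1:                  # optional: probe a server given on the command line
        for name, reply in probe(sys.argv[1]).items():
            print(name, "answered" if reply else "no reply (blocked or timed out)")
```

Run it with the server's address as the first argument: on a device configured as in step 2 the time request is answered (feed the reply to `parse_server_reply()` to see its stratum and timestamp) while the control query gets no reply, which is exactly the effect `noquery` is meant to have.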
4. Disable Protocols
Disable all unnecessary protocols. Once an NTP server has been configured, most of its management protocols can be disabled. Telnet, FTP and plain HTTP carry credentials in clear text, so disable those first even where SSH and HTTPS are kept.
For very sensitive installations, consider disabling all management protocols (HTTPS, HTTP, SSH, FTP and Telnet) and monitoring the device over an RS232 serial console connection to a local PC.
SNMP traps or remote syslog can also be used for monitoring, if available.
Protocols can be disabled from the device's "Network" configuration web page.
5. Use RS232 Serial Console Port For Configuration and Monitoring
The RS232 serial console port allows the NTP server to be monitored or configured over a physical serial link to a local PC running a terminal emulator. Using the console port requires physical access to the device, so it is considered more secure than the network protocols.
6. Isolate and Protect Network
Isolate the network on which the NTP server is installed from the Internet, or place the server behind a firewall that allows inbound UDP port 123 only from the clients that need time and blocks the management ports (HTTP/HTTPS, SSH, Telnet, FTP, SNMP) from untrusted networks.
About Andrew Shinton
Andrew Shinton is the joint founder and Managing Director of TimeTools Limited. He has a BSc (Hons) degree in Computer Science. Andrew has over 20 years' experience of GPS systems and Network Time Protocol (NTP) in the Time and Frequency Industry.