Closed jvoisin closed 2 months ago
hey @jvoisin,
Not sure if this can be configured in the daemon / config file. Do you have any insights?
If you don't need the NTP to give local time I suppose you can set it to client mode which starts and exits and it's unable to expose anything. Querying from trusted LAN may be what it is when wanting to provide time to LAN.
Cheers, Franco
> Not sure if this can be configured in the daemon / config file. Do you have any insights?

I don't know :/

> If you don't need the NTP to give local time I suppose you can set it to client mode which starts and exits and it's unable to expose anything. Querying from trusted LAN may be what it is when wanting to provide time to LAN.

Sure, I can disable ntp, but I thought it might be good to change this behaviour, since OPNSense is kinda a security-oriented product :)
It's not disabling it. The client mode exits after setting the time so that it can not be queried.
Changing the default to client mode is a possibility, but changing existing installs is tricky because we don't know who relies on the NTP server running in their network.
Cheers, Franco
I meant "disabling the information leakage", not the ntpd :)
Well, you can disable this with `noquery` - see Access restrictions - Disable ntpq and ntpdc queries.

Will break things that use `ntpq` - such as the status page. "Statistics unavailable because ntpq and ntpdc queries are disabled in the NTP service settings." Probably could be fixed with not adding `restrict noquery` for `127.0.0.1` and `::1`.

Don't even need `nmap` to test this, `ntpq -c rv 127.0.0.1` "leaks" the same info.
You can check / test with https://github.com/opnsense/core/pull/7830.

Note: the indentation of `status_ntpd.php` is bad because it was already bad in the original file. Fixing it makes loads of irrelevant changes in the commit.
Looks like success to me. With that Disable ntpq and ntpdc queries field checked and Save to apply the config:

```
# grep restrict /var/etc/ntpd.conf
restrict source kod limited nomodify noquery notrap
restrict default kod limited nomodify noquery notrap nopeer
restrict -6 default kod limited nomodify noquery notrap nopeer
restrict 127.0.0.1 kod limited nomodify notrap nopeer
restrict ::1 kod limited nomodify notrap nopeer
# ntpq -c rv 127.0.0.1
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.8p18@1.4062-o Thu Aug 8 00:32:10 UTC 2024 (1)",
processor="amd64", system="FreeBSD/14.1-RELEASE-p3", leap=00, stratum=5,
precision=-21, rootdelay=55.503, rootdisp=271.973, refid=126.195.87.175,
reftime=ea7ea512.eca8ab94 Sun, Sep 1 2024 10:32:18.924,
clock=ea7ea593.e3a44086 Sun, Sep 1 2024 10:34:27.889, peer=3296, tc=6,
mintc=3, offset=-0.285238, frequency=+15.517, sys_jitter=0.245637,
clk_jitter=0.261, clk_wander=0.000
# ntpq -c rv 192.168.0.254
192.168.0.254: timed out, nothing received
***Request timed out
```

Remotely from another box:

```
# nmap -sU -p 123 --script ntp-info 192.168.0.254
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-01 10:35 CEST
Nmap scan report for gw.example.com (192.168.0.254)
Host is up (0.00060s latency).
PORT STATE SERVICE
123/udp open ntp
MAC Address: 00:0D:B9:xx:xx:xx (PC Engines GmbH)
Nmap done: 1 IP address (1 host up) scanned in 20.32 seconds
```
Network Time - Status page still working even with noquery enabled.
Now, do NOT ask me how to migrate the existing config for people who changed the defaults before with the triple-inverted "logic" in the relevant code. Someone else, please. My brain hurts.
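The restrict layout shown above (noquery on source/default/-6 default, queries still allowed on loopback so the status page keeps working) can be audited automatically. The following is an added example, not OPNsense code or part of the PR; it parses a constructed ntpd.conf sample modelled on the grep output above and reports any scope where mode-6 queries would still answer from the network or where loopback has been locked out.

```python
"""Audit ntpd.conf 'restrict' lines for NTP control-query (ntpq/ntpdc) exposure.

Added example, not OPNsense code. Rule checked: every non-loopback restrict
scope must carry 'noquery' (so ntpq -c rv and nmap ntp-info get nothing from
the LAN), while 127.0.0.1 and ::1 must NOT carry it (so the local status page
can still query the daemon).
"""

# Constructed sample, modelled on the 'grep restrict /var/etc/ntpd.conf' output above.
SAMPLE_CONF = """\
server 0.pool.ntp.org iburst
restrict source kod limited nomodify noquery notrap
restrict default kod limited nomodify noquery notrap nopeer
restrict -6 default kod limited nomodify noquery notrap nopeer
restrict 127.0.0.1 kod limited nomodify notrap nopeer
restrict ::1 kod limited nomodify notrap nopeer
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_restrict(conf: str) -> dict[str, set[str]]:
    """Map each restrict scope ('default', '-6 default', 'source', an address) to its flag set."""
    scopes: dict[str, set[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):                 # optional address-family selector
            scope, flags = " ".join(tokens[:2]), tokens[2:]
        else:
            scope, flags = tokens[0], tokens[1:]
        if flags[:1] == ["mask"] and len(flags) >= 2:  # 'restrict A.B.C.D mask M.M.M.M ...'
            scope, flags = f"{scope} mask {flags[1]}", flags[2:]
        scopes[scope] = set(flags)
    return scopes


def audit(conf: str) -> list[str]:
    """Return findings; an empty list means the config matches the hardened layout above."""
    findings = []
    scopes = parse_restrict(conf)
    for required in ("default", "-6 default"):
        if required not in scopes:
            findings.append(f"missing 'restrict {required}': unlisted clients are unrestricted")
    for scope, flags in scopes.items():
        addr = scope.split()[-1] if "mask" not in scope else scope.split()[0]
        if addr in LOOPBACK and "noquery" in flags:
            findings.append(f"{scope}: noquery on loopback breaks local ntpq (status page)")
        elif addr not in LOOPBACK and "noquery" not in flags:
            findings.append(f"{scope}: queries allowed; 'ntpq -c rv' would expose version/OS/CPU")
    return findings
```

Run `audit(open("/var/etc/ntpd.conf").read())` on a box to get the findings list; the assumed path is the one quoted in the thread.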
It would be nice if the `ntp` service would refrain from giving its exact version, on what CPU it's running, as well as the operating system and its exact version. I'd rather have guests on my LAN have to put in a bit more effort in order to see if I'm running outdated/exploitable software.