opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

ntp is leaking a lot of information about the underlying system by default #195

Open jvoisin opened 2 months ago

jvoisin commented 2 months ago

It would be nice if the ntp service would refrain from giving its exact version, what CPU it's running on, as well as the operating system and its exact version. I'd rather have guests on my LAN have to make a bit more effort in order to see if I'm running outdated/exploitable software.

$ nmap -sU -p 123 --script ntp-info 192.168.0.1
Starting Nmap 7.95 ( https://nmap.org ) at 2024-05-20 15:30 CEST
Nmap scan report for sw1 (192.168.0.1)
Host is up (0.0028s latency).

PORT    STATE SERVICE
123/udp open  ntp
| ntp-info: 
|   version: ntpd 4.2.8p17@1.4004-o Tue Mar  5 15:52:47 UTC 2024 (1)
|   processor: amd64
|   system: FreeBSD/13.2-RELEASE-p11
|   leap: 0
|   stratum: 2
|   precision: -22
|   rootdelay: 20.066
|   rootdisp: 18.457
|   refid: 82.64.45.50
|   reftime: 0xe9f5cdb3.cfd11539
|   clock: 0xe9f5cefe.b018e335
|   peer: 29464
|   tc: 8
|   mintc: 3
|   offset: -0.506465
|   frequency: -37.416
|   sys_jitter: 0.246470
|   clk_jitter: 0.241
|_  clk_wander: 0.038\x0D
Service Info: OS: FreeBSD/13.2-RELEASE-p11

Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds
$

fichtner commented 2 months ago

hey @jvoisin,

Not sure if this can be configured in the daemon / config file. Do you have any insights?

If you don't need the NTP to give local time I suppose you can set it to client mode which starts and exits and it's unable to expose anything. Querying from trusted LAN may be what it is when wanting to provide time to LAN.

Cheers, Franco

jvoisin commented 2 months ago

> Not sure if this can be configured in the daemon / config file. Do you have any insights?

I don't know :/

> If you don't need the NTP to give local time I suppose you can set it to client mode which starts and exits and it's unable to expose anything. Querying from trusted LAN may be what it is when wanting to provide time to LAN.

Sure, I can disable ntp, but I thought it might be good to change this behaviour, since OPNsense is kinda a security-oriented product :)

fichtner commented 2 months ago

It's not disabling it. The client mode exits after setting the time so that it cannot be queried.

Changing the default to client mode is a possibility, but changing existing installs is tricky because we don't know who relies on the NTP server running in their network.

Cheers, Franco

jvoisin commented 2 months ago

I meant "disabling the information leakage", not the ntpd :)
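The question left open above (whether the daemon itself can be told to stop answering these queries) has a standard answer in plain ntpd configuration: the fields nmap's ntp-info script prints come from mode 6 "readvar" control queries, and ntpd's `restrict ... noquery` flag refuses those while still serving ordinary time requests. The fragment below is an added example in generic ntp.conf syntax, not the OPNsense project's own generated configuration or anything from this thread; the server hostname is a placeholder and how OPNsense renders its ntpd config is an assumption not covered here.

```conf
# Added example, not OPNsense project code. Generic ntp.conf "restrict" policy
# that keeps serving time to the LAN but refuses the mode 6/7 control queries
# (ntpq readvar) that expose the version, processor and system strings.

# Weak: with an unrestricted default, any host that can reach UDP/123 may run
# ntpq-style queries and read the daemon's system variables.
# restrict default

# Hardened: time service only. noquery blocks readvar/ntpq, nomodify blocks
# runtime changes, notrap disables the trap service, nopeer refuses unsolicited
# symmetric peering.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# Keep full ntpq access from the host itself so local troubleshooting still works.
restrict 127.0.0.1
restrict -6 ::1

# Upstream time source (placeholder hostname, not a real server).
server time.example.net iburst
```

With this policy in place the ntp-info scan from the first comment gets no readvar answer at all, so the version, processor and system lines disappear while LAN clients still synchronise normally. If a dedicated monitoring host needs `ntpq -p`, give it its own `restrict <address>` line without `noquery` rather than loosening the default; and after changing the file, re-run the same nmap command against the firewall to confirm the fields are gone.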