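To address the open NTP server problem and help deal with computers or IT equipment on campus that, through careless configuration, could be exploited by attackers to launch network attacks, our division has built an open NTP server detection system. The detection results are provided to each unit's network administrator, who can pass them on to users so that they can follow the recommended practices to correct their settings and check for themselves whether the problem is resolved, thereby reducing the number of open NTP servers on the campus network.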
No. | Unit | IP address | Detection time | Remarks
---|---|---|---|---

Total: 0 records
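So that campus users can check for themselves whether their computer or network device has the open NTP server problem, this real-time checking service has been set up. At present, checks can only be run from campus IP addresses. (Launched for trial use on 2019/05/14)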
```
Check open ntp for the target IP 140.114.XX.XX
Time: Tue May 14 15:06:28 2019
check_open_ntp: 140.114.XX.XX
check open ntp server with (140.114.XX.XX,,)
Command: (/sbin/ntpq -c rv 140.114.XX.XX; /sbin/ntpdc -n -c monlist 140.114.XX.XX)
STDOUT: 6
associd=0 status=062c leap_none, sync_ntp, 2 events, clock_step,
version="4", processor="unknown", system="UNIX", leap=00, stratum=3,
precision=-10, rootdelay=, rootdisp=, refid=118.163.81.61,
reftime=e084df98.d4395a58 Tue, May 14 2019 14:32:56.829,
clock=e084e775.028f5c30 Tue, May 14 2019 15:06:29.010, peer=39323, tc=10,
mintc=3, offset=, frequency=, sys_jitter=, clk_jitter=, clk_wander=
STDERR: 1
140.114.XX.XX: timed out, nothing received
***Request timed out
Is 140.114.XX.XX an open ntp server?
ANSWER: YES for 140.114.XX.XX
```
```
Check open ntp for the target IP 140.114.63.253
Time: Tue May 14 15:11:28 2019
check_open_ntp: 140.114.63.253
check open ntp server with (140.114.63.253,,)
Command: (/sbin/ntpq -c rv 140.114.63.253; /sbin/ntpdc -n -c monlist 140.114.63.253)
STDOUT: -1
STDERR: 3
140.114.63.253: timed out, nothing received
***Request timed out
140.114.63.253: timed out, nothing received
***Request timed out
Is 140.114.63.253 an open ntp server?
ANSWER: NO for 140.114.63.253
```
```
restrict default ignore
restrict 140.114.0.0 mask 255.255.0.0 nomodify notrap
```
```
# /sbin/ntpq -c rv 140.114.xx.xx
140.114.xx.xx: timed out, nothing received
***Request timed out
```
```
restrict default ignore
server 140.114.63.1
restrict 140.114.63.1 mask 255.255.255.255 nomodify noquery notrap
server 140.114.64.1
restrict 140.114.64.1 mask 255.255.255.255 nomodify noquery notrap
restrict 127.0.0.1 nomodify notrap
```
```
# ntpq -c peers 127.0.0.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*140.114.64.1    216.239.35.0     2 u  124  256  377    0.181    1.043   0.400
+140.114.63.1    140.114.63.132   3 u   52  256  377    0.141    0.881   0.220
```
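As an added example (not part of the original page or of the detection system's own code), the Python below evaluates the `restrict` lines of an ntp.conf the way ntpd does, with the most specific matching entry winning, and reports whether an ntpq/ntpdc query from a given source address would be answered. `SERVER_CONF` and `CLIENT_CONF` copy the two configurations shown above; `WEAK_CONF`, the function names, and the source addresses 203.0.113.7 and 140.114.1.2 are constructed for illustration, and only IPv4 literal addresses are handled.

```python
import ipaddress

# The two ntp.conf fragments shown on this page, plus one constructed weak config.
SERVER_CONF = """restrict default ignore
restrict 140.114.0.0 mask 255.255.0.0 nomodify notrap
"""
CLIENT_CONF = """restrict default ignore
server 140.114.63.1
restrict 140.114.63.1 mask 255.255.255.255 nomodify noquery notrap
server 140.114.64.1
restrict 140.114.64.1 mask 255.255.255.255 nomodify noquery notrap
restrict 127.0.0.1 nomodify notrap
"""
WEAK_CONF = "restrict default nomodify notrap\n"  # constructed: no ignore/noquery

def parse_restrict(conf_text):
    """Return [(network, flags)] for the IPv4 'restrict' lines of an ntp.conf."""
    rules = []
    for raw in conf_text.splitlines():
        tok = [t for t in raw.split("#", 1)[0].split() if t != "-4"]
        if len(tok) < 2 or tok[0] != "restrict" or "-6" in tok:
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0"
        else:
            mask = "255.255.255.255"      # ntpd's default when 'mask' is omitted
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:                # hostname, IPv6 or 'source': out of scope
            continue
        rules.append((net, set(rest)))
    return rules

def answers_queries(conf_text, src_ip):
    """True if ntpd with this config would answer ntpq/ntpdc queries from src_ip."""
    src = ipaddress.ip_address(src_ip)
    matches = [(n, f) for n, f in parse_restrict(conf_text) if src in n]
    if not matches:
        return True                       # no entry matches: nothing is restricted
    _, flags = max(matches, key=lambda m: m[0].prefixlen)
    return not (flags & {"ignore", "noquery"})

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF), ("weak", WEAK_CONF)):
        print(name, {ip: answers_queries(conf, ip) for ip in ("203.0.113.7", "140.114.1.2")})
```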
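Some network devices (e.g. wireless gateways, home NAT routers, or routers) may themselves have the open NTP server problem, and need either an appropriate configuration change or a firewall rule to handle it. Because there are so many types of network device, if you know how a particular device should be handled, you are welcome to send the device's brand, model, software (firmware) version, and screenshots of its configuration steps to mucheng cc.nthu.edu.tw, so that they can be added to the pages below for everyone's benefit. For format and wording, please follow the example below. Thank you!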
```
SW#conf t
SW(config)#ip access-list standard 98
SW(config-std-nacl)# deny any
SW(config)#ip access-list standard 99
SW(config-std-nacl)# permit host 140.114.63.1
SW(config-std-nacl)# permit host 140.114.64.1
SW(config-std-nacl)# deny any
SW(config)#exit
SW(config)#ntp server 140.114.64.1
SW(config)#ntp server 140.114.63.1
SW(config)#ntp access-group peer 99
SW(config)#ntp access-group serve 98
SW(config)#ntp access-group query-only 98
SW(config)#end
SW#wr
```
```
SW#sh ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
+~140.114.64.1     140.114.63.132    3   169  1024  377     0.8   -0.01     0.1
*~140.114.63.1     140.114.63.132    3    21  1024  377     0.5   -0.34     0.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
```