ntp available on vrouter interface

Asked by AlexV

The NTP server running on the control nodes is exposed through the vrouter interface. Is this deliberate? Since it's exposed, and the monitor option isn't disabled, it can be, and it actually is, used for an amplification attack.

I've disabled it by changing the configuration in ntp.conf, but maybe it's a better solution to just prevent ntp from listening on all interfaces?

Question information

Language: English
Status: Expired
For: Fuel for OpenStack
Assignee: No assignee
AlexV (alexver) said :
#1

root@node-1:~# ip netns exec vrouter netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.1.202.1:domain *:* LISTEN
udp 0 0 *:3780 *:*
udp 0 0 *:45980 *:*
udp 0 0 10.1.202.1:domain *:*
udp 0 0 240.1.0.3:ntp *:*
udp 0 0 10.1.202.1:ntp *:*
udp 0 0 X.X.X.X:ntp *:*
udp 0 0 240.0.0.6:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 364476 /var/run/conntrackd.ctl
unix 2 [ ] DGRAM 325364
root@node-1:~# ip netns exec vrouter iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

alex@rMBP ~ ntpdc -n -c monlist XXX
remote address port local address count m ver rstr avgint lstint
===============================================================================
10.1.202.4 123 10.1.202.1 4164 3 4 0 917 44
194.171.167.130 123 185.64.137.1 4056 4 4 0 941 208
10.1.202.5 123 10.1.202.1 4335 3 4 0 881 287
10.1.202.6 123 10.1.202.1 4275 3 4 0 893 464
84.29.91.205 53335 185.64.137.1 4 3 4 0 274 635
192.87.106.2 123 185.64.137.1 4065 4 4 0 939 785
217.77.132.1 123 185.64.137.1 4064 4 4 0 940 786
10.1.202.7 123 10.1.202.1 4350 3 4 0 878 1026
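As an added example (not code from the question, the answer, or the Fuel project), the following Python script audits an ntp.conf for the three settings the question touches on: whether the monitor feature is disabled, whether the default restrict line carries noquery, and whether ntpd is told which interfaces to bind instead of opening the wildcard socket that shows up as *:ntp in the netstat listing above. Both configurations in the script are constructed for illustration; the 10.1.202.1 address is the one from the netstat output. The interface lines assume the ntpd 4.2.7+ "interface ignore | listen" rule syntax (last matching rule wins); after applying such a change, re-running ip netns exec vrouter netstat -a as in the post is the check that the wildcard socket is actually gone.

```python
"""Audit an ntp.conf for the settings behind a monlist exposure.

Three checks, each tied to one symptom in the post:
  * 'disable monitor'              -> ntpd keeps no MRU list, so monlist has nothing to return
  * 'restrict default ... noquery' -> mode 6/7 queries (ntpdc/ntpq, incl. monlist) refused by default
  * 'interface ignore' + 'listen'  -> no *:ntp wildcard socket; ntpd bound only where intended
"""

# Constructed sample: a permissive ntp.conf of the kind that produces the
# '*:ntp' socket and a monlist answer for any remote source.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 10.1.202.4 iburst
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample: the same file with all three mitigations applied.
# 10.1.202.1 is the address seen in the netstat output; the interface rule
# syntax assumes ntpd 4.2.7 or later, where the last matching rule wins.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 10.1.202.4 iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
interface ignore all
interface listen 127.0.0.1
interface listen 10.1.202.1
"""


def parse_directives(conf_text):
    """Split ntp.conf text into (keyword, [args]) tuples, dropping comments and blanks."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.append((parts[0].lower(), [p.lower() for p in parts[1:]]))
    return directives


def audit_ntp_conf(conf_text):
    """Return a list of findings; an empty list means all three checks pass."""
    directives = parse_directives(conf_text)
    findings = []

    # Check 1: the MRU list that monlist dumps is only kept while 'monitor' is enabled.
    if not any(kw == "disable" and "monitor" in args for kw, args in directives):
        findings.append("monitor enabled: add 'disable monitor'")

    # Check 2: every 'restrict default' line (IPv4 and any '-6 default' line) must
    # carry 'noquery' so unsolicited control queries are refused.
    default_lines = [args for kw, args in directives
                     if kw == "restrict" and "default" in args]
    if not default_lines:
        findings.append("no 'restrict default' line: add "
                        "'restrict default kod nomodify notrap nopeer noquery'")
    elif not all("noquery" in args for args in default_lines):
        findings.append("'restrict default' without noquery: monlist answered for any source")

    # Check 3: without an ignore rule ntpd opens the wildcard socket (*:ntp in netstat)
    # and every address it finds; an explicit listen list must follow the ignore rule.
    ignores = any(kw == "interface" and args[:1] == ["ignore"]
                  and args[1:2] in (["all"], ["wildcard"])
                  for kw, args in directives)
    listens = [args[1] for kw, args in directives
               if kw == "interface" and len(args) >= 2 and args[0] == "listen"]
    if not (ignores and listens):
        findings.append("ntpd binds all interfaces: add 'interface ignore all' "
                        "followed by 'interface listen <address-or-ifname>' lines")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

The restrict check alone would already stop monlist (noquery refuses the query before the MRU list matters), but the audit reports all three because they fail independently: disable monitor removes the amplifying payload, noquery removes the reachable query surface, and the interface rules remove the socket from the vrouter namespace altogether, which is the option the question asks about.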

Launchpad Janitor (janitor) said :
#2

This question was expired because it remained in the 'Open' state without activity for the last 15 days.