Check if NTP is vulnerable
There are a lot of NTP reflection attacks currently being launched, it is therefore vital that you check if you version of NTP is vulnerable.
Run xnpdc as root:
xntpdc> host <Your server name>
current host set to XXXX
***Server reports data not found
The monlist command should not return any results. You can also launch it directly from the command-line as follows:
# xntpdc -c monlist <IP_Address>
If you have any questions about the configuration of the “/etc/ntp.conf” file you can consult the sample files provided as standard by AIX in the “/usr/samples/xntp” directory:
If you are using AIX 7.1 you should already have NTPv4 installed, otherwise if you are running AIX 6.1 TL6 (or later) you can download the packages from the “AIX Web Download Pack Programs” site.
NTP4 Install images v126.96.36.199 for AIX 7.1
ntp4-188.8.131.52.tar (1.45 MB)
README-184.108.40.206.txt (317 B)
NTP4 Install images v220.127.116.11 for AIX 6.1
ntp4-18.104.22.168.tar (1.45 MB)
README-22.214.171.124.txt (317 B)
It is a good idea to install this version because even the standard version of NTPv4 on AIX 7.1 is affected by following vulnerabilities:
CVE-2014-9293: Weak default key
CVE-2014-9294: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys
CVE-2014-9295: Buffer overflow
NTP4-126.96.36.199 for AIX 6.1 contains the fix for the above vulnerabilities.
To restrict the hosts that NTP will respond to edit the “/etc/ntp.conf” file:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
You can also further harden your NTP daemon by installing keys:
To use the authentication key file /etc/ntp.new.keys when restart the xntpd daemon, as follows:
# /usr/sbin/xntpd -k /etc/ntp.new.keys
The keys are stored in “/etc/ntp.keys” and the daemon will ignore requests from anyone who does not use this key.
If you are using NTPv3 the xntpd executable does not exist.
You can check or switch between NTP versions by manipulating the symbolic-links:
$ ls -ld /usr/sbin/ntp*
drwxr-xr-x 2 root system 256 Dec 15 18:06 /usr/sbin/ntp3
lrwxrwxrwx 1 root system 22 Dec 15 18:06 /usr/sbin/ntpdate -> /usr/sbin/ntp3/ntpdate
lrwxrwxrwx 1 root system 19 Dec 15 18:06 /usr/sbin/ntpq -> /usr/sbin/ntp3/ntpq
lrwxrwxrwx 1 root system 23 Dec 15 18:06 /usr/sbin/ntptrace -> /usr/sbin/ntp3/ntptrace