2.2.3 Restrict NTP server to loopback interface

Information

The Apple System Preferences setting "Set date and time automatically" enables two things at once: an NTP client that synchronizes the clock from the configured time server(s), and an NTP server that listens on UDP port 123 and answers any host that can reach that port. That open listener exposes the machine to any future ntpd vulnerability and gives an attacker an additional open port to fingerprint the system before selecting an exploit, so access to it should be restricted. Adding the following directives to /etc/ntp-restrict.conf confines ntpd to the loopback interface and blocks external access:

restrict lo
interface ignore wildcard
interface listen lo

Mobile workstations on untrusted networks in particular should not expose listening services to other nodes on the network.

Solution

Perform the following to implement the prescribed state:

Run the following command in Terminal:

sudo vim /etc/ntp-restrict.conf

Add the following lines to the file:

restrict lo
interface ignore wildcard
interface listen lo
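The manual edit above can be scripted so that it is idempotent across repeated hardening runs and so that the result can be audited. The shell functions below are an added example, not part of the CIS benchmark or the Tenable audit. They assume the target file is passed as an argument (so they can be exercised on a scratch copy rather than /etc/ntp-restrict.conf directly), that the three directive lines are exactly the ones the benchmark prescribes, and that the listener check is fed macOS netstat output in its usual Proto/Recv-Q/Send-Q/Local-Address column layout; the netstat lines in the demo are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the Tenable audit): apply the
# loopback-only NTP directives idempotently and audit the result.
# Assumptions: the target file is passed as $1 so the functions can be
# exercised on a scratch copy; in production the target is
# /etc/ntp-restrict.conf, run as root, with ntpd restarted afterwards.

# The three directives prescribed by the benchmark, one per line.
ntp_loopback_directives() {
    printf '%s\n' 'restrict lo' 'interface ignore wildcard' 'interface listen lo'
}

# ntp_restrict_apply FILE: append each directive only if an identical whole
# line is not already present, so re-running the hardening never duplicates it.
ntp_restrict_apply() {
    file=$1
    [ -f "$file" ] || : > "$file"
    while IFS= read -r line; do
        grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
    done <<EOF
$(ntp_loopback_directives)
EOF
}

# ntp_restrict_check FILE: succeed (exit 0) only when every directive is
# present as a whole line; report each missing one on stderr and fail
# otherwise. This is the audit side of the control.
ntp_restrict_check() {
    file=$1
    missing=0
    while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
            echo "missing directive in $file: $line" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(ntp_loopback_directives)
EOF
    [ "$missing" -eq 0 ]
}

# ntp_wildcard_listeners: read `netstat -an -p udp` style output on stdin and
# print the UDP sockets bound to port 123 on the wildcard address (*.123).
# After the fix only loopback bindings (127.0.0.1.123, ::1.123) should remain,
# so any output here means ntpd is still reachable from other hosts.
# Column layout assumed (macOS): Proto Recv-Q Send-Q Local-Address Foreign-Address
ntp_wildcard_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /^\*\.123$/'
}

# Stand-alone demonstration on a scratch file and constructed netstat lines.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp)
    ntp_restrict_apply "$scratch"
    ntp_restrict_check "$scratch" && echo "ok: $scratch carries all three directives"
    echo "wildcard NTP listeners in constructed netstat sample:"
    printf '%s\n' \
        'udp4       0      0  *.123                  *.*' \
        'udp4       0      0  127.0.0.1.123          *.*' \
        'udp6       0      0  *.123                  *.*' |
        ntp_wildcard_listeners
    rm -f "$scratch"
fi
```

Run with `--demo` to see both halves on a scratch file. On a real host the sequence is `ntp_restrict_apply /etc/ntp-restrict.conf` as root, a restart of ntpd (it reads its configuration only at startup, so toggling the "Set date and time automatically" checkbox off and on is enough), and then `netstat -an -p udp | ntp_wildcard_listeners`, which should print nothing once only loopback sockets remain.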

See Also

https://workbench.cisecurity.org/files/299

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(13)

Plugin: Unix

Control ID: be168e2cbb96ba6b44cc92087b8375810d62fc7d5527bcea5b59a1616b45d9e4