"Restrict NTP mode 6 queries"

Article ID: 375656

Products

VMware vCenter Server

Issue/Introduction

Message: Network Time Protocol (NTP) Mode 6 Scanner vulnerability on VCSA

The scanner report shows details similar to the following:

Plugin Output:
  Nessus elicited the following response from the remote
  host by sending an NTP mode 6 query

  version="ntpd xxxxxxxxx",
  processor="xxxxxxxxx
  precision=-xxxxxxxxx
  reftime=xxxxxxxxx
  tc=xxxxxxxxx
  sys_jitter=xxxxxxxxx

The scanner's recommended solution is to "Restrict NTP mode 6 queries".

Environment

VMware vCenter Server 7

VMware vCenter Server 8
Cause

The scanner flags this finding to improve the security posture of the appliance: ntpd answers mode 6 (control) queries from any host that is not restricted with noquery, which discloses system variables such as the version and processor strings shown above.

Resolution

Before proceeding, take a backup of the original file, for example:

cp /etc/ntp.conf /etc/ntp.conf.bak

You can restrict NTP mode 6 queries on VCSA by adjusting the NTP daemon (ntpd) configuration.

Step 1: Access the VCSA Shell

Log in to the VCSA via SSH as the root user. If SSH access and the Bash shell are not already enabled on the VCSA, enable them first:

Access the VCSA appliance management interface (https://<vcsa-ip>:5480).
Go to Access and enable SSH login and Bash shell.

Once logged in, open a Bash session by typing shell at the appliance prompt.

Step 2: Edit the NTP Configuration

Edit the NTP configuration file using a text editor such as vi. The ntp.conf file is usually located at /etc/ntp.conf:
vi /etc/ntp.conf

Restrict mode 6 queries by adding or modifying the following lines in ntp.conf:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

The nomodify keyword prevents alteration of NTP settings by unauthorized clients.
The noquery keyword disallows information queries (including mode 6 queries) from unauthorized clients.
The -6 flag applies the same restrictions to IPv6 addresses; restrict default without the flag covers IPv4.

Step 3: Restart the NTP Service

Restart the NTP daemon to apply the changes:
systemctl restart ntpd
Step 4: Verify the Configuration

Check the status of the NTP service to ensure it’s running correctly after the changes:

systemctl status ntpd
Verify that the restrictions are in place by using the ntpq command:

ntpq -c rv

This command should now fail to return the system variables, showing that the server no longer responds to mode 6 queries.
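As an added example, not VMware's or Broadcom's own tooling, the following POSIX shell script performs Step 2 without hand-editing: it backs up the file, replaces any existing restrict default / restrict -6 default lines with the two lines from this article, and then audits the result. The audit also checks that a restrict 127.0.0.1 line is present, because ntpq itself speaks mode 6: if loopback is not exempted, ntpq -c rv run on the VCSA is refused too, which is easy to mistake for a broken ntpd. The config path is a parameter so it can first be tried on a copy of /etc/ntp.conf; the function names and the sample config in the comments are this example's own, and restarting ntpd afterwards is still Step 3.

```shell
#!/bin/sh
# Added example, not VMware's own tooling. Assumes the ntpd-style ntp.conf
# syntax used on VCSA 7/8 and takes the config path as its only argument.

# harden_ntp_conf FILE: back FILE up, then rewrite it so that the IPv4 and
# IPv6 "default" restrict lines are exactly the two lines from the article.
# Every other line (server, driftfile, loopback restrict lines, ...) is kept.
harden_ntp_conf() {
    conf="$1"
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$conf.tmp.$$"
    # Drop any existing "restrict default", "restrict -4 default" or
    # "restrict -6 default" line; "|| true" keeps set -e quiet if none exist.
    grep -v -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf" > "$tmp" || true
    printf '%s\n' \
        'restrict default kod nomodify notrap nopeer noquery' \
        'restrict -6 default kod nomodify notrap nopeer noquery' >> "$tmp"
    mv "$tmp" "$conf"
}

# audit_ntp_conf FILE: return 0 only when both default restrict lines carry
# noquery. Warn (without failing) when loopback is not exempted, since ntpq
# run locally on the VCSA is itself a mode 6 client and would be refused.
audit_ntp_conf() {
    conf="$1"
    v4=$(grep -c -E '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default[[:space:]].*noquery' "$conf" || true)
    v6=$(grep -c -E '^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default[[:space:]].*noquery' "$conf" || true)
    if ! grep -q -E '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?127\.0\.0\.1([[:space:]]|$)' "$conf"; then
        echo "warning: no 'restrict 127.0.0.1' line in $conf; a local 'ntpq -c rv' will be refused as well" >&2
    fi
    [ "$v4" -ge 1 ] && [ "$v6" -ge 1 ]
}

# Usage: sh restrict_mode6.sh /path/to/ntp.conf  (nothing runs without a path)
if [ -n "${1:-}" ]; then
    harden_ntp_conf "$1"
    if audit_ntp_conf "$1"; then
        echo "mode 6 queries restricted in $1; now run: systemctl restart ntpd"
    else
        echo "audit failed for $1" >&2
        exit 1
    fi
fi
```

Run it against a copy first (for example cp /etc/ntp.conf /tmp/ntp.conf && sh restrict_mode6.sh /tmp/ntp.conf), diff the result against the original, and only then apply it to /etc/ntp.conf and restart ntpd as in Step 3.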