Disabling MONLIST in NTP

While working with various sites and during pen tests, questions have come up about recent vulnerabilities in publicly-facing NTP servers.

NTP servers prior to version 4.2.7 apparently allow anyone to query the server's statistics using ntpdc. Because the monlist response is far larger than the request that triggers it, this can be abused to generate DDoS traffic.

# ntpdc server_ip
ntpdc> monlist
remote address  port   local address  count m ver code avgint  lstint
===========================================================================
host1           51679  10.100.5.57    20174 7 2    590    908       0
host2             123  10.100.5.57    26065 3 4    590   1024       0
host3             123  10.100.5.57    23413 3 4    590   1024       0
host4             123  10.100.5.57    19941 3 4    590   1024       6
host5             123  10.100.5.57    21204 3 4    590   1023       7

You can either upgrade to NTP version 4.2.7 (which disables monlist by default) or disable monlist on your NTP server. You can do this in ntp.conf by adding the noquery parameter to your restrict default line and restarting the NTP service:

restrict default kod nomodify notrap nopeer noquery

Attempt the monlist again and it won't display. The only downside is that it could break your monitoring. Disabling monlist caused my Nagios check_ntp_peer check to fail.
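As an added example (not from the original post), here is a complete ntp.conf that keeps the hardened restrict default line from above but carves out a narrower rule for the monitoring host, so check_ntp_peer from that host keeps working. The monitoring host address 10.100.5.10 and the upstream server names are assumptions; the noquery flag blocks ntpq (mode 6) status queries as well as ntpdc (mode 7) ones, which is why a blanket noquery breaks the Nagios check.

```conf
# ntp.conf -- added example, not the original post's file.
# Assumed values: monitoring host 10.100.5.10, pool.ntp.org upstream servers.

driftfile /var/lib/ntp/ntp.drift

# Upstream time sources (assumed names)
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Weak default (commented out): any host on the Internet may send mode 7
# queries such as monlist, which makes the server a reflection source.
#restrict default kod nomodify notrap nopeer

# Hardened default from the post: noquery refuses all status queries
# (both ntpdc and ntpq) from hosts not matched by a more specific rule.
restrict default kod nomodify notrap nopeer noquery

# Loopback keeps full access so local ntpq/ntpdc troubleshooting still works.
restrict 127.0.0.1
restrict ::1

# Exception for the Nagios host (assumed 10.100.5.10): it may read status
# for check_ntp_peer, but still cannot modify, trap, or peer with the server.
restrict 10.100.5.10 kod nomodify notrap nopeer

# Optional: switch off the monitoring facility itself, so ntpd keeps no
# recent-client list to disclose regardless of who is allowed to query.
#disable monitor
```

After editing, restart ntpd and re-run ntpdc monlist from an outside host to confirm it is refused, then confirm the Nagios check from 10.100.5.10 still succeeds.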