Disabling MONLIST in NTP
While working with various sites and during pen tests, questions have come up about recent vulnerabilities in publicly facing NTP servers.
NTP servers prior to version 4.2.7 apparently allow anyone to query the server's stats using ntpdc. Because the monlist reply is much larger than the UDP request that triggers it, a query with a spoofed source address turns your server into an amplifier for DDoS traffic aimed at someone else:
# ntpdc server_ip
ntpdc> monlist
remote address          port local address      count m ver code avgint  lstint
===========================================================================
host1                  51679 10.100.5.57        20174 7 2   590    908       0
host2                    123 10.100.5.57        26065 3 4   590   1024       0
host3                    123 10.100.5.57        23413 3 4   590   1024       0
host4                    123 10.100.5.57        19941 3 4   590   1024       6
host5                    123 10.100.5.57        21204 3 4   590   1023       7
You can either upgrade to NTP version 4.2.7 (which disables monlist by default) or disable monlist on your current NTP server. To do the latter, add the noquery parameter to the restrict default line in ntp.conf and restart the NTP service:
restrict default kod nomodify notrap nopeer noquery
Attempt the monlist again and it won't display anything. The only downside is that it can break your monitoring, since noquery denies ntpq queries as well as ntpdc ones, and it only protects the restrict lines that carry it. Disabling monlist caused my Nagios check_ntp_peer check to fail.
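As an added example (not code from the original post), here is a small audit that parses an ntp.conf and reports every restrict entry that still lets remote hosts send ntpdc/ntpq queries, so a separate restrict line for a monitoring subnet does not go unnoticed. The two sample configs, including the 10.100.5.0/24 monitoring subnet, are constructed for the demonstration.

```python
"""Audit ntp.conf restrict directives for monlist/query exposure (constructed example)."""
import re

LOOPBACK = {"127.0.0.1", "::1"}  # local queries are not an amplification vector


def parse_restrict_lines(conf_text):
    """Return (target, flags) tuples for every 'restrict' directive in the config text."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments, then tokenize
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # optional address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        target, flags = tokens[0], tokens[1:]
        if "mask" in flags and flags.index("mask") + 1 < len(flags):
            i = flags.index("mask")  # 'mask a.b.c.d' belongs to the target, not the flags
            target = f"{target} mask {flags[i + 1]}"
            flags = flags[:i] + flags[i + 2:]
        entries.append((target, flags))
    return entries


def audit_monlist_exposure(conf_text):
    """List restrict entries that permit queries; empty list means no exposure found."""
    if re.search(r"^\s*disable\b.*\bmonitor\b", conf_text, re.M):
        return []  # 'disable monitor' switches the monitor list off entirely
    entries = parse_restrict_lines(conf_text)
    findings = []
    if not any(target == "default" for target, _ in entries):
        findings.append("no 'restrict default' line: queries are allowed from anywhere")
    for target, flags in entries:
        if target in LOOPBACK or "ignore" in flags or "noquery" in flags:
            continue
        findings.append(f"restrict {target}: missing noquery ({' '.join(flags) or 'no flags'})")
    return findings


# Constructed sample configs: the first is the pre-fix state, the second the fixed
# default line plus a monitoring subnet that was deliberately left queryable.
VULNERABLE_CONF = """driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
HARDENED_CONF = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.100.5.0 mask 255.255.255.0 nomodify notrap  # Nagios host lives here
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_monlist_exposure(conf) or "ok")
```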