Bug #13577
Network Time Protocol (NTP) Mode 6 Scanner
Status: closed
Description
I'm running a Nessus scan against my pfSense+ firewall, version pfSense+ 22.05-RELEASE (amd64), and it reports that pfSense responds to NTP mode 6. In the NTP configuration in pfSense I have "Deny mode 6 control message trap service (notrap)" checked.
Updated by Adam Esslinger about 2 years ago
The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.
Updated by Kris Phillips about 2 years ago
Checking /var/etc/ntpd.conf on 22.05, the proper "notrap" and "nomodify" config line items are present
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap
restrict source kod limited nomodify notrap
Likely the reason this is showing up is because the default allows some Mode 6 queries to be issued. If you check the box to disable queries this will stop Nessus from showing this. Bear in mind that the Status --> NTP menu will no longer work if you do this.
You can also create custom ACLs that allow pfSense to query itself, but nothing else, which should retain the Status --> NTP menu functionality.
The nomodify and notrap options should be enough to mitigate against the attacks you're concerned about, though. Nessus doesn't know whether some components of Mode 6 are disabled or not. It just checks whether queries are responded to at all.
This isn't a bug and can be closed, as this is expected behavior.
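To make the distinction in the thread concrete (nomodify/notrap leave read-only mode 6 queries answered; only noquery silences them), here is an added Python example, not part of the bug report, of pfSense or of ntpd, that builds the same kind of mode 6 "readvar" request a scanner sends, parses the reply, and computes the amplification factor a reflector would give an attacker. The reply packet is constructed for the example rather than captured from a real system; any host passed to probe_mode6 is the caller's own.

```python
"""Mode 6 (ntpq-style) readvar probe and reply parser.

Added example, not code from the bug tracker, pfSense or ntpd.
Packet layout follows the NTP control message format (RFC 1305 App. B).
"""
import socket
import struct

# 12-byte control header: li_vn_mode, r_e_m_op, sequence, status, assoc, offset, count
HEADER = struct.Struct("!BBHHHHH")
MODE_CONTROL = 6
CTL_OP_READVAR = 2          # read-only "rv" query; allowed by nomodify/notrap
RESP_BIT, ERR_BIT, MORE_BIT = 0x80, 0x40, 0x20


def build_mode6_request(opcode=CTL_OP_READVAR, sequence=1, assoc_id=0, version=2):
    """Build a 12-byte mode 6 request (version 2 is what ntpq sends: first byte 0x16)."""
    li_vn_mode = (version << 3) | MODE_CONTROL          # LI=0, VN=version, mode=6
    return HEADER.pack(li_vn_mode, opcode & 0x1F, sequence, 0, assoc_id, 0, 0)


def _split_vars(text):
    """Split 'k=v, k="a, b"' on commas outside double quotes."""
    items, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_mode6_response(pkt):
    """Decode a mode 6 reply into header fields plus the variable list it carries."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    li_vn_mode, r_e_m_op, seq, status, assoc, offset, count = HEADER.unpack_from(pkt)
    if li_vn_mode & 0x07 != MODE_CONTROL:
        raise ValueError("not a control (mode 6) message")
    data = pkt[HEADER.size:HEADER.size + count]
    if len(data) != count:
        raise ValueError("count field exceeds packet length")
    variables = {}
    for item in _split_vars(data.decode("ascii", "replace")):
        key, _, value = item.partition("=")
        variables[key.strip()] = value.strip().strip('"')
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "response": bool(r_e_m_op & RESP_BIT),
        "error": bool(r_e_m_op & ERR_BIT),
        "more": bool(r_e_m_op & MORE_BIT),
        "opcode": r_e_m_op & 0x1F,
        "sequence": seq, "status": status, "assoc_id": assoc,
        "offset": offset, "count": count, "variables": variables,
    }


def amplification_factor(request, response):
    """Bytes returned per byte sent: what a reflector hands an attacker."""
    return len(response) / len(request)


def probe_mode6(host, port=123, timeout=2.0):
    """Send one readvar request. Returns the parsed reply, or None when the
    server stays silent (the behaviour 'noquery' produces)."""
    req = build_mode6_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(1024)   # 12-byte header + at most 468 bytes of data
        except socket.timeout:
            return None
    return parse_mode6_response(data)


def sample_response(sequence=1):
    """Constructed reply resembling an ntpd 4.2.8 readvar answer; not a real capture."""
    data = (b'version="ntpd 4.2.8p15@1.3728-o", processor="amd64", system="FreeBSD/13.1", '
            b'leap=00, stratum=2, precision=-23, rootdelay=12.345, rootdisp=30.120, '
            b'refid=192.0.2.10, tc=6, mintc=3, clock=e7c3a2b1.4f1c9a80, peer=45678')
    pad = (-len(data)) % 4                               # data is padded to 32 bits
    status = 0x0664                                      # system status word (leap 0, source 6)
    return (HEADER.pack(0x16, RESP_BIT | CTL_OP_READVAR, sequence, status, 0, 0, len(data))
            + data + b"\x00" * pad)


if __name__ == "__main__":
    reply = parse_mode6_response(sample_response())
    print("answered readvar:", reply["response"], "vars:", len(reply["variables"]))
    print("amplification: %.1fx" % amplification_factor(build_mode6_request(), sample_response()))
```

Run against a host (`probe_mode6("192.0.2.1")`): a parsed dictionary back means the server answers read-only mode 6 queries and Nessus will flag it, regardless of nomodify and notrap, which only refuse the write and trap opcodes; `None` is what you get once `noquery` is in the restrict line. In stock ntpd terms, the "custom ACL" from the comment above is `noquery` on the `restrict default` / `restrict -6 default` lines plus plain `restrict 127.0.0.1` and `restrict ::1` entries, so the box can still query itself.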