netsec-sig - Re: [Security-WG] I2 - Strange xntpd behavior
Subject: Internet2 Network Security SIG
- From: John Kristoff <>
- To: gcbrowni <>
- Cc: "" <>
- Subject: Re: [Security-WG] I2 - Strange xntpd behavior
- Date: Fri, 22 Sep 2017 10:29:13 -0500
On Fri, 22 Sep 2017 14:53:24 +0000 gcbrowni <> wrote:
> 1) The first term in the filter is a syslog that matches on
> "port 123". If it matches any tcp/udp on port 123 it syslogs and then
> next terms. I see our normal and expected NTP traffic being
> syslogged. Our final "deny" term is showing the non-authorized
> attempts to connect to us. But I DON'T see anything from A.B.C.D on
> port 123.
Will your loopback filter block outgoing packets? Probably not. What
is in the system's ntp.conf?
> 2) I don’t think you can send NTP data to the router on any port
> other than 123. Correct?
You could, but if there is no listener... :-) Not sure how that would
work.
> 6) Is there any reason for XNTPD to generate this message from an
> event OTHER than receiving an NTP packet through the filter. In
> response to something other than NTP? Trace, ping, a shell
> command/login? I don’t think this can happen.
If it has A.B.C.D. as a clock source. Perhaps there is a process on
the system that is doing something? Is A.B.C.D. an NTP server or
client as far as you know?
John