hardening of NTP & DNS servers

Currently we have the following in our Redhat NTP servers.  
server xx.pool.ntp.org
restrict xx.pool.ntp.org nomodify notrap nopeer noquery
server 0.yy.pool.ntp.org
restrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery
server 1.yy.pool.ntp.org
restrict 1.yy.pool.ntp.org nomodify notrap nopeer noquery

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more commonly used and
will not cause disruption:
http://www.brennan.id.au/09-Network_Time_Protocol.html

Q2:
We have Cisco routers/devices acting as NTP server, what are
the hardening commands/settings that generally people apply?

Q3:
We have Windows 2008 R2 and Redhat Linux running as DNS.
What hardening is needed (and how do we verify the hardening
has been implemented) to harden the DNS (not the OS, but the
DNS function)?
Asked by: sunhux

5 Solutions
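As an added example (not from the thread or the linked brennan page): a small POSIX shell audit that checks an ntp.conf for a "restrict default" line and for the four per-server flags used in the question above. The function name is mine and the sample configuration it runs on is constructed from the question's own lines.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the restrict options discussed in the
# question. Exit status 0 = all checks pass, 1 = at least one finding printed.
audit_ntp_conf() {
    conf="$1"
    rc=0
    # Check 1: a 'restrict default' (optionally 'restrict -4/-6 default') line
    # must exist, so hosts not explicitly listed get the restrictive policy
    # rather than full access.
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf"; then
        echo "FINDING: no 'restrict default ...' line in $conf"
        rc=1
    fi
    # Check 2: every 'server' entry needs a matching 'restrict' line carrying
    # all four flags used in the question (nomodify notrap nopeer noquery).
    for srv in $(awk '$1=="server"{print $2}' "$conf"); do
        line=$(awk -v s="$srv" '$1=="restrict" && $2==s {print; exit}' "$conf")
        for flag in nomodify notrap nopeer noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "FINDING: restrict for $srv lacks '$flag'"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: the question's lines, which have per-server restricts
# but no default policy, so the audit reports a finding.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
server xx.pool.ntp.org
restrict xx.pool.ntp.org nomodify notrap nopeer noquery
server 0.yy.pool.ntp.org
restrict 0.yy.pool.ntp.org nomodify notrap nopeer noquery
EOF
audit_ntp_conf "$demo_conf" || echo "-> consider adding: restrict default kod nomodify notrap nopeer noquery"
rm -f "$demo_conf"
```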
David Johnson, CD, MVP (Owner) commented:
don't allow ntp/dns requests from outside the local area network.

arnold commented:
Hardening, as was pointed out by David, deals with services that are generally accessed from outside your network.

Your question suggests only one answer, which is that you need to harden the workstations, as they have to be compromised through a user accessing a compromised site that in turn compromises the workstation, or you have a rogue user with access on the network.

Make sure your systems/routers have the vendor released updates/security fixes.
Nanog is a good network related security publication.  Cert.org deals with system/OS notifications.

On your DNS, some use forwarders; while letting your systems go and fetch all records uses more bandwidth, it "reduces" the risk should the forwarder, when one is used, be poisoned with invalid/wrong records.

David Johnson, CD, MVP (Owner) commented:
The most effective hardening is least privilege operation. Run as a standard user and only sudo or run as administrator for tasks that require administrator privileges. Over 90% of the Windows attacks are mitigated by running as a standard user.

btan (Exec Consultant) commented:
For the DNS, you may want to check out the slides, which highlight the security considerations for the DNS; you may want to focus on the section on the DNS Hardening part covering the local file system, application, and managing access control.

http://www.academia.edu/3065550/DNS_Security_and_Hardening_-_Linux

Also, Cisco shared more information on locking down (I believe you have also seen the US CERT DNS amplification advisory in your past EE posting):
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

It also stated that others (such as Team Cymru) also provide specifics like a Secure BIND Template that operators can use as a guide for hardening their DNS servers. The official list of unallocated Internet addresses is maintained by Team Cymru. Additional information about filtering unused addresses is available at the Bogon Reference Page.

For NTP aspects, the Cisco site shares more as well, which we may want to focus on:
- configure ACLs to restrict access to the NTP services on the providing device.
- configure your NTP servers and clients to use authentication.

http://oreilly.com/catalog/hardcisco/chapter/ch10.html

Excerpt

Make sure all routers use NTP to synchronize their time.

On larger networks requiring more accurate time, use redundant timeservers and synchronize routers to multiple servers to prevent a single point of failure.

Use the ntp master command only when external time synchronization is not possible--i.e., in networks not connected to the Internet.

Make sure all routers have ACLs preventing them from becoming public time synchronization servers. These ACLs should restrict what servers the router synchronizes to and systems the router will synchronize.

Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.

Also, an NTP consideration which can be missed out, as we tend to be too focused on hardening the configuration, is the stratum connection, if applicable. Normally only stratum 2 servers should connect to a stratum 1 server. The loss of precision from inconsistency in connection due to abuse may indirectly lead servers whose hosted applications require more precision than that of a normal computer network to miss the sync, which can impact the business running. Of course, it is ideal that such applications can also consider receiving their time code via a multitude of trusted sources.

sunhux (Author) commented:
Think I've got most of the answers, just 2 more:

Q1:
There is further hardening that could be done, so I would like
to get advice here on which ones in the URL below are more
commonly used and will not cause disruption:
  http://www.brennan.id.au/09-Network_Time_Protocol.html

Is there any hardening on Windows 2008 R2 that acts as AD
/DNS (not Windows hardening but AD/DNS)? Excuse me if
I did not get your point.

arnold commented:
Your hardening concentration seems to have the wrong emphasis. I.e., in a car you are focusing on how to harden the controls on the heater/AC and radio rather than hardening the entry points.
Both NTP and DNS raised in your question are internally used and do not see direct requests from unknown sources. Maintaining them up to date will deal with DNS poisoning, where an access site redirects the queries to fictitious sites. Similarly with NTP, configure them to use trusted sources, or eliminate any external source: configure one or two internal systems as an NTP server to which the remaining will synchronize.

As to your latest question, pick the one you are comfortable with; unless you choose an untrusted external DNS server to which your DNS will forward its requests or an untrusted NTP server, you should be fine. (The impact of an untrusted NTP deals with time shift/drift. Usually the local system will not allow a single large deviation; i.e., a 30 minute shift might be the largest in one step.)