03-Feb-2014

NTP issue – update
From several sides I got information on the NTP problems; John Santos (via OpenVMS SIG) suggested a test for checking whether time was updated, using ntpq (it did), and Stephen Hoffman showed me where NTPDC is located; but I found that already, and disabled monlist as was suggested – by editing TCPIP$NTP.CONF. Now monlist doesn’t work anymore – not even on localhost (directly), nor does ntpq – it runs into a timeout. The router log doesn’t show any incoming NTP traffic anymore either – which used to be the case when monlist was not disabled. Time to dig into the manuals – if available… Enabling monlist – just to be able to do some synchronization – might be a possibility – now that incoming traffic to port 123 is disabled… We’ll see.
For the rest, no real surprises:
PMAS statistics for January
Total messages    :   1414 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    338 =  23.9 o/o (Files: 31)
Accepted by PMAS  :   1076 =  76.0 o/o (Files: 31)
  Handled by explicit rule
         Rejected :    445 =  41.3 o/o (processed),  31.4 o/o (all)
         Accepted :    288 =  26.7 o/o (processed),  20.3 o/o (all)
  Handled by content
        Discarded :    137 =  12.7 o/o (processed),   9.6 o/o (all)
     Quarantained :    163 =  15.1 o/o (processed),  11.5 o/o (all)
        Delivered :     43 =   3.9 o/o (processed),   3.0 o/o (all)

There have been relay attempts on a few days: on 13-Jan-2014 there were about 100 from one address. Of course these failed.

31-Jan-2014

Coincidence: NTP DOS?
Yesterday morning, Thomas Heim sent out a warning on the OpenVMS SIG list that he had seen evidence on his systems of an exploit of a hole in older versions of NTP, and his warning was “Beware”.

That evening, when heading for bed, I heard my VMS server beep every few seconds. It normally does if a mail message comes in, but at this rate that means trouble.

And yes, I got loads of messages, all of which concerned massive outgoing UDP traffic on port 123 – the NTP server – to a limited number of addresses but different ports on each of them. At times, there was a message concerning traffic to port 80 that was suspected to be torrent-based (quite unlikely to have UDP traffic to a webserver…), so I got these as well.
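The outbound pattern described here – a few destination addresses, many different destination ports, large replies from port 123 – is the signature of an NTP reflection attack against the monlist query. The script below is an added example, not code from this post: it scans constructed firewall-style log lines (the line layout and the addresses are assumptions, not the author’s router or PMAS format) and reports the destinations that match that pattern.

```python
# Added example, not from the original post: flag the reflected-NTP pattern
# described above, i.e. bursts of outbound UDP from port 123 to a handful of
# destination addresses spread over many different destination ports.
import re
from collections import defaultdict

# Constructed sample lines in a generic firewall-log layout (an assumption,
# not the author's router or PMAS format). Addresses are RFC 5737 test nets.
SAMPLE_LOG = """\
21:02:11 OUT UDP 192.0.2.10:123 -> 203.0.113.5:40211 440 bytes
21:02:11 OUT UDP 192.0.2.10:123 -> 203.0.113.5:40212 440 bytes
21:02:12 OUT UDP 192.0.2.10:123 -> 203.0.113.5:51833 440 bytes
21:02:12 OUT UDP 192.0.2.10:123 -> 203.0.113.5:27117 440 bytes
21:02:13 OUT UDP 192.0.2.10:123 -> 198.51.100.9:33001 440 bytes
21:02:13 OUT UDP 192.0.2.10:123 -> 198.51.100.9:33077 440 bytes
21:02:13 OUT UDP 192.0.2.10:123 -> 198.51.100.9:41555 440 bytes
21:02:14 OUT UDP 192.0.2.10:123 -> 198.51.100.9:49120 440 bytes
21:02:20 OUT UDP 192.0.2.10:123 -> 192.0.2.77:123 48 bytes
21:02:30 OUT UDP 192.0.2.10:123 -> 192.0.2.78:123 48 bytes
"""

LINE_RE = re.compile(r"^\S+ OUT UDP [\d.]+:123 -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<size>\d+) bytes$")

def find_reflection_targets(log_text, min_packets=4, min_ports=3, min_avg_bytes=200):
    """Return {dst_ip: (packets, distinct_ports, avg_bytes)} for destinations
    that look like reflection victims: many replies, to many different ports,
    each far larger than the 48-byte answer a normal NTP client receives."""
    per_dst = defaultdict(lambda: {"pkts": 0, "ports": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # not outbound UDP from our port 123: ignore
            continue
        d = per_dst[m["dst"]]
        d["pkts"] += 1
        d["ports"].add(int(m["dport"]))
        d["bytes"] += int(m["size"])
    suspects = {}
    for dst, d in per_dst.items():
        avg = d["bytes"] / d["pkts"]
        if d["pkts"] >= min_packets and len(d["ports"]) >= min_ports and avg >= min_avg_bytes:
            suspects[dst] = (d["pkts"], len(d["ports"]), avg)
    return suspects

if __name__ == "__main__":
    for dst, (pkts, ports, avg) in sorted(find_reflection_targets(SAMPLE_LOG).items()):
        print(f"{dst}: {pkts} replies to {ports} ports, avg {avg:.0f} bytes")
```

The two single 48-byte replies to port 123 are what ordinary NTP peers look like and are not reported; the thresholds are starting points to tune against your own normal traffic.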

Quite a coincidence?

Stopping the NTP server stopped the flood of messages, but after I restarted it, it restarted within a minute. So I turned my attention to the firewall, where port 123 (the standard NTP port) was still open. So I closed it and blocked all incoming traffic on port 123 – from any address.

Restarted NTP, and after that at least the flood of mail messages stopped, so I wouldn’t be kept from sleeping. Whether I have to worry about time keeping remained to be seen. But a quick glance this morning revealed that time services still run and do get an answer (the log states [Pass]), so I think I don’t have to worry anymore about my time-keeping.

But there is still a lot of investigation to be done. The whole sequence started just after 21:00 and went on to just after 22:00, when I stopped the NTP server; restarted it at 22:10, the circus recommenced, so I stopped it again at 22:11. Blocked the port in the firewall and restarted NTP at 22:16.
Just one (!) message blocked, and no problems ever since.

Next step is to investigate – as far as possible. I’ll keep the logfiles at hand (tonight they will be moved to the archives by the monthly maintenance job…).