Unusual NTP / other connections?

I'm trying to keep our Linode as secure as possible and am looking at the various established network connections using netstat -a (we also use OSSEC HIDS).

I'm seeing a number of questionable NTP / other connections. Here's what I see using netstat -a:

udp 0 0 liXX.:37147 disorder.primate.ne:ntp ESTABLISHED
udp 0 0 liXX.:40025 173-203-122-111.vds:ntp ESTABLISHED
udp 0 0 liXX..:37540 dp.cx:ntp ESTABLISHED
udp 0 0 liXX.:34798 sulfur.mednor.net:ntp ESTABLISHED

I'm also seeing connections to localhost.localdom from / to port 4369. This is the port opened by eJabberD, and is expected, but the notes say that it should not be accessible outside the firewall. How can I block access to that port externally? And, I'm guessing the localhost.localdomain bindings are probably normal given that circumstance, correct?

Are these normal? If not, what is the vulnerability, and what can I do about that?

5 Replies

Those would be ntpd doing its business. You should be able to correlate these against ntpq -p. I find it a little odd that they are showing up there, since ntpd is normally really quick about disposing of sockets… do you have a firewall that might be blocking these? (If so, you're going to have a bad time.)

If 4369 is only listening on localhost, then it's only listening on localhost and isn't accessible externally. The -l option to netstat will specifically tell you what's listening where.

Also, the -n and -p options to netstat are quite handy.
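The reply above says to use netstat's -l option to see what is listening where. The script below is an added example (not from this thread or from any of its posters) that turns that manual inspection into a check: it parses `netstat -ln`-style output and reports every listener bound to something other than a loopback address, then answers "is port 4369 only on localhost?" mechanically. The sample output is constructed to resemble the situation in the question; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: parse `netstat -ln` output and report
# which listening sockets are reachable from outside the host, i.e. bound to
# something other than a loopback address (127.0.0.0/8 or ::1).

# Constructed stand-in for `netstat -ln` output (addresses and ports invented
# to resemble the question). Real use: netstat -ln | is_loopback_only 4369
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4369          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# Print "proto port address" for every listener not bound to a loopback address.
# stdin: netstat -ln output.
externally_reachable_listeners() {
    awk '$1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":")                      # port is after the last colon
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "::1") print $1, port, addr
    }'
}

# Succeed (exit 0) when every listener on PORT is bound to a loopback address.
# stdin: netstat -ln output.
is_loopback_only() {
    port=$1
    hits=$(externally_reachable_listeners | awk -v p="$port" '$2 == p' | wc -l | tr -d ' ')
    [ "$hits" -eq 0 ]
}

printf '%s\n' "$SAMPLE_NETSTAT" | externally_reachable_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | is_loopback_only 4369; then
    echo "4369: loopback only, not reachable externally"
else
    echo "4369: reachable externally"
fi
```

On the constructed sample, port 4369 is reported as loopback-only (so the eJabberD note in the question is satisfied), while 22, 5222 and 123 are bound to all addresses and show up in the list. Adding `-n` as the reply suggests keeps netstat from resolving names, which is what makes the address column parseable.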

Interesting - I don't have a firewall blocking these ports, so I'm wondering why they are persisting? Also, these are very strange domains - why is my machine binding to these (or it looks like the other way around - why are their NTP ports binding to my Linode)? The domains look suspicious, so I'm wondering how these are getting chosen for NTP binding?

I'll check out the netstat -l / -n / -p options as well.

Thanks!

Check /etc/ntp.conf. Odds are really good it will have something like

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

(or something else involving pool.ntp.org). If so, those particular servers are somewhat randomly picked from a pool of ~2600 public NTP servers whenever ntpd starts.

If you do "ntpq -p" and all of the numbers under the "st" column are not 16 and the "refid" values are not .STEP., everything's working OK and there's probably nothing to worry about.
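The reply above gives a rule of thumb for reading `ntpq -p`: a stratum of 16 or a refid of .STEP. means a peer is unusable. The script below is an added example (not from this thread or its posters) that applies that rule to `ntpq -p` output and produces a verdict, which is handy for a cron check or an OSSEC-style monitor. The two samples are constructed: peer names echo the question, every number is invented, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: apply the rule above to `ntpq -p` output.
# A peer with stratum (st) 16 or refid .STEP. is unusable; if no peer is usable,
# the host is not synchronised.

# Constructed stand-in for `ntpq -p` output (names echo the question; every
# number is invented). Real use: ntpq -p | ntp_sync_status
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*disorder.primate 204.9.54.119     2 u  512 1024  377   12.345   -0.123   0.456
+dp.cx           192.0.2.10       2 u  600 1024  377   20.000    1.000   0.500
 sulfur.mednor.n .STEP.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed output of a host that has not synchronised with anyone yet.
SAMPLE_NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 disorder.primate .INIT.          16 u    -   64    0    0.000    0.000   0.000
 dp.cx            .STEP.          16 u    -   64    0    0.000    0.000   0.000'

# Shared parser: prints "remote refid st" per peer line, after removing the
# one-character tally mark ntpq prefixes to the remote column (* + - # x . o or space).
ntpq_peers() {
    awk 'NR > 2 {
        line = $0
        sub(/^[*+#x.o -]/, "", line)   # drop the tally mark
        n = split(line, f, /[ \t]+/)
        if (n >= 3) print f[1], f[2], f[3]
    }'
}

# Usable peers: stratum not 16 and refid not .STEP. (stdin: ntpq -p output)
ntpq_healthy_peers() {
    ntpq_peers | awk '$3 + 0 != 16 && $2 != ".STEP." { print $1 }'
}

# Unusable peers, for the operator to look into (stdin: ntpq -p output)
ntpq_bad_peers() {
    ntpq_peers | awk '$3 + 0 == 16 || $2 == ".STEP." { print $1 }'
}

# Overall verdict: OK when at least one usable peer exists, else DEGRADED.
ntp_sync_status() {
    usable=$(ntpq_healthy_peers | wc -l | tr -d ' ')
    if [ "$usable" -gt 0 ]; then echo OK; else echo DEGRADED; fi
}

printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_status        # OK
printf '%s\n' "$SAMPLE_NTPQ_BAD" | ntp_sync_status    # DEGRADED
```

The first sample has two usable peers and one stuck at stratum 16, so the verdict is OK and `ntpq_bad_peers` names only sulfur.mednor.n; the second sample has no usable peer and is reported DEGRADED. A reasonable alerting rule is to fire on DEGRADED persisting across several polls, since a freshly started ntpd legitimately shows .INIT. for a few minutes.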

I don't seem to have the ntpq command or an /etc/ntp.conf file (running Ubuntu 10.04 LTS) – what are the alternatives on Ubuntu?

Ah, you're likely running openntpd. Check /etc/openntpd/ntpd.conf. I see similar behavior on netstat -u as you do on a 10.04 machine with openntpd, so it's probably normal.
