

  • 1.  NTP Mode 6 Query Vulnerability

    Posted 07-25-2022 05:32

    Hello Folks,

     

    I found your mail on the Juniper platform and thank you for all your help and support, which helps us to progress.

    I have a concern, and I am not sure this is the appropriate means of contact; if not, my apologies in advance.

     

    I have 2 Juniper SRX345s in a cluster with 2 different IPs.

    One act as node 0 with ip 10.x.x.61

    And node 1 with IP 10.x.x.62

    After a Nessus scan we noticed the device responds to the NTP mode 6 query vulnerability.

    I therefore tried to use a firewall filter to block the NTP packets in order to fix the issue, using the commands below:

     

    set groups node0 system ntp server 172.x.x.1 prefer

    set groups node0 system ntp server 172.x.x.10

    set groups node1 system ntp server 172.x.x.10

    set groups node1 system ntp server 172.20.30.1 prefer

    set firewall family inet filter ACL-Admin term NTP from source-address 172.x.x.1/32

    set firewall family inet filter ACL-Admin term NTP from source-address 172.x.x.10/32

    set firewall family inet filter ACL-Admin term NTP from destination-address 10.x.x.62/32

    set firewall family inet filter ACL-Admin term NTP from protocol udp

    set firewall family inet filter ACL-Admin term NTP from destination-port ntp

    set firewall family inet filter ACL-Admin term NTP then accept

    set firewall family inet filter ACL-Admin term NTP_BLOCK from source-address 0.0.0.0/0

    set firewall family inet filter ACL-Admin term NTP_BLOCK from protocol udp

    set firewall family inet filter ACL-Admin term NTP_BLOCK from destination-port ntp

    set firewall family inet filter ACL-Admin term NTP_BLOCK then discard

    set firewall family inet filter ACL-Admin term default then accept

     

    Only it is not working after a rescan. What could be the problem? What is missing or must be removed from the above config?

     

    I have the same issue with the EX4200, with the following config:

     

    set firewall family inet filter ACL-Admin term NTP from source-address 172.x.x.1/32

    set firewall family inet filter ACL-Admin term NTP from source-address 172.x.x.10/32

    set firewall family inet filter ACL-Admin term NTP from destination-address 10.x.x.5/32

    set firewall family inet filter ACL-Admin term NTP from protocol udp

    set firewall family inet filter ACL-Admin term NTP from destination-port ntp

    set firewall family inet filter ACL-Admin term NTP then accept

    set firewall family inet filter ACL-Admin term NTP_BLOCK from source-address 0.0.0.0/0

    set firewall family inet filter ACL-Admin term NTP_BLOCK from protocol udp

    set firewall family inet filter ACL-Admin term NTP_BLOCK from destination-port ntp

    set firewall family inet filter ACL-Admin term NTP_BLOCK then discard

    set firewall family inet filter ACL-Admin term default then accept

     

    Any help or explanation is much appreciated!



    ------------------------------
    DIEUDONNE LEUMALEU FEUDE
    ------------------------------


  • 2.  RE: NTP Mode 6 Query Vulnerability

     
    Posted 07-25-2022 10:31
    Are you sure your vulnerability scanner isn't simply throwing the alert based on the version of JUNOS it detects? Otherwise, are you applying the ACL to an interface?


  • 3.  RE: NTP Mode 6 Query Vulnerability

    Posted 07-26-2022 03:25
    Hello there, yes I did apply the ACL to the mgmt interface, and the version running is pretty much the latest one.

    ------------------------------
    DIEUDONNE LEUMALEU FEUDE
    ------------------------------



  • 4.  RE: NTP Mode 6 Query Vulnerability

    Posted 07-25-2022 14:36
    I believe this vulnerability is when the device is acting as the NTP server not as the client.
    So you would not need any accept term unless you are using the SRX as the NTP server source for other devices.
    For the filter to apply against self traffic it needs to be placed onto the loopback interface of the device on the input side.
    If it is already applied to the loopback, add the count action so it can confirm the traffic is seen by the filter.


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
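Putting the advice in the reply above into set commands, as an added example that is not from the original poster or from Juniper: the filter is applied on the loopback input so it sees traffic destined to the Routing Engine, the accept term is limited to replies from the configured NTP servers (the poster's 172.x.x.1 and 172.x.x.10 placeholders are kept), all other NTP to the device is discarded, and both NTP terms carry a count action so `show firewall filter ACL-Admin` can prove the filter is matching. The counter names `ntp-from-servers` and `ntp-blocked` and the filter name reuse are my own choices; the `source-address 0.0.0.0/0` match of the original NTP_BLOCK term is dropped because it matches everything anyway.

```junos
# Replies from the two configured NTP servers: count, then accept.
set firewall family inet filter ACL-Admin term NTP from source-address 172.x.x.1/32
set firewall family inet filter ACL-Admin term NTP from source-address 172.x.x.10/32
set firewall family inet filter ACL-Admin term NTP from protocol udp
set firewall family inet filter ACL-Admin term NTP from destination-port ntp
set firewall family inet filter ACL-Admin term NTP then count ntp-from-servers
set firewall family inet filter ACL-Admin term NTP then accept
# Any other NTP (including mode 6 control queries from the scanner): count, then discard.
set firewall family inet filter ACL-Admin term NTP_BLOCK from protocol udp
set firewall family inet filter ACL-Admin term NTP_BLOCK from destination-port ntp
set firewall family inet filter ACL-Admin term NTP_BLOCK then count ntp-blocked
set firewall family inet filter ACL-Admin term NTP_BLOCK then discard
# Everything else the device is meant to accept keeps flowing.
set firewall family inet filter ACL-Admin term default then accept
# The filter only evaluates traffic to the RE itself when it sits on lo0 input.
set interfaces lo0 unit 0 family inet filter input ACL-Admin
```

After committing, rerun the scan and check `show firewall filter ACL-Admin`: if `ntp-blocked` stays at zero while the scanner still gets mode 6 answers, the packets are not reaching this filter (for example they arrive on an interface whose traffic is not evaluated at lo0), which is the case to investigate next.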