LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-23-2016, 11:44 AM   #1
robolux
Member
 
Registered: Oct 2016
Posts: 31

Lubuntu Suspicious Traffic


Hi!

Yesterday I installed Lubuntu 16.04 to my HDD and discovered some very strange traffic both incoming and outgoing from the ntp port, listed under 123/udp.

After researching the connecting IPs I found out that most of them correspond to local software businesses and IT firms.

I checked the traffic with iftop, which showed that multiple bytes, in some cases even +1KB, was sent and received to and from those IPs.

Screenshot: https://s12.postimg.org/w647skop9/screen.png


1) Do I have to be worried that those services transmitted malware or other harmful code?

2) How can I permanently block those connections or the port?

I have tried using the following, unsuccessfully.

--> with the built-in firewall:
Code:
sudo ufw deny 123/udp
sudo ufw deny ntp

--> with iptables:
Code:
sudo iptables -A OUTPUT -p udp --dport 123 -j DROP
sudo iptables -A INPUT -p udp --sport 123 -j DROP

Thank you!


Last edited by robolux; 10-23-2016 at 11:48 AM.
 
Old 10-23-2016, 12:13 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

The NTP daemon in Lubuntu uses port 123, usually UDP. You need that running to synchronize time. The utility "iftop" might not be what gives the best overview. Try "netstat" instead.

(About blocking it with iptables: that's not necessarily a good idea. But if you really want to block it, you'll need to use -I for insert so that the new rules come at the top of the chain. Since you are planning to block your own traffic, you might want to use REJECT instead of DROP, at least for the OUTPUT chain.)
 
Old 10-23-2016, 12:26 PM   #3
robolux
Member
 
Registered: Oct 2016
Posts: 31

Original Poster
Quote: Originally Posted by Turbocapitalist (post #2)
Thank you for the reply!

That seems to have worked, thank you.

Are ntp and 123/udp the same thing, or is one a part of the other?

Could only blocking 123/udp still leave some room for other IPs to connect via ntp?

Last edited by robolux; 10-23-2016 at 12:31 PM.
 
Old 10-23-2016, 12:29 PM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

You can try -ntp or -ntlp. Those have nothing to do with NTP per se; it is just that the useful options in this case happen to be -n, -t, -p, and sometimes -l. See the manual page for what those options do:

Code:
man netstat
 
Old 10-23-2016, 12:46 PM   #5
robolux
Member
 
Registered: Oct 2016
Posts: 31

Original Poster
Ok, after reviewing the documentation I agree that -I is the best option for this case.
Iftop no longer shows any ntp traffic, which is awesome.

Am I good now or is there something else to do in order to maintain this?

thanks
 
Old 10-23-2016, 12:54 PM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by robolux View Post
Am I good now or is there something else to do?
One thing left to do is to figure out how to synchronize the clock now.

You can adjust your iptables rules to allow NTP traffic to and from the proper NTP servers. You can see the right servers in /etc/ntp.conf.

About the 'wrong' servers: you can capture some of that traffic to a file using "tcpdump" and then examine the file at your leisure with either "tcpdump" itself or something graphical like "wireshark". Just don't run "wireshark" as root; it's got too many moving parts, so to speak.
 
Old 10-23-2016, 04:56 PM   #7
robolux
Member
 
Registered: Oct 2016
Posts: 31

Original Poster
I have done a little more research and it seems that the ntp port generally causes a lot of issues and suspicious traffic for a lot of Ubuntu users.

The screenshot I provided definitely indicates that those IPs sent multiple bytes and in some cases even KBytes.
Would it even be possible for that to contain malware?

I mean, it's a fresh install of Ubuntu; if this port was known to be so dangerous, why would it be opened by default?
 
Old 10-23-2016, 05:59 PM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Quote:
Originally Posted by robolux View Post
I have done a little more research and it seems that the ntp port generally causes a lot of issues and suspicious traffic with a lot of ubuntu users.
Don't you mean new Ubuntu users?
 
Old 10-23-2016, 11:37 PM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

The ports are all open to outgoing traffic.

About the connections on port 123, you might check some server names. You can get a list of the servers with "grep":

Code:
grep '^server' /etc/ntp.conf
That will give you a list of five or six server pools. If you look up each name in DNS, you will find multiple IP numbers. Then if you look those numbers up individually, you'll see that they resolve to other names as well. Are those names the ones you are seeing in your observations?

Part of running a system is learning what is normal traffic.
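The check described in posts #2, #6 and #9 (list the servers in /etc/ntp.conf, resolve them, compare against the peers iftop showed, and allow NTP only to those servers with rules inserted at the top of the chain) can be scripted. The following is an added example written for this thread, not code posted by anyone in it. The ntp.conf excerpt, the iftop-style peer list and the DNS answers are constructed sample data (TEST-NET addresses) so it runs offline; on a live system you would read the real /etc/ntp.conf and replace resolve_stub() with socket.getaddrinfo(). The generated iptables lines are printed, not executed.

```python
"""Compare observed UDP/123 peers against the NTP servers configured in
/etc/ntp.conf and build a matching iptables allow-list.

Added example for this thread; all sample data below is constructed.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Set

# Constructed excerpt of /etc/ntp.conf (Ubuntu-style pool lines).
SAMPLE_NTP_CONF = """\
# /etc/ntp.conf, configuration for ntpd
driftfile /var/lib/ntp/ntp.drift
pool 0.ubuntu.pool.ntp.org iburst
pool 1.ubuntu.pool.ntp.org iburst
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery limited
"""

# Constructed DNS answers standing in for real lookups of the names above.
SAMPLE_DNS = {
    "0.ubuntu.pool.ntp.org": ["192.0.2.10", "192.0.2.11"],
    "1.ubuntu.pool.ntp.org": ["198.51.100.7"],
    "ntp.ubuntu.com": ["203.0.113.5"],
}

# Constructed remote addresses, as iftop would list them for port 123 traffic.
SAMPLE_PEERS = ["192.0.2.11", "203.0.113.5", "198.51.100.200"]

# Matches the lines grep '^server' finds, plus the 'pool' and 'peer' forms.
_SERVER_LINE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)")


def configured_servers(conf_text: str) -> List[str]:
    """Return the hostnames named by server/pool/peer lines, in file order."""
    names = []
    for line in conf_text.splitlines():
        m = _SERVER_LINE.match(line)
        if m:
            names.append(m.group(2))
    return names


def resolve_stub(name: str) -> List[str]:
    """Offline stand-in for a DNS resolver; uses the constructed SAMPLE_DNS table."""
    return SAMPLE_DNS.get(name, [])


def expected_addresses(names: Iterable[str],
                       resolver: Callable[[str], List[str]]) -> Set[str]:
    """Resolve every configured name and collect the addresses in canonical form."""
    addrs: Set[str] = set()
    for name in names:
        for a in resolver(name):
            addrs.add(str(ipaddress.ip_address(a)))
    return addrs


def classify_peers(peers: Iterable[str], expected: Set[str]) -> Dict[str, List[str]]:
    """Split observed peers into those matching a configured server and the rest."""
    result: Dict[str, List[str]] = {"expected": [], "unexpected": []}
    for p in peers:
        key = "expected" if str(ipaddress.ip_address(p)) in expected else "unexpected"
        result[key].append(p)
    return result


def iptables_rules(expected: Set[str]) -> List[str]:
    """Allow NTP only to the configured servers.

    ACCEPT rules use -I so they land above any DROP rules already appended
    with -A (post #2); the catch-all for our own outbound traffic is REJECT
    rather than DROP so ntpd fails fast instead of timing out.
    """
    rules = []
    for a in sorted(expected, key=ipaddress.ip_address):
        rules.append(f"iptables -I OUTPUT -p udp -d {a} --dport 123 -j ACCEPT")
        rules.append(f"iptables -I INPUT -p udp -s {a} --sport 123 -j ACCEPT")
    rules.append("iptables -A OUTPUT -p udp --dport 123 -j REJECT")
    rules.append("iptables -A INPUT -p udp --sport 123 -j DROP")
    return rules


if __name__ == "__main__":
    names = configured_servers(SAMPLE_NTP_CONF)
    expected = expected_addresses(names, resolve_stub)
    verdict = classify_peers(SAMPLE_PEERS, expected)
    print("configured:", names)
    print("expected  :", sorted(expected))
    print("unexpected:", verdict["unexpected"])
    print("\n".join(iptables_rules(expected)))
```

One caveat a defender should keep in mind: pool names such as 0.ubuntu.pool.ntp.org return different addresses on each lookup, so the set you resolve now will not exactly match what ntpd was handed at boot, and an address-based allow-list built from pools will break as the pool rotates. Pinning a few specific servers in ntp.conf, or allowing replies via conntrack state rather than by source port, is more robust than a static source-port rule.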
 