Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Yesterday I installed Lubuntu 16.04 on my HDD and discovered some very strange traffic, both incoming and outgoing, on the ntp port, listed under 123/udp.
After researching the connecting IPs I found out that most of them correspond to local software businesses and IT firms.
I checked the traffic with iftop, which showed that multiple bytes, in some cases even +1KB, were sent to and received from those IPs.
The NTP daemon in Lubuntu uses port 123, usually UDP. You need that running to synchronize time. The utility "iftop" might not be what gives the best overview. Try "netstat" instead.
(About blocking it with iptables, that's not necessarily a good idea. But if you really want to block it, you'll need to use -I for insert so that the new rules come at the top of the chain. Since you are planning to block your own traffic you might want to use REJECT instead of DROP at least for the OUTPUT chain.)
Thank you for the reply!
That seems to have worked, thank you.
Are ntp and 123/udp the same thing, or is one a part of the other?
Could only blocking 123/udp still leave some room for other IPs to connect via ntp?
You can try -ntp or -ntlp. Those have nothing to do with NTP per se; it's just that the useful options in this case happen to be -n, -t, -p, and sometimes -l. See the manual page for what those options do:
One thing left to do is to figure out how to synchronize the clock now.
You can adjust your iptables rules to allow NTP traffic to and from proper NTP servers. You can see the right servers in /etc/ntp.conf
About the 'wrong' servers, you can capture some of that traffic to a file using "tcpdump" and then examine the file at your leisure with either "tcpdump" itself or something graphical like "wireshark". Just don't run "wireshark" as root; it's got too many moving parts, so to speak.
I have done a little more research and it seems that the ntp port generally causes a lot of issues and suspicious traffic for a lot of Ubuntu users.
The screenshot I provided definitely indicates that those IPs sent multiple bytes and in some cases even KBytes.
Would it even be possible for that to contain malware?
I mean, it's a fresh install of Ubuntu; if this port was known to be so dangerous, why would it be opened by default?
About the connections on port 123, you might check some server names. You can get a list of the servers with "grep":
Code:
grep '^server' /etc/ntp.conf
That will give you a list of five or six server pools. If you look up each name in DNS, you will find multiple IP numbers. Then if you look those numbers up individually, you'll see that they resolve to other names as well. Are those names the ones you are seeing in your observations?
Part of running a system is learning what is normal traffic.
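The comparison that post describes, with the configured pool names resolved to addresses and set against the addresses seen on 123/udp, as an added example that is not from the thread. The ntp.conf excerpt, the DNS table and the observed-peer list are constructed; `dns_resolver` is the variant that queries real DNS instead of the table.

```python
import re
import socket

# Constructed ntp.conf excerpt in the style of an Ubuntu install (sample, not a real file).
SAMPLE_NTP_CONF = """\
server 0.ubuntu.pool.ntp.org iburst
server 1.ubuntu.pool.ntp.org iburst
pool 2.ubuntu.pool.ntp.org iburst
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery limited
"""

# Constructed stand-in for DNS (documentation-range addresses); each pool name fans out to several hosts.
FAKE_DNS = {
    "0.ubuntu.pool.ntp.org": ["192.0.2.10", "192.0.2.11"],
    "1.ubuntu.pool.ntp.org": ["198.51.100.5"],
    "2.ubuntu.pool.ntp.org": ["203.0.113.7", "203.0.113.8"],
    "ntp.ubuntu.com": ["198.51.100.99"],
}

# Constructed list of remote addresses seen talking to 123/udp (e.g. from a tcpdump capture).
OBSERVED_PEERS = ["192.0.2.11", "203.0.113.7", "192.0.2.200"]


def configured_servers(conf_text):
    """Hostnames from 'server' and 'pool' lines, like grep '^server' /etc/ntp.conf."""
    names = []
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(server|pool)\s+(\S+)", line)
        if m:
            names.append(m.group(2))
    return names

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

def dns_resolver(name):
    """Live variant: every IPv4 address the name resolves to right now (needs network)."""
    infos = socket.getaddrinfo(name, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

def classify_peers(observed, conf_text, resolve):
    """Split observed peer IPs into those explained by the configured pools and the rest."""
    expected = set()
    for name in configured_servers(conf_text):
        expected.update(resolve(name))
    result = {"configured": [], "unexpected": []}
    for ip in observed:
        result["configured" if ip in expected else "unexpected"].append(ip)
    return result
```

Pool DNS answers rotate, so an address that was a legitimate peer an hour ago may be missing from the current reply; check the peers ntpd actually selected (`ntpq -p`) before treating an address as unexpected.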