Has my FreeNAS server been hijacked?

Status
Not open for further replies.

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
I just rebooted my router, and noticed some worrying messages :-

Oct 12 10:13:35 freenas kernel: bge0: link state changed to DOWN
Oct 12 10:13:35 freenas ntpd[1596]: sendto(193.40.133.142) (fd=22): No route to host
Oct 12 10:13:38 freenas kernel: bge0: link state changed to UP
Oct 12 10:13:57 freenas kernel: bge0: link state changed to DOWN
Oct 12 10:14:28 freenas ntpd[1596]: sendto(193.219.61.110) (fd=22): No route to host
Oct 12 10:14:38 freenas ntpd[1596]: sendto(193.40.133.142) (fd=22): No route to host
Oct 12 10:14:42 freenas ntpd[1596]: sendto(77.245.18.26) (fd=22): No route to host
Oct 12 10:15:32 freenas ntpd[1596]: sendto(193.219.61.110) (fd=22): No route to host
Oct 12 10:15:43 freenas ntpd[1596]: sendto(193.40.133.142) (fd=22): No route to host
Oct 12 10:15:45 freenas ntpd[1596]: sendto(77.245.18.26) (fd=22): No route to host
Oct 12 10:16:14 freenas kernel: bge0: link state changed to UP

Now, normally I would not be alarmed at the failure of an NTP route to host, but I checked the IP addresses above and none of them relate to the 3 x NTP servers I have set up on FreeNAS (I am using the standard freebsd.pool.ntp.org servers). The IP addresses above are all located in Lithuania & Estonia - another reason for me to worry, as I prefer to have no interaction with these countries. Also, I checked the web and found a vulnerability does exist with the NTP daemon (ntpd).

So, my questions are :-

- Why is my NTP daemon trying to "send" to the above IP addresses?
- Is there a valid reason that I need to have NTP daemon running?
- If not, how do I turn it off (as it seems like an unnecessary security risk)?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The NTP pool project consists of far more than three servers. If you prefer not to have interactions with random parties on the Internet, perhaps you shouldn't use a service that is explicitly designed to pick random servers on the Internet and let you use them for time service. This isn't a FreeNAS issue.
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
> ...perhaps you shouldn't use a service that is explicitly designed to pick random servers on the Internet and let you use them for time service. This isn't a FreeNAS issue.

Sorry, I'm not sure I understand you? I never said it was a FreeNAS issue for a start, and I did ask how to turn the NTP service off, as I don't really need it.

Anyone else want to help?
 

Stephens

Patron
Joined
Jun 19, 2012
Messages
496
I don't know the answer to your question about making FreeNAS not use or enable NTP, but what happens if you go to settings-->general and remove the NTP servers? Or better yet, pick one you're comfortable with instead of a random pool. I think that was jgreco's point. Would you feel the same, for instance, if instead of shady.location.net it was using time.windows.com (or whatever it is)? It IS nice to have your server keep accurate time.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The original poster's message suggests that there's a misunderstanding of what the NTP pool project is. If you ask for the address record for "0.freebsd.pool.ntp.org", you'll get an answer - but the next time, you'll (probably) get a different answer. About a decade ago, my friends at Netgear wrote some software that accidentally pounded on my friends at the University of Wisconsin, Madison. At the time, there was no abstracted method to obtain NTP time, and Netgear had wired in a hostname or IP address or something, and then flubbed something in their code that made their products essentially launch a denial of service attack against UW's clock. In the decade since, the NTP project has attempted to migrate vendors away from such abuses of specific servers, both by making large pools of Stratum Two servers available (to shoulder the normal load), and by asking vendors to use DNS subdomains that identify the vendor, so urgent issues can at least be mitigated through DNS updates.

If you use the pool service, there's no guarantee that you'll end up with any particular server. However, I believe that it will attempt to find servers "close" to you, rather than ones on the other side of the planet. If you happen to be close to Lithuania and Estonia, and there are quality servers there, you'll likely end up being pointed at them.

If you don't want to use those servers, then by all means, use the NTP servers that your ISP supplies.
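An added triage example, not part of the original thread: ntpd resolves pool hostnames once at startup, so the log shows IP addresses rather than the configured names, and the useful check is whether each logged `sendto()` destination is one of the peers ntpd itself reports via `ntpq -pn`. The sample log and peer table are constructed (the three addresses come from the first post, 203.0.113.50 is a documentation address added as a non-peer), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: syslog lines in the format quoted in the first post.
SAMPLE_LOG='Oct 12 10:13:35 freenas kernel: bge0: link state changed to DOWN
Oct 12 10:14:28 freenas ntpd[1596]: sendto(193.219.61.110) (fd=22): No route to host
Oct 12 10:14:38 freenas ntpd[1596]: sendto(193.40.133.142) (fd=22): No route to host
Oct 12 10:14:42 freenas ntpd[1596]: sendto(77.245.18.26) (fd=22): No route to host
Oct 12 10:15:02 freenas ntpd[1596]: sendto(203.0.113.50) (fd=22): No route to host
Oct 12 10:16:14 freenas kernel: bge0: link state changed to UP'

# Constructed sample of `ntpq -pn` output (two header lines, then one peer per line).
SAMPLE_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*193.40.133.142  192.0.2.1        2 u   33   64  377   45.123    0.512   0.230
+193.219.61.110  192.0.2.2        2 u   12   64  377   48.900   -0.301   0.411
 77.245.18.26    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# stdin: syslog text. stdout: unique destinations of ntpd sendto() failures.
log_ips() {
  sed -n 's/.* ntpd\[[0-9]*\]: sendto(\([^)]*\)).*/\1/p' | sort -u
}

# stdin: `ntpq -pn` output. stdout: unique peer addresses.
# Column 1 of each peer line is the tally code (space, *, +, -, ...), so drop it.
peer_ips() {
  awk 'NR > 2 { split(substr($0, 2), f, " "); print f[1] }' | sort -u
}

# $1: syslog text, $2: `ntpq -pn` output.
# stdout: logged destinations that are NOT current ntpd peers.
unexplained_ips() {
  peers=$(printf '%s\n' "$2" | peer_ips)
  printf '%s\n' "$1" | log_ips | while read -r ip; do
    printf '%s\n' "$peers" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

# Stand-alone run on the constructed samples: only the non-peer address is listed.
unexplained_ips "$SAMPLE_LOG" "$SAMPLE_PEERS"
```

On a live system the same function can be fed real data, for example `unexplained_ips "$(cat /var/log/messages)" "$(ntpq -pn)"`, assuming the messages are logged to `/var/log/messages`. An empty result means every logged destination is a server ntpd is configured to talk to.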
 

strawdog74

Dabbler
Joined
May 23, 2012
Messages
42
Thanks guys - that all makes sense. Happy I've not been compromised :smile:

To avoid polling Central/Eastern Europe for NTP updates, I have changed my servers to the following :-

server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org

As these are more relevant to my location... although I never tried deleting all the servers, in case it caused my server to fail! :p
 