Netgate Discussion Forum
    Minimizing Unexpected NTP server alerts

    Traffic Monitoring
    2 Posts 1 Posters 718 Views
    LamaZ (last edited by LamaZ)

      Is your server constantly port scanned for open/vulnerable NTP (UDP/123) servers which generates alerts?

      I am literally scanned almost every couple of minutes by hostile countries, which generates an insane amount of "Unexpected NTP server" alerts. I finally did something about it. Port scans should only be in one direction, so all I had to do was check if the flow is bidirectional. Meaning, I really want to know IF somebody on my network answered.

      Modify /var/db/ntopng/plugins0/callbacks/interface/flow/unexpected_ntp.lua as follows:

      --- /var/db/ntopng/plugins0/callbacks/interface/flow/unexpected_ntp.lua.original	2021-04-16 05:54:16.434988000 -0400
      +++ /var/db/ntopng/plugins0/callbacks/interface/flow/unexpected_ntp.lua	2021-04-16 06:06:40.935610000 -0400
      @@ -67,7 +67,7 @@
       	 end
             end
       
      -      if ok == 0 then
      +      if ok == 0 and flow.isBidirectional() then
       	 flow.triggerStatus(
       	    flow_consts.status_types.status_unexpected_ntp.create(
       	       flow_consts.status_types.status_unexpected_ntp.alert_severity,
      
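Review bot: the `and flow.isBidirectional()` guard added to the `if ok == 0` line silences the alert for every one-way flow, not only inbound scans; an internal client's own query to a non-whitelisted NTP server that has not been answered when this callback runs is suppressed as well, so the change should state when the callback fires and whether a later reply re-evaluates the flow. Also, the hunk patches the generated copy under /var/db/ntopng/plugins0, which the follow-up post notes is copied from /usr/local/share/ntopng/scripts/plugins/...; applying the same one-line change at the source location would survive the next regeneration or upgrade.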

      I restarted ntopng because I couldn't figure out how to get it to reload a single user script.

      Details:
      Added a call to flow.isBidirectional() on line 70 which is the result of checking against the known/expected NTP servers before generating the alert.

      Enjoy fewer alerts!

      -LamaZ

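      The decision the patch makes, modelled as a stand-alone Lua script so it can be run without ntopng. This is an added example, not ntopng's code or LamaZ's: the flow records, the `expected_ntp_servers` table and the `is_bidirectional`/`should_alert` helpers are constructed here and stand in for ntopng's own flow API and known-server check. The fourth sample flow shows the case the bidirectional guard also silences: an internal client's query to an unlisted server that has not been answered yet.

```lua
-- Added example (not ntopng code): a model of the patched "unexpected NTP
-- server" check. Flow records and helper names are constructed for
-- illustration and only mimic the shape of ntopng's flow callbacks.

-- Constructed: the site's known/expected NTP servers (the "ok" check).
local expected_ntp_servers = {
  ["192.0.2.10"] = true,
}

-- Stand-in for flow.isBidirectional(): packets seen in both directions.
local function is_bidirectional(f)
  return f.cli2srv_pkts > 0 and f.srv2cli_pkts > 0
end

-- Returns (alert, reason). An alert is raised only when the server side is
-- UDP/123, the server is not an expected one, and, as in the patch, the flow
-- carried traffic both ways, i.e. something actually answered.
local function should_alert(f, expected)
  if f.proto ~= "udp" or f.srv_port ~= 123 then
    return false, "not NTP"
  end
  if expected[f.srv_ip] then
    return false, "expected server"
  end
  if not is_bidirectional(f) then
    return false, "one-way flow (scan or unanswered query)"
  end
  return true, "unexpected NTP server answered"
end

-- Constructed sample flows (RFC 5737 documentation addresses).
local flows = {
  -- inbound probe of the WAN address, nothing replied: no alert
  { cli_ip = "198.51.100.7",  srv_ip = "203.0.113.1",   proto = "udp", srv_port = 123, cli2srv_pkts = 1, srv2cli_pkts = 0 },
  -- an internal host answered an external client on UDP/123: alert
  { cli_ip = "198.51.100.7",  srv_ip = "192.0.2.50",    proto = "udp", srv_port = 123, cli2srv_pkts = 2, srv2cli_pkts = 2 },
  -- normal sync with the site's own server: no alert
  { cli_ip = "192.0.2.20",    srv_ip = "192.0.2.10",    proto = "udp", srv_port = 123, cli2srv_pkts = 1, srv2cli_pkts = 1 },
  -- internal client querying an unlisted external server, unanswered so far:
  -- also silenced by the bidirectional guard (the trade-off of the patch)
  { cli_ip = "192.0.2.20",    srv_ip = "198.51.100.99", proto = "udp", srv_port = 123, cli2srv_pkts = 1, srv2cli_pkts = 0 },
}

for _, f in ipairs(flows) do
  local alert, why = should_alert(f, expected_ntp_servers)
  print(string.format("%-15s -> %-15s alert=%-5s (%s)",
                      f.cli_ip, f.srv_ip, tostring(alert), why))
end
```

      Run it with any Lua 5.x interpreter (`lua model.lua`); only the second flow produces `alert=true`. If the unanswered outbound case matters on your network, the guard would need to distinguish flow direction (client inside vs. outside) rather than rely on bidirectionality alone.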
      LamaZ

        Just upgraded to 21.05. This still works after reapplying the patch. I just figured out that the file is actually somewhere else and then likely gets copied to the /var folder.

        /usr/local/share/ntopng/scripts/plugins/alerts/security/unexpected_ntp/user_scripts/flow/unexpected_ntp.lua

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.