Minimizing Unexpected NTP server alerts
-
Is your server constantly port scanned for open/vulnerable NTP (UDP/123) servers which generates alerts?
I am literally scanned almost every couple of minutes by hostile countries, which generates an insane amount of "Unexpected NTP server" alerts. I finally did something about it. Port scans should only be in one direction, so all I had to do was check if the flow is bidirectional. Meaning, I really want to know IF somebody on my network answered.
Modify
/var/db/ntopng/plugins0/callbacks/interface/flow/unexpected_ntp.lua
as follows:--- /var/db/ntopng/plugins0/callbacks/interface/flow/unexpected_ntp.lua.original 2021-04-16 05:54:16.434988000 -0400 +++ /var/db/ntopng/plugins0/callbacks/interface/flow/unexpected_ntp.lua 2021-04-16 06:06:40.935610000 -0400 @@ -67,7 +67,7 @@ end end - if ok == 0 then + if ok == 0 and flow.isBidirectional() then flow.triggerStatus( flow_consts.status_types.status_unexpected_ntp.create( flow_consts.status_types.status_unexpected_ntp.alert_severity,
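Review bot: the new condition `if ok == 0 and flow.isBidirectional() then` suppresses every one-way flow to an unknown server, not only inbound scan probes; an internal client whose NTP requests to an unapproved server go unanswered, or whose replies take a path the sensor does not see, will no longer raise the alert either. Add a short comment above that line recording the trade-off, and note that a probe an internal host actually answers still alerts, which is the case the change is meant to keep.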
I restarted ntopng because I couldn't figure out how to get it to reload a single user script.
Details:
Added a call to flow.isBidirectional() on line 70, which is the result of checking against the known/expected NTP servers before generating the alert.
Enjoy fewer alerts!
-LamaZ
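To show what the extra condition changes, here is an added stand-alone model of the decision (not ntopng's code or API, and not part of the original post): constructed flow summaries are classified under the original rule and under the patched rule, with `is_bidirectional()` standing in for ntopng's flow.isBidirectional().

```python
from dataclasses import dataclass

NTP_PORT = 123


@dataclass
class Flow:
    """Constructed flow summary (hypothetical, not an ntopng object)."""
    client: str
    server: str
    server_port: int
    pkts_client_to_server: int
    pkts_server_to_client: int

    def is_bidirectional(self) -> bool:
        # Mirrors the intent of flow.isBidirectional(): both sides sent a packet
        return self.pkts_client_to_server > 0 and self.pkts_server_to_client > 0


def unexpected_ntp(flow: Flow, expected_servers: set, require_bidirectional: bool) -> bool:
    """True when the flow should raise 'Unexpected NTP server'.

    expected_servers: the known/expected NTP server addresses.
    require_bidirectional: False = original script, True = patched script.
    """
    if flow.server_port != NTP_PORT:
        return False
    ok = flow.server in expected_servers        # the script's known-server check
    if ok:
        return False
    if require_bidirectional and not flow.is_bidirectional():
        return False                            # one-way probe: nobody answered
    return True


def alerts(flows, expected_servers, require_bidirectional):
    """Servers that would be reported, in input order."""
    return [f.server for f in flows
            if unexpected_ntp(f, expected_servers, require_bidirectional)]


# Constructed sample flows (documentation addresses, not real hosts)
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 123, 1, 0),   # inbound probe, no answer
    Flow("203.0.113.7", "192.0.2.11", 123, 1, 1),   # internal host answered the probe
    Flow("192.0.2.20", "198.51.100.5", 123, 4, 4),  # internal client, unapproved server
    Flow("192.0.2.20", "192.0.2.1", 123, 4, 4),     # approved server
]
EXPECTED_SERVERS = {"192.0.2.1"}

if __name__ == "__main__":
    print("original:", alerts(SAMPLE_FLOWS, EXPECTED_SERVERS, False))
    print("patched: ", alerts(SAMPLE_FLOWS, EXPECTED_SERVERS, True))
```

The unanswered probe drops out under the patched rule, while a host that replied and a client using an unapproved server are still reported.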
-
Just upgraded to 21.05. This still works after re-applying the patch. I just figured out that the file is actually somewhere else and then likely gets copied to the /var folder.
/usr/local/share/ntopng/scripts/plugins/alerts/security/unexpected_ntp/user_scripts/flow/unexpected_ntp.lua