    Netgate Discussion Forum
    NTP package upgrade to 2.4.8p9

    Installation and Upgrades
      bharath last edited by

      Hi,

      I'm a newbie to pfSense (and this is my first post), however I have been using it as a virtual router for separate networks in my env.
      I'm using: 2.3.2-RELEASE on a VM Image.
      My WAN IP gets scanned and I got a report that the NTP version is subject to: "NTP server is affected by a denial of service vulnerability".

      So I looked around a lot in different forums/sites etc to try and update the NTP server on my system (ntpd 4.2.8p8@1.3265) to 4.2.8p9. I have downloaded the 4.2.8p9.gz file but not sure how to install it (and whether I need to MAKE it). Not very savvy in that area either.

      I even modified the repos (mentioned in other PfSense links) to temporarily enable FreeBSD to see if I can update it from there but no luck when I try to run pkg update or pkg install ntp.
      I tried the pkg_add command but it is not found.

      Can someone help me with this?

      Thanks,
      Bharath

        johnpoz LAYER 8 Global Moderator last edited by

        You should be able to manually add it from the freebsd packages
        http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/ntp-4.2.8p9_1.txz

        I will try doing it on my install.. Post back the instruction..

        edit:  Ok not going to recommend you do this..  Best solution would be to request that pfsense add this to their repo..

        So you can grab the above, and seems you also need
        http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/libwww-5.4.0_6.txz

        so use fetch with the above urls - then install with

        pkg install ntp-4.2.8p9_1.txz
        pkg install libwww-5.4.0_6.txz

        then you will see that your ntp is updated

        [2.3.2-RELEASE][root@pfsense.local.lan]/tmp: ntpd --help
        ntpd - NTP daemon program - Ver. 4.2.8p9
        Usage:  ntpd [ - <flag>[<val>] | --<name>[{=| }<val>] ]...
                        [ <server1>... <servern>]

        Again do this at your own risk, normally bad idea to install packages on your own..

        What I highly suggest if you're going to do it, since you're on a VM, take a snapshot!!!  then if update of the  "libmd5.so.0" breaks anything you can just rollback

        edit: my links are to 64bit, if for some odd reason you're on 32bit do not use those links.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          doktornotor Banned last edited by

          To state the obvious, you should NOT open NTP on your WAN in the first place.

            johnpoz LAYER 8 Global Moderator last edited by

            ^ agreed!!  Unless you fully know what you're doing ;)  I wouldn't host ntp to the public internet off my firewall for example.. But I do serve up ntp to ntp pool from stratum 1 ntp server I run inside..

            But maybe pfsense is internal to his network, and wan on his pfsense is not really "public"

            "been using it as a virtual router for separate networks in my env."

            Maybe he has some internal security process that is scanning their internal devices and giving him grief.. If this is an internal ntp server I really don't see the issues with p8 being a problem..

              phil.davis last edited by

              Note that 2.3.3-DEVELOPMENT and 2.4-BETA have p9:

              [2.3.3-DEVELOPMENT][root@pfSense.localdomain]/root: ntpd --version
              ntpd 4.2.8p9@1.3265-o Mon Jan  2 18:58:30 UTC 2017 (1)
              
              
              [2.4.0-BETA][root@pfSense.localdomain]/root: ntpd --version
              ntpd 4.2.8p9@1.3265-o Mon Jan  2 18:55:14 UTC 2017 (1)
              
              

              Of course that is not much help if you are not in a position to update to a DEV/BETA.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
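
An added example, not part of any post in this thread: a small sh script that pulls the ntpd version out of the two banner formats shown above and compares it numerically against 4.2.8p9, so that a later p10 is not ranked below p9. The function names are made up for this example, and the banners in the loop are copied from the posts.

```shell
#!/bin/sh
# Added example: compare an ntpd banner against a minimum patch level.

# Pull "4.2.8p9" out of either banner format shown in the thread.
ntp_version_of() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?' | head -n 1
}

# ntp_at_least <have> <want>: exit 0 when have >= want. Fields are compared
# as numbers, so 4.2.8p10 ranks above 4.2.8p9; a missing pN counts as p0.
ntp_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, /[.p]/); nw = split(want, w, /[.p]/)
        for (i = 1; i <= 4; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nw) ? w[i] + 0 : 0
            if (a != b) exit ((a > b) ? 0 : 1)
        }
        exit 0
    }'
}

# check_banner <banner> <minimum>: prints a verdict and returns
# 0 = at or above the minimum, 1 = outdated, 2 = no version found.
check_banner() {
    ver=$(ntp_version_of "$1") || true
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no version in banner"; return 2
    fi
    if ntp_at_least "$ver" "$2"; then
        echo "OK: $ver >= $2"; return 0
    fi
    echo "OUTDATED: $ver < $2"; return 1
}

# Banners from the thread: p8 from the first post, p9 from the replies.
for banner in \
    'ntpd 4.2.8p8@1.3265' \
    'ntpd - NTP daemon program - Ver. 4.2.8p9' \
    'ntpd 4.2.8p9@1.3265-o Mon Jan  2 18:58:30 UTC 2017 (1)'
do
    check_banner "$banner" 4.2.8p9 || true
done
# On a live system: check_banner "$(ntpd --version 2>&1 | head -n 1)" 4.2.8p9
```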

                bharath last edited by

                Thank you guys. Yes, both comments are valid:

                To state the obvious, you should NOT open NTP on your WAN in the first place.

                But maybe pfsense is internal to his network, and wan on his pfsense is not really "public"

                Yes the WAN is not public however IT Nessus scans can see it as the machine is 'public' to them. I've modified the NTP settings and have enabled NTP only on the LAN interface and after rescanning the system the scan doesn't show the security hole anymore.

                The reason I wanted to patch it myself is to understand how it can be done and moreover actually plug the hole.
                I have already taken a snapshot of the PfSense VM so I will try with the URL mentioned to install 4.2.8p9.

                Thanks again
                Bharath

                  bharath last edited by

                  @johnpoz

                  Thank you for the steps to download/install the patch. It worked perfectly! I didn't know of that URL to fetch the FreeBSD packages although I came across similar ones.

                  Bharath
