Sun ZFS Storage 7320
 
Oracle ZFS Storage Appliance Racked System ZS4-4
 
Oracle ZFS Storage ZS5-4
 
Sun Storage 7210 Unified Storage System
 
Oracle ZFS Storage ZS3-BA
 
Oracle ZFS Storage ZS3-2
 
Sun Storage 7410 Unified Storage System
 
Oracle ZFS Storage ZS3-4
 
Sun ZFS Storage 7420
 
Oracle ZFS Storage ZS5-2
 
Oracle ZFS Storage ZS4-4
 
Sun Storage 7310 Unified Storage System
 
Sun Storage 7110 Unified Storage System
 
Sun ZFS Storage 7120
 

PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS
 

In this Document

Goal

Solution

How to disable monlist

How to Confirm an Authorization Key

How to Setup an Authorization Key

Confirm on the NAS that NTP is configured with a authkey

Examples of Auth Keys

References

References

Created from <SR 3-8427504791>

Applies to:

Goal

The NTP client has a vulnerability to NTP spoofing.

Solution

This is a NTP server side issue - NTP clients within the subnet should be setup with Auth Keys to the NTP server.

The NTP server (public-facing IP address) set the “noquery” directive to avoid spoofing the NTP IP address.

How to disable monlist

Disable “monlist” within the NTP server

To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:

Start the NTP daemon with noquery enabled in the NTP conf file.

Solaris /etc/inet/ntp.conf

NOTE: While possible, specifying the password on ntpdc's command line like  ntpdc -c "keyid 1" -c "passwd pw" -c "other_command"  is NOT recommended.

How to Confirm an Authorization Key

How to Setup an Authorization Key

To associate authentication keys with servers via the CLI, the serverkeys property should be set to a list of values in which each value is a key to be associated with the corresponding server in the servers property.

If a server does not use authentication, the corresponding server key should be set to 0.

For example, to use the key created to authenticate the server "carp":

MD5 A 1-to-8 character ASCII string, using the MD5 authentication scheme. md5secret

Confirm on the NAS that NTP is configured with a authkey

Examples of Auth Keys

After the keys have been specified, an NTP server can be associated with a particular private key.

For a given key, all of the key number, key type and private key values must match between client and server for an NTP server to be authenticated.

References

The 'HELP' in the NAS Brower User Interface (BUI) can help with setting up NTP keys
https:// hostname :215/#configuration/services=ntp
https:// hostname :215/wiki/index.php/Configuration:Services:NTP
NTP Attacks CVE-2013-5211 - http://www.us-cert.gov/ncas/alerts/TA14-013A

Sun Storage 7000 Unified Storage System: Configuring the ZFSSA for Active Directory (Doc ID 1402154.1)
Configuration / Services / NTP

  Server Settings: If NTP is configured on the network, enter the server IP and authorization keys if applicable. See MSKB Document #816042 (http://support.microsoft.com/kb/816042) for details on how to configure NTP on a Windows Server. Active Directory will not tolerate a time difference of more than five minutes (by default). It is strongly recommended that NTP is used to keep the server time of the ZFSSA synchronized with the AD servers.

  Clock: If NTP is not available, determine the current time of the Domain Controller(s), and manually set the time of the system being used for administration to this time. Click the "sync" button in the BUI to set the server time to match the administration workstation time. Note that this is a one-time setting, and if either the ZFSSA clock or the Domain Controller clocks drift out of sync Active Directory connectivity may be lost.


Sun Storage 7000 Unified Storage System: How to sync to an NTP Server that is behind (in time) the NAS Appliance (Doc ID 1561520.1)

***Checked for relevance on 25-MAY-2018***

References

This solution has no attachment