IP address from de.pool.ntp.org detected as malicious

Hi,

The IP 94.16.114.254, which is a member of the pool de.pool.ntp.org, is detected as malicious and blocked on our IPS.
Many vendors recognize this IP as malicious: VirusTotal

Can this IP be re-evaluated as to whether it should be present in the pool?

Regards,
Borut

That IP leads to this server.

Looks to me like your ISP uses too harsh a firewall, as most systems do not consider the IP to be problematic.

Typical automatic systems tag IPs all too often and very quickly.

It’s a mailserver, and abuse does happen when you offer it to people.

If all IPs should be blocked where it happens, then Google and Microsoft wouldn’t have any IPs left, as they are the spam-kings of the internet.

1 Like

My first thought (as a volunteer and not as anyone with any authority) is that the NTP pool should concern itself only with whether the IPs it serves up are suitable as time sources and nothing else. To do more, such as what you suggest, would require coming up with criteria for inclusion or exclusion that don’t have anything to do with NTP.

Whether the NTP pool serves a given IP address does not affect whether or not that IP address can communicate with any other given IP address. I.e., anyone who is concerned about receiving packets from that IP address will need to firewall it off anyway, regardless of whether the NTP pool would suggest it. Anyone who wants to firewall any given IP address can and should make that decision independent of what the NTP pool thinks about that.

Additionally, I think it is a bad precedent for the NTP pool to start making determinations about the “security” / “safety” status of IP addresses it does not control.

So in summary, I think the NTP pool shouldn’t do anything that’s not related to measuring suitability for timekeeping, and people should continue being responsible for what they choose to firewall off (or not).

</opinion>

10 Likes

I think it is not the job of the pool operators to school security pipples about overgeneralized carpet bans. That being said, your ITsec lemur should know better.

1 Like

My two cents: I think there could be “common sense” limits (precisely what being an exercise left to the reader). For example, if a known bad actor started running a bunch of pool servers, the admins might feel their contribution is not needed.

But I don’t really want good NTP servers to get deleted every time some cybersecurity clown tries to crack down on people who’ve done nothing wrong.

Edit: A compromised server running 15 different cryptominers is probably not providing the highest quality time service, and is likely to get unplugged anyway.

1 Like

In my experience, the main reason pool systems get flagged like this is because as well as being in the pool, they are also TOR nodes. Many privacy-focused users on unmetered hosting plans like to do this. But TOR can also originate malicious traffic because it’s just passing on whatever the user of the TOR network is doing.

The only criterion which is relevant to it being in the pool is whether it is providing good time, which it is: pool.ntp.org: Statistics for 94.16.114.254

4 Likes
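Two points run through the replies above: the pool should judge a server only on whether it provides good time, and whether to firewall its IP is a separate decision for the receiving network. As an added illustration, not part of the original thread and not the pool's own monitoring code, the Python below decodes an NTPv4 server reply (RFC 5905 header layout) and scores it purely on timekeeping grounds: clock offset and round-trip delay from the four timestamps, leap indicator, stratum, and kiss-o'-death codes. The packets are constructed sample data, not captures from 94.16.114.254, and the 128 ms offset and 1 s delay thresholds are assumed cut-offs chosen for the example.

```python
import struct
from typing import Dict, List, Tuple

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800


def unix_to_ntp(t: float) -> int:
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(t)
    frac = min(int(round((t - whole) * (1 << 32))), 0xFFFFFFFF)
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def ntp_to_unix(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return ((ts >> 32) - NTP_UNIX_DELTA) + (ts & 0xFFFFFFFF) / (1 << 32)


def parse_ntp_packet(packet: bytes) -> Dict:
    """Decode the 48-byte NTPv4 header (RFC 5905, Figure 8) into a dict."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp,
     ref_id, ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack("!BBbbII4sQQQQ", packet[:48])
    return {
        "leap": li_vn_mode >> 6,                 # 3 = clock not synchronized
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,                # 4 = server reply
        "stratum": stratum,                      # 0 = kiss-o'-death / unspecified
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 65536.0,      # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
        "ref_id": ref_id,                        # KoD ASCII code when stratum == 0
        "reference": ntp_to_unix(ref_ts),
        "origin": ntp_to_unix(orig_ts),          # T1: client transmit time, echoed back
        "receive": ntp_to_unix(recv_ts),         # T2: server receive time
        "transmit": ntp_to_unix(xmit_ts),        # T3: server transmit time
    }


def offset_and_delay(reply: Dict, t4: float) -> Tuple[float, float]:
    """RFC 5905 clock offset and round-trip delay; t4 is the client's receive time."""
    t1, t2, t3 = reply["origin"], reply["receive"], reply["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def assess_time_source(reply: Dict, t4: float, max_offset: float = 0.128,
                       max_delay: float = 1.0) -> Tuple[bool, List[str]]:
    """Accept or reject one reply on timekeeping grounds only; thresholds are assumptions."""
    reasons: List[str] = []
    if reply["mode"] != 4:
        reasons.append(f"unexpected mode {reply['mode']} (expected 4, server)")
    if reply["leap"] == 3:
        reasons.append("leap indicator 3: server clock not synchronized")
    if reply["stratum"] == 0:
        reasons.append(f"kiss-o'-death or unspecified stratum, code {reply['ref_id']!r}")
    elif reply["stratum"] > 15:
        reasons.append(f"stratum {reply['stratum']} is invalid (>15)")
    offset, delay = offset_and_delay(reply, t4)
    if delay < 0:
        reasons.append("negative round-trip delay: timestamps are inconsistent")
    if abs(offset) > max_offset:
        reasons.append(f"offset {offset:+.3f}s exceeds {max_offset}s")
    if delay > max_delay:
        reasons.append(f"round-trip delay {delay:.3f}s exceeds {max_delay}s")
    return (not reasons), reasons


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 2, leap: int = 0,
                       ref_id: bytes = b"\xc0\x00\x02\x01") -> bytes:
    """Construct a sample NTPv4 mode-4 reply (test data, not a real capture)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -23,
                       int(0.010 * 65536), int(0.005 * 65536), ref_id,
                       unix_to_ntp(t3 - 30), unix_to_ntp(t1), unix_to_ntp(t2), unix_to_ntp(t3))


# Constructed exchange: server clock is 50 ms ahead of the client, 20 ms one-way delay.
T1 = 1700000000.000                  # client sends request (client clock)
T4 = 1700000000.041                  # client receives reply (client clock)
GOOD_REPLY = build_server_reply(T1, 1700000000.070, 1700000000.071)
KOD_REPLY = build_server_reply(T1, 1700000000.070, 1700000000.071, stratum=0, ref_id=b"RATE")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REPLY), ("kod", KOD_REPLY)):
        reply = parse_ntp_packet(pkt)
        ok, why = assess_time_source(reply, T4)
        print(name, "offset/delay = %+.3f / %.3f s" % offset_and_delay(reply, T4), ok, why)
```

The real pool monitors apply the same kind of criteria repeatedly from several vantage points and score servers over time; a single sample like this only shows what "providing good time" is measured against, and that nothing in the check depends on any reputation of the IP.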