NTP activity blocked - alternate configuration?

Hi there

My firewall blocked NTP communication to 207.244.70.35, which the Hubitat was trying to communicate with yesterday. It appears to be an NTP call, and it is blocked because the server is classified as being the source of malware and proxy attack. Think this classification is recent, as this is the first alert I’ve seen on this (assuming the Hubitat updates its time regularly).

Am wondering if this is an issue requiring I adjust the NTP address on the Hubitat, or is it one of many sources that the Hubitat addresses?

Thanks

PS: looking at the reason for the firewall block, it looks like that server is an email/spam relay with high volumes of email, and some are malicious ... which basically dings its reputation ... Not an issue for an NTP call ... that said ... would like to remove it from the Hubitat as an NTP source and add a more trusted source (if required)

Found an NTP device and using that ... however would like to remove that NTP config from the Hubitat to stop future comms to the blocked NTP server

As far as I know, there is currently no way to change the baked-in NTP address the hub goes to, and the device you found is the only alternative, which lets you use an internal server as well if you want.

Some routers allow you to trap and redirect all NTP traffic to a local NTP server. My Asus router running AsusWRT-Merlin supports this.
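The NTP redirect mentioned above, sketched as an added example (not code from this thread or from AsusWRT-Merlin): a shell function that prints the iptables NAT rules for steering one device's NTP queries to a local NTP server. The interface name `br0`, the sample addresses and the function names are assumptions, and the rules assume the router's FORWARD chain already permits LAN-to-LAN traffic.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables NAT rules that steer one
# client's NTP queries to a local NTP server. Addresses are constructed.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: ntp_redirect_rules HUB_IP NTP_IP [LAN_IF]
#   HUB_IP  device whose NTP queries are captured (e.g. the hub)
#   NTP_IP  local NTP server on the same LAN; LAN_IF defaults to br0 (assumed)
ntp_redirect_rules() {
    hub=$1 ntp=$2 lan_if=${3:-br0}
    is_ipv4 "$hub" && is_ipv4 "$ntp" || { echo "invalid IPv4 address" >&2; return 2; }
    [ "$hub" != "$ntp" ] || { echo "hub and NTP server must differ" >&2; return 2; }
    # Rewrite the destination of every NTP query from the hub that is not
    # already addressed to the local server.
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $hub ! -d $ntp -p udp --dport 123 -j DNAT --to-destination $ntp:123"
    # Hub and server share a LAN, so the reply would otherwise go straight
    # to the hub from an address it never queried and be dropped.
    # Masquerading the query sends the reply back through the router's NAT.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -s $hub -d $ntp -p udp --dport 123 -j MASQUERADE"
}

# Constructed sample values: hub at 192.168.1.50, NTP server at 192.168.1.10.
ntp_redirect_rules 192.168.1.50 192.168.1.10
```

Review the printed rules before piping them to `sh` as root on the router; if the router itself is the NTP server, a single `REDIRECT` rule in PREROUTING replaces both.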

@okellyro Have you reported this finding to Hubitat Support at support@hubitat.com? If that server is on the naughty list, they would probably like to remove it as well. Although I am guessing that they are actually hitting a DNS name (e.g. pool.ntp.org) that resolves to multiple addresses for load balancing and reliability.


Reported now ... and good point on the NTP redirect


PS: Actually like the NTP device approach ...


It seems very odd that they would be using that address for ntp.


I don’t know ....

Here is the log entry

Destination Information

Site 207.244.70.35 is located in United States.
Address block 207.244.64.0/18 is owned by organization Leaseweb USA, Inc., located in Manassas, United States
Destination port: 123- Network Time Protocol (NTP), used for time synchronization

Security Intelligence
Site 207.244.70.35 is marked as malware , Proxy attack ....

Could also be that there is absolutely nothing wrong with Hubitat, the NTP call, the NTP address etc. etc. Instead, the problem lies with the Firewall & misconfiguration...
Just saying.

Possible the FW is the problem; however, it verifies through an online Cisco intelligence service which aggregates various information and reports

Looks like that server has been recorded by 2 different blacklist services and that its spam volumes are increasing and reputation decreasing ... never good that

You can set the hub's date via app and driver. Maybe this community app will help you from @dan.t:


Thanks man ... that’s exactly what was needed... have it up and running using time.google.com and it’s kicking along perfectly
