Date: Fri, 27 Dec 2013 16:16:24 -0700
From: Ian Lepore <ian@FreeBSD.org>
To: Xin LI <delphij@FreeBSD.org>
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: svn commit: r259973 - head/etc
Message-ID: <1388186184.1158.156.camel@revolution.hippie.lan>
In-Reply-To: <201312272306.rBRN6GON067322@svn.freebsd.org>
References: <201312272306.rBRN6GON067322@svn.freebsd.org>
On Fri, 2013-12-27 at 23:06 +0000, Xin LI wrote: > Author: delphij > Date: Fri Dec 27 23:06:15 2013 > New Revision: 259973 > URL: http://svnweb.freebsd.org/changeset/base/259973 > > Log: > Tighten default restrictions for ntpd(8) server and provide a link > to NTP access restriction documentation. > > The new default restrictions would allow only time queries from a > remote system and will KoD all other requests, but still allow > localhost to do make all requests. > > These restrictions are also recommended for all Internet-facing > public NTP servers. > > This changeset is intended for an instant MFC to stable/10 and > releng/10.0. > > Modified: > head/etc/ntp.conf > > Modified: head/etc/ntp.conf > ============================================================================== > --- head/etc/ntp.conf Fri Dec 27 23:00:56 2013 (r259972) > +++ head/etc/ntp.conf Fri Dec 27 23:06:15 2013 (r259973) > @@ -17,7 +17,7 @@ > # users with a static IP and good upstream NTP servers to add a server > # to the pool. See http://www.pool.ntp.org/join.html if you are interested. > # > -# The option `iburst' is used for faster initial synchronisation. > +# The option `iburst' is used for faster initial synchronization. > # > server 0.freebsd.pool.ntp.org iburst > server 1.freebsd.pool.ntp.org iburst 
> @@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst > # server 2.CC.pool.ntp.org iburst > > # > -# Security: Only accept NTP traffic from the following hosts. > -# The following configuration example only accepts traffic from the > -# above defined servers. > +# Security: > +# > +# By default, only allow time queries and block all other requests > +# from unauthenticated clients. > +# > +# See http://support.ntp.org/bin/view/Support/AccessRestrictions > +# for more information. > +# > +restrict default kod nomodify notrap nopeer noquery > +restrict -6 default kod nomodify notrap nopeer noquery > +# > +# Alternatively, the following rules would block all unauthorized access. > +# > +#restrict default ignore > +#restrict -6 default ignore > +# > +# In this case, all remote NTP time servers also need to be explicitly > +# allowed or they would not be able to exchange time information with > +# this server. > # This comment is incorrect. To quote the ntpd docs for nopeer: Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. In other words, peer relationships which are explicitly configured in the ntp.conf file(s) are not affected, the nopeer option only prevents *packets* that would create a new peer association. > # Please note that this example doesn't work for the servers in > # the pool.ntp.org domain since they return multiple A records. > -# (This is the reason that by default they are commented out) > # > -#restrict default ignore > #restrict 0.pool.ntp.org nomodify nopeer noquery notrap > #restrict 1.pool.ntp.org nomodify nopeer noquery notrap > #restrict 2.pool.ntp.org nomodify nopeer noquery notrap The foregoing implies that these lines aren't needed. 
> -#restrict 127.0.0.1 > -#restrict -6 ::1 > -#restrict 127.127.1.0 > +# > +# The following settings allow unrestricted access from the localhost > +restrict 127.0.0.1 > +restrict -6 ::1 > +restrict 127.127.1.0 > > # > # If a server loses sync with all upstream servers, NTP clients -- Ian
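Review bot: in the second hunk the new `restrict default kod nomodify notrap nopeer noquery` and `restrict -6 default ...` lines set `kod` without `limited`, yet the log message says other requests "will KoD". ntpd emits a kiss-o'-death (refid `RATE`) for a packet that the `limited` rate check rejects; a mode 6/7 query refused by `noquery` is dropped without any reply. Either add `limited` so the flag has something to act on (`restrict default kod limited nomodify notrap nopeer noquery`, and the same for the `-6` line), or drop the KoD wording from the log and from the "block all other requests" comment so readers don't expect a KoD on every blocked query. The pool-related paragraph kept below the new text ("Please note that this example doesn't work for the servers in the pool.ntp.org domain ...") now refers to the commented-out `restrict default ignore` alternative only; it should say so, since with the new `kod ... noquery` default the per-server `restrict 0.pool.ntp.org` lines are not needed at all.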
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1388186184.1158.156.camel>
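To check what the new default actually does from a client's point of view, the probe below sends the three packet types that the restrict flags distinguish: a mode-3 time request (still answered under `kod nomodify notrap nopeer noquery`), a mode-6 `readvar` control query (what `ntpq -c rv` sends, refused by `noquery`) and the 8-byte mode-7 `monlist` request (refused by `noquery` as well). It also recognises a kiss-o'-death reply, which is how a `limited kod` server says no. This is an added example written for this page, not code from FreeBSD or ntp.org; the packet builders follow RFC 5905 and the ntpd control/private formats, the target host and port are command-line assumptions, and the two `SAMPLE_*_REPLY` byte strings are constructed by hand so the parsing can be exercised offline.

```python
#!/usr/bin/env python3
"""Probe an ntpd's access restrictions from the outside.

With the new FreeBSD default (restrict default kod nomodify notrap nopeer
noquery) a host should still answer a mode-3 time request but drop mode-6
(ntpq) and mode-7 (ntpdc, monlist) control queries; with `restrict default
ignore` it answers nothing.  Added example, not code from FreeBSD or ntp.org.
"""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_client_request(version=4):
    """48-byte mode-3 (client) packet with only the transmit timestamp filled in."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | 3          # LI=0, VN, mode=3
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", pkt, 40, secs, frac)     # transmit timestamp
    return bytes(pkt)


def build_mode6_readvar():
    """12-byte mode-6 control packet, opcode 2 (READVAR) with an empty
    variable list, i.e. what `ntpq -c rv` sends.  Refused by `noquery`."""
    li_vn_mode = (0 << 6) | (2 << 3) | 6              # ntpq uses version 2
    r_e_m_op = 2                                      # R=0 E=0 M=0 opcode=READVAR
    # sequence=1, status=0, association id=0, offset=0, count=0
    return struct.pack("!BBHHHHH", li_vn_mode, r_e_m_op, 1, 0, 0, 0, 0)


def build_mode7_monlist():
    """Mode-7 private request, implementation 3 (XNTPD), request code 42
    (MON_GETLIST_1), in the 8-byte form used by monlist scanners.  Refused
    by `noquery` as well."""
    # byte 0: response=0 more=0 version=2 mode=7 -> 0x17; byte 1: auth=0 seq=0
    # byte 2: implementation; byte 3: request code; then err/nitems, mbz/itemsize
    return bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])


def classify_response(data):
    """Classify the reply to a mode-3 request: 'time', 'kod:<code>' or 'invalid'.
    A kiss-o'-death is a mode-4 packet with stratum 0 and an ASCII kiss code
    (e.g. RATE, DENY) in the reference-id field (RFC 5905 section 7.4)."""
    if len(data) < 48 or (data[0] & 0x07) != 4:
        return "invalid"
    stratum = data[1]
    refid = data[12:16]
    if stratum == 0 and refid.isalpha():
        return "kod:" + refid.decode("ascii")
    return "time"


def server_time(data):
    """Unix time carried in the transmit timestamp of a 48-byte server reply."""
    secs, frac = struct.unpack_from("!II", data, 40)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def probe(host, port=123, timeout=2.0):
    """Send the three probes and report what (if anything) came back."""
    family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    results = {}
    for name, pkt in (("mode3 client", build_client_request()),
                      ("mode6 readvar", build_mode6_readvar()),
                      ("mode7 monlist", build_mode7_monlist())):
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, addr)
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                results[name] = "no reply (dropped)"
                continue
            if name == "mode3 client":
                results[name] = classify_response(data)
            else:
                results[name] = "ANSWERED (%d bytes): restriction not in effect" % len(data)
    return results


# Constructed sample replies (not captured from a real server) so the parsing
# can be exercised offline: a stratum-2 answer and a RATE kiss-o'-death.
SAMPLE_TIME_REPLY = (bytes([0x24, 0x02, 0x03, 0xE9]) + b"\x00" * 8 + bytes([192, 168, 1, 1])
                     + b"\x00" * 24 + struct.pack("!II", 3597174984, 0))
SAMPLE_KOD_REPLY = bytes([0x24, 0x00, 0x03, 0xE9]) + b"\x00" * 8 + b"RATE" + b"\x00" * 32

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, verdict in probe(target).items():
        print("%-14s %s" % (name, verdict))
```

Run it against a host you administer before and after installing the new ntp.conf. With the committed default you should see `time` for the mode-3 probe and `no reply (dropped)` for the other two; with the commented-out `restrict default ignore` alternative all three are dropped; with the old unrestricted file all three are answered, which is the state that made public ntpd instances usable as monlist amplifiers. Note that from localhost, where the new `restrict 127.0.0.1` line applies, the control queries are answered, so test from a second machine.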