Date: Sun, 12 Jan 2014 23:15:52 +0100 From: Fabian Wenk <fabian@wenks.ch> To: freebsd-security@freebsd.org Subject: Re: UNS: Re: NTP security hole CVE-2013-5211? Message-ID: <52D31418.2000802@wenks.ch> In-Reply-To: <52CF8243.7060906@delphij.net> References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu> <52CF8243.7060906@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Xin On 10.01.2014 06:16, Xin Li wrote: > On 1/9/14, 7:14 PM, Garrett Wollman wrote: >> <<On Thu, 09 Jan 2014 21:08:41 +0700, Eugene Grosbein >> <eugen@grosbein.net> said: >> >>> Other than updating ntpd, you can filter out requests to >>> 'monlist' command with 'restrict ... noquery' option that >>> disables some queries for the internal ntpd status, including >>> 'monlist'. >> >> For a "pure" client, I would suggest "restrict default ignore" >> ought to be the norm. (Followed by entries to unrestrict localhost >> over v4 and v6.) > > That would block clock synchronization too, unless one explicitly > unrestrict all NTP servers. With pool.ntp.org, this is not really > practical. > > The current default on head stable branches should work for most people. I just check out through svnweb, but I would suggest the following settings, which will properly work for all versions of ntpd. See also the added 'limited' options, it helps to protect from spoofed amplification attacks too: # by default, don't trust and don't allow modifications # see -> https://support.ntp.org/bugs/show_bug.cgi?id=320 # should be fixed with ntp-4.2.5p178 (or later), eg. -4 / -6 not # needed any more restrict -4 default limited kod notrap nomodify nopeer noquery restrict -6 default limited kod notrap nomodify nopeer noquery restrict default limited kod notrap nomodify nopeer noquery bye Fabian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52D31418.2000802>