From owner-freebsd-security Fri Apr 13 10:49: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 3097337B43F for ; Fri, 13 Apr 2001 10:49:02 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBQS5500.OZI; Fri, 13 Apr 2001 10:48:41 -0700 Message-ID: <3AD73C0B.6ED45D83@globalstar.com> Date: Fri, 13 Apr 2001 10:48:59 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Drew Derbyshire Cc: Steve Reid , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net> <004601c0c412$4ea81e70$94cba8c0@hh.kew.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Drew Derbyshire wrote: > > From: "Steve Reid" > > None of the advisories I've seen released (FreeBSD or otherwise) have > > listed "restrict" directives in ntp.conf as a workaround. Is this > > because it is not sufficient, or are the people writing the advisories > > not aware of it, or other? > > > Restricting by address is subject to spoofing of course, > > IMHO ... I believe the comment in the advisory that specifically points out > spoofing is a problem is why restrict is not listed as workaround. The > official workarounds have to be bulletproof. For machines working only as an NTP "client," you can enter a 'noquery' restrict statement for all machines, restrict default ignore restrict noquery restrict noquery ... restrict 127.0.0.1 noquery Including the servers it queries and localhost. The machine can still sync to the servers (YMMV), and it is safe from this specific vulnerability. Spoofing does not enter into the picture. (Note: Putting 'noquery' on the loopback might be a problem for xntpd, but I have not noticed problems for ntpd.) -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message