Date: Tue, 14 Jan 2014 15:32:05 +0100 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Ferdinand Goldmann <ferdinand.goldmann@jku.at> Cc: freebsd-security@freebsd.org, Xin LI <d@delphij.net>, Palle Girgensohn <girgen@freebsd.org> Subject: Re: NTP security hole CVE-2013-5211? Message-ID: <868uuibpne.fsf@nine.des.no> In-Reply-To: <97DABA91-0F6E-4109-992D-A3ADFE799018@jku.at> (Ferdinand Goldmann's message of "Tue, 14 Jan 2014 15:00:27 %2B0100") References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <97DABA91-0F6E-4109-992D-A3ADFE799018@jku.at>
next in thread | previous in thread | raw e-mail | index | archive | help
Ferdinand Goldmann <ferdinand.goldmann@jku.at> writes: > Dag-Erling Sm=C3=B8rgrav <des@des.no> writes: > > Doesn't "restrict noquery" block monlist in 4.2.6? > I think it should be possible to block it using: > > disable monitor > > seems to work for me. That disables monlist across the board, whereas the restrict mechanism allows you to disable it selectively: restrict default nomodify nopeer noquery notrap restrict localhost not quite as fine-grained, though, since "disable monitor" only disables monlist while "restrict noquery" blocks all ntpq / ntpdc queries. Of course, the default behavior for a sensible NTP implementation should be to ignore everything except time queries. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?868uuibpne.fsf>