UNS: Re: NTP security hole CVE-2013-5211?
Xin Li
delphij at delphij.net
Fri Jan 10 05:16:54 UTC 2014
On 1/9/14, 7:14 PM, Garrett Wollman wrote:
> <<On Thu, 09 Jan 2014 21:08:41 +0700, Eugene Grosbein
> <eugen at grosbein.net> said:
>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>
> For a "pure" client, I would suggest "restrict default ignore"
> ought to be the norm. (Followed by entries to unrestrict localhost
> over v4 and v6.)

That would block clock synchronization too, unless one explicitly
unrestricts all NTP servers. With pool.ntp.org, this is not really
practical.

The current default on head stable branches should work for most people.

Cheers,
More information about the freebsd-security
mailing list
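
The trade-off discussed in the message above, as an added example that is not part of the original thread: a small audit of ntp.conf `restrict` lines that reports whether `monlist`-style queries are denied by default and whether a default of `ignore` also cuts off configured time servers. Both sample configurations are constructed, and the check compares server names literally against `restrict` entries, which is a simplification.

```python
# Added example: audit ntp.conf 'restrict' lines for the two properties
# discussed in the thread. Both SAMPLE_* configurations are constructed.
SAMPLE_NOQUERY = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org iburst
"""
SAMPLE_IGNORE = """\
restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org iburst
"""

def parse(conf):
    """Return (restrict entries as (address, flags), configured server names)."""
    restricts, servers = [], []
    for raw in conf.splitlines():
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) < 2:
            continue
        if tok[0] in ("server", "pool"):
            servers.append(tok[1])
        elif tok[0] == "restrict":
            flags = tok[2:]
            if flags[:1] == ["mask"]:
                flags = flags[2:]  # skip 'mask <netmask>'
            restricts.append((tok[1], set(flags)))
    return restricts, servers

def audit(conf):
    restricts, servers = parse(conf)
    defaults = [f for addr, f in restricts if addr == "default"]
    # Addresses given their own entry without 'ignore' override the default.
    exempt = {addr for addr, f in restricts if addr != "default" and "ignore" not in f}
    sync_blocked = any("ignore" in f for f in defaults)
    return {
        # 'noquery' denies ntpq/ntpdc queries such as monlist; 'ignore' denies all packets.
        "monlist_blocked": bool(defaults) and all(f & {"noquery", "ignore"} for f in defaults),
        "localhost_unrestricted": {"127.0.0.1", "::1"} <= exempt,
        # Under 'ignore', replies from servers without their own entry are dropped too.
        "servers_cut_off": [s for s in servers if sync_blocked and s not in exempt],
    }

if __name__ == "__main__":
    for name, conf in (("noquery", SAMPLE_NOQUERY), ("ignore", SAMPLE_IGNORE)):
        print(name, audit(conf))
```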