UNS: Re: NTP security hole CVE-2013-5211?
Fabian Wenk
fabian at wenks.ch
Sun Jan 12 22:15:11 UTC 2014
Hello Xin
On 10.01.2014 06:16, Xin Li wrote:
> On 1/9/14, 7:14 PM, Garrett Wollman wrote:
>> <<On Thu, 09 Jan 2014 21:08:41 +0700, Eugene Grosbein
>> <eugen at grosbein.net> said:
>>
>>> Other than updating ntpd, you can filter out requests to
>>> 'monlist' command with 'restrict ... noquery' option that
>>> disables some queries for the internal ntpd status, including
>>> 'monlist'.
>>
>> For a "pure" client, I would suggest "restrict default ignore"
>> ought to be the norm. (Followed by entries to unrestrict localhost
>> over v4 and v6.)
>
> That would block clock synchronization too, unless one explicitly
> unrestrict all NTP servers. With pool.ntp.org, this is not really
> practical.
>
> The current default on head stable branches should work for most people.
I just check out through svnweb, but I would suggest the
following settings, which will properly work for all versions of
ntpd. See also the added 'limited' options, it helps to protect
from spoofed amplification attacks too:
# by default, don't trust and don't allow modifications
# see -> https://support.ntp.org/bugs/show_bug.cgi?id=320
# should be fixed with ntp-4.2.5p178 (or later), eg. -4 / -6 not
# needed any more
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict default limited kod notrap nomodify nopeer noquery
bye
Fabian
More information about the freebsd-security
mailing list