NTP security hole CVE-2013-5211?
Dag-Erling Smørgrav
des at des.no
Tue Jan 14 14:32:10 UTC 2014
Ferdinand Goldmann <ferdinand.goldmann at jku.at> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Doesn't "restrict noquery" block monlist in 4.2.6?
> I think it should be possible to block it using:
>
> disable monitor
>
> seems to work for me.
That disables monlist across the board, whereas the restrict mechanism
allows you to disable it selectively:

    restrict default nomodify nopeer noquery notrap
    restrict localhost

not quite as fine-grained, though, since "disable monitor" only disables
monlist while "restrict noquery" blocks all ntpq / ntpdc queries.

Of course, the default behavior for a sensible NTP implementation should
be to ignore everything except time queries.
DES
--
Dag-Erling Smørgrav - des at des.no
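
Added example (not part of the original message, and not code from ntpd or FreeBSD): a small Python check over ntp.conf text that reports which of the two settings discussed above is in effect and whether non-local clients could still issue monlist. The sample configurations and the host name ntp.example.org are constructed, and the check assumes that a plain "restrict default" line covers both IPv4 and IPv6.

```python
# Added example: audits ntp.conf text for "disable monitor" and
# "restrict default ... noquery", the two settings discussed in the thread.
# Assumption: a plain "restrict default" covers both IPv4 and IPv6.

def audit_ntp_conf(conf_text):
    """Report whether non-local clients can still issue monlist."""
    monitor_enabled = True                   # monitoring is on unless disabled
    default_flags = {"4": None, "6": None}   # None = no default restrict line
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
        elif keyword == "restrict":
            families = [f for f in ("4", "6") if "-" + f in args] or ["4", "6"]
            args = [a for a in args if a not in ("-4", "-6")]
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])
    # noquery (or ignore) must be on the default entry of every address family
    blocked = all(
        flags is not None and bool(flags & {"noquery", "ignore"})
        for flags in default_flags.values()
    )
    return {
        "monitor_enabled": monitor_enabled,          # False: monlist off for everyone
        "remote_queries_blocked": blocked,           # True: all ntpq/ntpdc queries refused
        "remote_monlist_possible": monitor_enabled and not blocked,
    }

# Constructed sample configurations.
SAMPLES = {
    "unrestricted": "server ntp.example.org\n",
    "disable_monitor": "server ntp.example.org\ndisable monitor\n",
    "restrict_noquery": (
        "server ntp.example.org\n"
        "restrict default nomodify nopeer noquery notrap  # from the message\n"
        "restrict localhost\n"
    ),
    "ipv4_only": "restrict -4 default noquery\n",   # IPv6 default left open
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_ntp_conf(text))
```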