Default configuration of ntp-4.2.6p5-9 is vulnerable to DDoS participation
Bartosz Lis
bartoszl at ics.p.lodz.pl
Fri Oct 3 13:54:11 CEST 2014
Hello,
See: https://bugzilla.redhat.com/show_bug.cgi?id=1047854
"users can disable monitor functionality using 'disable monitor' command in
the /etc/ntp.conf. Note that use of 'restrict' command with 'limited' flag
also enables monitor functionality even when 'disable monitor' command is
used."
I suggest updating the ntp.conf file found in the ntp.git project with the following
patch:
----8<----8<----
--- ntp.conf-orig 2014-10-03 13:35:16.000000000 +0200
+++ ntp.conf 2014-10-03 13:49:43.000000000 +0200
@@ -13,10 +13,15 @@ driftfile /var/lib/ntp/drift
# ASCII file pub/leap-seconds.
leapfile /etc/ntp/ntp.leapseconds
+# !! Important !!
+# !! To not participate in NTP based DDoS attacks keep the following line
+# !! and do not use ``limited'' option in ``restrict'' sentences.
+disable monitor
+
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
-restrict default kod limited nomodify notrap nopeer noquery
-restrict -6 default kod limited nomodify notrap nopeer noquery
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
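Review bot: Dropping `limited` from both `restrict default` lines removes ntpd's per-client rate limiting, not just the monitor list, and the `kod` flag left on those lines only sends its RATE kiss-o'-death to clients that exceed the `discard` limits that `limited` enforces, so after this hunk `kod` sits there doing nothing for ordinary clients. Either say in the new comment that rate limiting is being traded away so that the monitor list is guaranteed empty (the quoted bug report is the only justification on the page), or keep `limited` and rely on `noquery`, which both lines already carry, to refuse the monlist query from `default`. Minor wording: "To not participate in NTP based DDoS attacks" reads awkwardly; suggest "To avoid participating in NTP-based DDoS amplification attacks".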
----8<----8<----
--
Bartosz Lis
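The interaction the bug report describes (a `restrict ... limited` entry keeping the monitor list alive despite `disable monitor`) is easy to miss by eye in a long ntp.conf. The following audit script is an added example, not part of the original mail or of the ntp project; it scans ntp.conf text for that combination and also flags any `restrict default` line that lacks `noquery`, the flag that refuses remote ntpq/ntpdc queries such as monlist. The three sample configurations are constructed for the example: the stock ntp.git file before the patch, a half-fixed file with only `disable monitor` added, and the file as patched above.

```python
"""Audit ntp.conf for the 'disable monitor' vs 'restrict ... limited' trap.

Added example; the sample configurations below are constructed, not taken
from any real host.
"""
from dataclasses import dataclass, field

# Constructed sample: the ntp.git default before the patch in the mail.
ORIGINAL_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample: 'disable monitor' added but 'limited' kept (still active).
HALF_FIXED_CONF = """\
disable monitor
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
"""

# Constructed sample: the file as patched in the mail.
PATCHED_CONF = """\
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""


@dataclass
class NtpConfAudit:
    """Result of scanning one ntp.conf."""
    monitor_disabled: bool = False                          # 'disable monitor' in effect
    limited_lines: list = field(default_factory=list)       # (lineno, text) of restrict lines with 'limited'
    open_default_lines: list = field(default_factory=list)  # 'restrict default' lines lacking 'noquery'

    @property
    def monitor_active(self) -> bool:
        # Per the Red Hat bug quoted in the mail: any 'limited' restriction
        # re-enables the monitor list even when 'disable monitor' is present.
        return (not self.monitor_disabled) or bool(self.limited_lines)


def _parse_restrict(args):
    """Split 'restrict' arguments into (address, flags), skipping -4/-6 and 'mask X'."""
    args = [a for a in args if a not in ("-4", "-6")]
    if not args:
        return None, []
    address, rest = args[0], args[1:]
    if rest[:1] == ["mask"] and len(rest) >= 2:
        rest = rest[2:]
    return address, rest


def audit_ntp_conf(text: str) -> NtpConfAudit:
    """Scan ntp.conf text line by line; comments after '#' are ignored."""
    res = NtpConfAudit()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        cmd, args = tok[0].lower(), [t.lower() for t in tok[1:]]
        if cmd in ("enable", "disable") and "monitor" in args:
            # ntpd applies enable/disable in file order, so the last one wins.
            res.monitor_disabled = cmd == "disable"
        elif cmd == "restrict":
            address, flags = _parse_restrict(args)
            if "limited" in flags:
                res.limited_lines.append((lineno, raw.strip()))
            if address == "default" and "noquery" not in flags:
                res.open_default_lines.append((lineno, raw.strip()))
    return res


def report(text: str) -> list:
    """Human-readable findings, one string per problem (empty list if clean)."""
    res = audit_ntp_conf(text)
    out = []
    if res.monitor_active:
        why = "no 'disable monitor'" if not res.monitor_disabled else "'limited' re-enables it"
        out.append("monitor list is active (%s)" % why)
    for lineno, line in res.limited_lines:
        out.append("line %d: 'limited' keeps the monitor list populated: %s" % (lineno, line))
    for lineno, line in res.open_default_lines:
        out.append("line %d: default restriction lacks 'noquery': %s" % (lineno, line))
    return out


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF),
                       ("half-fixed", HALF_FIXED_CONF),
                       ("patched", PATCHED_CONF)):
        print("== %s ==" % name)
        for line in report(conf) or ["clean"]:
            print("  " + line)
```

Run it against `/etc/ntp.conf` by reading the file into `report()`; a clean result means the monitor list cannot be populated and remote hosts cannot query it, which is the belt-and-braces state the patch above aims for.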