Hello Xin
On 10.01.2014 06:16, Xin Li wrote:
> On 1/9/14, 7:14 PM, Garrett Wollman wrote:
>> <<On Thu, 09 Jan 2014 21:08:41 +0700, Eugene Grosbein
>> <[email protected]> said:
>>> Other than updating ntpd, you can filter out requests to the
>>> 'monlist' command with the 'restrict ... noquery' option, which
>>> disables some queries for the internal ntpd status, including
>>> 'monlist'.
>> For a "pure" client, I would suggest "restrict default ignore"
>> ought to be the norm. (Followed by entries to unrestrict localhost
>> over v4 and v6.)
> That would block clock synchronization too, unless one explicitly
> unrestricts all NTP servers. With pool.ntp.org, this is not really
> practical.
> The current default on head/stable branches should work for most people.
I just checked it out through svnweb, but I would suggest the
following settings, which will work properly for all versions of
ntpd. See also the added 'limited' option; it helps to protect
against spoofed amplification attacks too:
# by default, don't trust and don't allow modifications
# see -> https://support.ntp.org/bugs/show_bug.cgi?id=320
# should be fixed with ntp-4.2.5p178 (or later), e.g. -4 / -6 not
# needed any more
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict default limited kod notrap nomodify nopeer noquery
bye
Fabian
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
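Added example, not code from this thread or from the ntp project: a small POSIX sh audit that flags an ntp.conf whose default restriction still answers ntpdc queries such as monlist, run over three constructed sample configs (the classic open config with no "restrict default" at all, a partially hardened one that dropped noquery, and the settings posted above combined with the unrestricted-localhost entries Garrett mentioned). Function names, temp-file names and the sample configs are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit ntp.conf files for a default
# restriction that still answers ntpq/ntpdc queries (mode 7 "monlist" included),
# and show the hardened client config from the thread with localhost unrestricted.
# Sample configs below are constructed for this example.

# Print only the lines that set the default restriction ("restrict default",
# "restrict -4 default", "restrict -6 default"), trailing comments removed.
ntp_default_restrictions() {
    grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$1" \
        | sed 's/#.*//'
}

# Exit 0 (true) when the file still answers monlist: either no default
# restriction is set at all (ntpd's compiled-in default allows queries), or
# some default line carries neither "ignore" nor "noquery".
ntp_conf_monlist_exposed() {
    defaults=$(ntp_default_restrictions "$1")
    [ -n "$defaults" ] || return 0
    if printf '%s\n' "$defaults" | grep -vqE '[[:space:]](ignore|noquery)([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

# One-line verdict per file, suitable for running over a fleet.
audit_ntp_conf() {
    if ntp_conf_monlist_exposed "$1"; then
        echo "$1: EXPOSED - default restriction still answers ntpdc queries such as monlist"
    else
        echo "$1: ok - default restriction denies queries"
    fi
}

# --- constructed sample configs (hypothetical file names) --------------------
weak_conf=$(mktemp -t ntpweak.XXXXXX)        # the classic open config
partial_conf=$(mktemp -t ntppartial.XXXXXX)  # hardened, but noquery was dropped
hardened_conf=$(mktemp -t ntphard.XXXXXX)    # the thread's settings + localhost
trap 'rm -f "$weak_conf" "$partial_conf" "$hardened_conf"' EXIT

cat > "$weak_conf" <<'EOF'
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
EOF

cat > "$partial_conf" <<'EOF'
server 0.pool.ntp.org iburst
restrict default limited kod notrap nomodify nopeer   # no noquery: monlist still answered
restrict 127.0.0.1
EOF

cat > "$hardened_conf" <<'EOF'
# Time sources. pool.ntp.org addresses rotate, so "restrict default ignore"
# would need a matching unrestrict line per server and is impractical here.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

# Deny ntpq/ntpdc queries (mode 6/7, monlist included), runtime modification,
# trap registration and unsolicited peer associations; rate-limit the rest.
# Replies from the configured servers are still accepted, so the clock syncs.
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery

# Local administration via ntpq/ntpdc stays possible.
restrict 127.0.0.1
restrict -6 ::1
EOF

for f in "$weak_conf" "$partial_conf" "$hardened_conf"; do
    audit_ntp_conf "$f"
done
```

To check a real host, call audit_ntp_conf /etc/ntp.conf instead of the samples. Note that 'limited' and 'kod' only rate-limit; it is 'noquery' (or 'ignore') that actually stops monlist, which is why the audit keys on those two words. After restarting ntpd on a host you control, "ntpdc -n -c monlist <host>" from another machine should get no reply rather than a client list.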