From 2401ade3c48771097456046da3347c884908d3a1 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Fri, 3 Jan 2020 10:42:45 +0800
Subject: ntp: restrict NTP mode 6 queries

The current NTP server responds to mode 6 queries from any clients. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

See:
https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/

Update ntp.conf to restrict NTP mode 6 queries.

Signed-off-by: Yi Zhao
Signed-off-by: Khem Raj
---
 meta-networking/recipes-support/ntp/ntp/ntp.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'meta-networking/recipes-support/ntp')

diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf
index 676e186453..b59003092b 100644
--- a/meta-networking/recipes-support/ntp/ntp/ntp.conf
+++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf
@@ -14,4 +14,8 @@ driftfile /var/lib/ntp/drift
 server 127.127.1.0
 fudge 127.127.1.0 stratum 14
 # Defining a default security setting
-restrict default
+restrict -4 default notrap nomodify nopeer noquery
+restrict -6 default notrap nomodify nopeer noquery
+
+restrict 127.0.0.1 # allow local host
+restrict ::1 # allow local host
-- 
cgit v1.2.3-54-g00ecf
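Review bot: The retained comment `# Defining a default security setting` no longer explains what the two new default `restrict` lines deny or why the loopback entries that follow are unrestricted; a reader of ntp.conf should not have to find this commit to understand it. Replace it with `# Deny control/status queries (mode 6/7), runtime modification, and peering from all hosts by default; the loopback entries below keep local ntpq/ntpdc working.` so the `noquery` intent (the amplification issue cited in the commit message) is stated next to the directives. Note that `restrict 127.0.0.1` and `restrict ::1` carry no flags, so anything on the host can still issue control and modification requests; that is the stated intent, but a short comment such as `# loopback: full access for local administration` would make the scope explicit. If the full ntp.conf (only the tail is visible in this hunk) also lists upstream `server` entries, consider pairing this with `restrict source notrap nomodify noquery` so upstream peers keep the same restrictions without an allow-all entry per server, and `kod limited` on the default lines if rate-limiting of abusive clients is wanted in addition to the query block.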