| field | value | date |
|---|---|---|
| author | Yi Zhao <yi.zhao@windriver.com> | 2020-01-03 10:42:45 +0800 |
| committer | Khem Raj <raj.khem@gmail.com> | 2020-01-03 13:56:00 -0800 |
| commit | 2401ade3c48771097456046da3347c884908d3a1 (patch) | |
| tree | c07be1cc4516c5b9ad7ddeddd2eed3f62e7dcfe1 | |
| parent | 5b15fb9c839a276220651946efd1d1a303ff0d45 (diff) | |
| download | meta-openembedded-contrib-2401ade3c48771097456046da3347c884908d3a1.tar.gz | |
ntp: restrict NTP mode 6 queries
The current NTP server responds to mode 6 queries from any client.
Devices that respond to these queries have the potential to be used in
NTP amplification attacks. An unauthenticated, remote attacker could
potentially exploit this, via a specially crafted mode 6 query, to cause
a reflected denial of service condition.
See: https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/
Update ntp.conf to restrict NTP mode 6 queries.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/ntp/ntp/ntp.conf | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf index 676e186453..b59003092b 100644 --- a/meta-networking/recipes-support/ntp/ntp/ntp.conf +++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf @@ -14,4 +14,8 @@ driftfile /var/lib/ntp/drift server 127.127.1.0 fudge 127.127.1.0 stratum 14 # Defining a default security setting -restrict default +restrict -4 default notrap nomodify nopeer noquery +restrict -6 default notrap nomodify nopeer noquery + +restrict 127.0.0.1 # allow local host +restrict ::1 # allow local host |
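Review bot: the two new `restrict -4 default` / `restrict -6 default` lines stop control and monitor queries but leave ordinary mode 3 time requests, which the server must still answer, unlimited; consider adding `kod limited` to both lines so abusive clients are rate-limited and sent a Kiss-o'-Death packet. The comment `# Defining a default security setting` survives from the old file, where the bare `restrict default` it described imposed no restriction at all; updating it to say what the flags now deny (and why both address families and the two loopback exceptions are needed) would save the next reader a trip to the ntp.conf man page. Note that `noquery` refuses both ntpq (mode 6) and ntpdc (mode 7) queries, so remote `ntpq -p` against this host will time out; `restrict 127.0.0.1` and `restrict ::1` keep local monitoring working. Finally, only `server 127.127.1.0` is visible in this hunk: if the rest of ntp.conf uses `pool` directives, `nopeer` on the default lines will block the associations they mobilize unless a matching `restrict source ...` line is added.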