author    Yi Zhao <yi.zhao@windriver.com>    2020-01-03 10:42:45 +0800
committer Khem Raj <raj.khem@gmail.com>     2020-01-03 13:56:00 -0800
commit    2401ade3c48771097456046da3347c884908d3a1 (patch)
tree      c07be1cc4516c5b9ad7ddeddd2eed3f62e7dcfe1
parent    5b15fb9c839a276220651946efd1d1a303ff0d45 (diff)
ntp: restrict NTP mode 6 queries
The current NTP server responds to mode 6 queries from any client. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

See:
https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/

Update ntp.conf to restrict NTP mode 6 queries.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r-- meta-networking/recipes-support/ntp/ntp/ntp.conf | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf
index 676e186453..b59003092b 100644
--- a/meta-networking/recipes-support/ntp/ntp/ntp.conf
+++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf
@@ -14,4 +14,8 @@ driftfile /var/lib/ntp/drift
server 127.127.1.0
fudge 127.127.1.0 stratum 14
# Defining a default security setting
-restrict default
+restrict -4 default notrap nomodify nopeer noquery
+restrict -6 default notrap nomodify nopeer noquery
+
+restrict 127.0.0.1 # allow local host
+restrict ::1 # allow local host
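Review bot: `noquery` on the two `restrict -4/-6 default` lines denies all ntpq/ntpdc control traffic (mode 6 and the legacy mode 7), not only mode 6, and `nomodify` additionally refuses runtime configuration changes from the network; the retained comment `# Defining a default security setting` should spell that out, since anyone monitoring this ntpd remotely with `ntpq -p` will now see a timeout and must run it on the host, where the trailing `restrict 127.0.0.1` / `restrict ::1` lines leave localhost fully unrestricted (including modification) as the intended exception. Time service is unaffected: `noquery`, `nomodify` and `notrap` do not touch ordinary client mode 3 requests, and `nopeer` only rejects unsolicited symmetric associations, so configured `server` lines keep working. Consider adding `limited kod` to the default lines as well, so that abusive clients are rate limited rather than only denied control access.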