From owner-freebsd-security@FreeBSD.ORG Sun Jan 12 22:15:11 2014
Message-ID: <52D31418.2000802@wenks.ch>
Date: Sun, 12 Jan 2014 23:15:52 +0100
From: Fabian Wenk
To: freebsd-security@freebsd.org
Subject: Re: UNS: Re: NTP security hole CVE-2013-5211?
References: <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu> <52CF8243.7060906@delphij.net>
In-Reply-To: <52CF8243.7060906@delphij.net>

Hello Xin

On 10.01.2014 06:16, Xin Li wrote:
> On 1/9/14, 7:14 PM, Garrett Wollman wrote:
>> <> said:
>>
>>> Other than updating ntpd, you can filter out requests to
>>> 'monlist' command with 'restrict ... noquery' option that
>>> disables some queries for the internal ntpd status, including
>>> 'monlist'.
>>
>> For a "pure" client, I would suggest "restrict default ignore"
>> ought to be the norm. (Followed by entries to unrestrict localhost
>> over v4 and v6.)
>
> That would block clock synchronization too, unless one explicitly
> unrestricts all NTP servers. With pool.ntp.org, this is not really
> practical.
>
> The current default on head and stable branches should work for most people.

I just checked it out through svnweb, but I would suggest the following
settings, which will work properly for all versions of ntpd. See also the
added 'limited' option; it helps to protect from spoofed amplification
attacks too:

# by default, don't trust and don't allow modifications
# see -> https://support.ntp.org/bugs/show_bug.cgi?id=320
# should be fixed with ntp-4.2.5p178 (or later), e.g. -4 / -6 not
# needed any more
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict default limited kod notrap nomodify nopeer noquery

bye
Fabian
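As an added example, not part of this thread and not code from the ntp project: a small Python audit that reads an ntp.conf, collects its 'restrict [-4|-6] default' lines and reports which of the flags recommended above are missing, also flagging the "restrict default ignore" variant discussed in the quoted text. The two sample configurations are constructed for the example.

```python
# Audit the 'restrict default' lines of an ntp.conf for the flags recommended
# in the message above. 'noquery' is what blocks 'monlist'; 'limited' and 'kod'
# rate-limit whatever still gets answered. Sample configs are constructed.
REQUIRED = {"limited", "kod", "notrap", "nomodify", "nopeer", "noquery"}

WEAK_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # no 'noquery': monlist answered
restrict 127.0.0.1
"""

RECOMMENDED_CONF = """\
server 0.pool.ntp.org iburst
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict default limited kod notrap nomodify nopeer noquery
restrict 127.0.0.1
"""


def default_restricts(conf_text):
    """Map address family ('-4', '-6' or 'any') to the flag set of its
    'restrict [-4|-6] default ...' line; '#' comments are stripped."""
    found = {}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        family, rest = "any", words[1:]
        if rest and rest[0] in ("-4", "-6"):
            family, rest = rest[0], rest[1:]
        if rest and rest[0] == "default":  # skip host/subnet restricts
            found[family] = set(rest[1:])
    return found


def audit(conf_text):
    """Return findings (empty list = defaults match the recommendation)."""
    defaults = default_restricts(conf_text)
    if not defaults:
        return ["no 'restrict default' line: status queries such as monlist are open"]
    findings = []
    for family, flags in sorted(defaults.items()):
        if "ignore" in flags:  # the 'pure client' variant discussed above
            findings.append(f"{family}: 'ignore' also drops the servers' replies; "
                            "sync fails unless each server is unrestricted")
            continue
        missing = sorted(REQUIRED - flags)
        if missing:
            findings.append(f"{family}: missing {' '.join(missing)}")
    return findings
```

Run `audit(open("/etc/ntp.conf").read())` on a real file; an empty list means every default restrict line carries all six flags.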