Date:      Thu, 20 Mar 2014 13:04:35 -0700
From:      Charles Swiger <cswiger@mac.com>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>
In-Reply-To: <44680.1395343983@server1.tristatelogic.com>
References:  <44680.1395343983@server1.tristatelogic.com>

Hi--

On Mar 20, 2014, at 12:33 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> Here is what I am seeing now in response to an ntpdc "peers" query.  I am
> not really all that familiar with this stuff, so if anybody else here can
> tell me if this looks messed up or not, I'd sure appreciate it.
> 
> 
>     remote           local      st poll reach  delay   offset    disp
> =======================================================================
> =nist.netservice 69.62.255.118   16 1024    0 0.00000  0.000000 3.99217
> =rook.slash31.co 69.62.255.118   16 1024    0 0.00000  0.000000 3.99217
> =96.44.142.5     69.62.255.118   16 1024    0 0.00000  0.000000 3.99217

Reachability score of 0 means you've blocked the communications.

> Of course, if this *is* messed up, then I guess that I'll have to remove
> my firewall rule, and diddle my /etc/ntp.conf file at the same time, in
> order to make sure that the Evil Ones don't come back and use & abuse me
> again.

OK, although you're making this more complicated than it needs to be.

If you don't want to provide NTP service to the outside world, leave your existing
deny rule in place but add permit rules to allow UDP traffic to and from the
NTP servers which you want to sync time from.

Regards,
-- 
-Chuck
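The two pieces of advice in this thread, checking the `reach` column for peers the firewall has cut off and allowing only the configured upstream servers through a default deny on UDP/123, are shown below as an added example. This is not code from the thread or from FreeBSD; it assumes ipfw (FreeBSD's firewall), that rule numbers 1000 to 1100 are free and sit before any broader permit rule, and that ntpd talks to upstreams from source port 123. The ntp.conf fragment is the documented mitigation for the CVE-2013-5211 monlist amplification (refuse mode 6/7 queries and switch off the monitor list), and the addresses in the comments are RFC 5737 documentation addresses, not real servers.

```shell
#!/bin/sh
# Added example: derive ipfw rules and ntp.conf hardening from the list of
# upstream servers, and flag peers that ntpdc reports as unreachable.

# List the hosts named on "server" lines of an ntp.conf (comments skipped).
# Note: "pool" directives are not expanded here; list explicit servers,
# preferably as IP addresses, since ipfw resolves hostnames only once at
# rule-insertion time.
ntp_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# Emit ipfw commands: permit the UDP/123 exchange with each configured
# upstream, then deny NTP from everyone else. ntpd sends from port 123, so
# replies arrive with source port 123 (assumption noted in the lead-in).
gen_ipfw_rules() {
    conf="$1"
    n=1000
    for s in $(ntp_servers "$conf"); do
        echo "ipfw add $n allow udp from me to $s 123 out"
        n=$((n + 1))
        echo "ipfw add $n allow udp from $s 123 to me in"
        n=$((n + 1))
    done
    # The deny must come after the permits above and before any generic
    # "allow udp" rule in the ruleset.
    echo "ipfw add 1100 deny udp from any to me 123 in"
}

# ntp.conf lines that close the monlist hole regardless of firewalling:
# "noquery" refuses ntpq/ntpdc control queries from the world, and
# "disable monitor" turns off the monlist data collection entirely.
# Time synchronisation with the servers is unaffected by noquery.
ntp_conf_hardening() {
    cat <<'EOF'
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# Read "ntpdc -p" output on stdin and print peers whose reach is 0, i.e.
# peers we have not heard from in the last eight polls (typically because
# the firewall is dropping the traffic). The leading tally character
# (= * + - # x .) is stripped from the peer name.
unreachable_peers() {
    awk 'NR > 2 && NF == 8 && $5 == 0 {
        sub(/^[=*+#x.-]/, "", $1)
        print $1
    }'
}

# Usage (not run here):
#   gen_ipfw_rules /etc/ntp.conf | sh
#   ntp_conf_hardening >> /etc/ntp.conf
#   ntpdc -p | unreachable_peers
```

After inserting the rules, `ntpdc -p` should show `reach` climbing back from 0 toward 377 within a few poll intervals; a peer that stays at 0 is either still blocked or not answering.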