Date:      Fri, 14 Mar 2014 21:30:30 -0600
From:      Brett Glass <brett@lariat.org>
To:        Dimitry Andric <dim@FreeBSD.org>
Cc:        freebsd-security@FreeBSD.org, Fabian Wenk <fabian@wenks.ch>
Subject:   Re: NTP security hole CVE-2013-5211?
Message-ID:  <201403150335.VAA27118@mail.lariat.net>
In-Reply-To: <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>
References:  <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <CAO82ECEsS-rKq7A-9w7VuxKpe_c_f=tvZQoRKgHEfi-yPdNeGQ@mail.gmail.com> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net> <106CC1B8-932F-44CD-B307-C5B470359ABD@FreeBSD.org>

At 02:27 PM 3/14/2014, Dimitry Andric wrote:

>It looks like you missed 
>http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc 
>then?  Which was released on Jan 14, and has all the instructions 
>how to patch your system.

I did not miss the advisory. The "solution" given in the advisory 
-- patching ntpd -- is necessary but not sufficient. The 
configuration file must also be changed, because the system will 
still serve as a relay for attacks if the default ntp.conf (or one 
like it) is used. The lines

# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1

Note that these lines are similar to those in the "workaround" 
section of the advisory but add the command "disable monitor" and 
add the "kod" option (which may quell queries from some exploited systems).

--Brett Glass
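As an added example, not part of Brett's message or the FreeBSD advisory: a small Python audit that parses an ntp.conf and reports whether the mitigations above (disable monitor; a default restrict with noquery, nomodify, notrap and nopeer; the optional kod flag) are present for both address families. The function names and the constructed sample configs are assumptions, and an unqualified `restrict default` is conservatively counted for IPv4 only, which is why the message lists a separate `-6` line.

```python
# Audit an ntp.conf for the CVE-2013-5211 mitigations discussed above: the
# default restrict must carry these flags so the host ignores monlist queries.
REQUIRED_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}

def parse_ntp_conf(text):
    """Return (monitor_enabled, {family: flags}) from the default restricts."""
    monitor = True  # ntpd enables the monitor facility unless told otherwise
    defaults = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        if words[0] in ("disable", "enable") and "monitor" in words[1:]:
            monitor = words[0] == "enable"
        elif words[0] == "restrict":
            args = words[1:]
            family = "ipv4"  # assumption: an unqualified line counts for IPv4 only
            if args and args[0] in ("-4", "-6"):
                family = "ipv6" if args[0] == "-6" else "ipv4"
                args = args[1:]
            if args and args[0] == "default":
                defaults[family] = set(args[1:])
    return monitor, defaults

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the config is hardened."""
    monitor, defaults = parse_ntp_conf(text)
    findings = []
    if monitor:
        findings.append("monitor facility enabled: add 'disable monitor'")
    for family in ("ipv4", "ipv6"):
        flags = defaults.get(family)
        if flags is None:
            findings.append(f"no default restrict for {family}: all queries allowed")
        elif "ignore" not in flags:  # 'ignore' drops every packet, so it suffices
            missing = sorted(REQUIRED_FLAGS - flags)
            if missing:
                findings.append(f"{family} default restrict lacks {missing}")
            if "kod" not in flags:
                findings.append(f"{family} default restrict lacks kod (optional)")
    return findings

# Constructed sample: a config that patches ntpd but keeps monlist reachable.
WEAK_CONF = "server ntp.example.com iburst\nrestrict default nomodify notrap\n"
# The default restrict lines from the message above, for comparison.
HARDENED_CONF = """disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""
```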