Date: Thu, 09 Jan 2014 21:16:51 -0800
From: Xin Li <delphij@delphij.net>
To: Garrett Wollman <wollman@bimajority.org>, Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-security@freebsd.org, Palle Girgensohn <girgen@FreeBSD.org>
Subject: Re: UNS: Re: NTP security hole CVE-2013-5211?
Message-ID: <52CF8243.7060906@delphij.net>
In-Reply-To: <21199.26019.698585.355699@hergotha.csail.mit.edu>
References: <B0F3AA0A-2D23-424B-8A79-817CD2EBB277@FreeBSD.org> <52CEAD69.6090000@grosbein.net> <21199.26019.698585.355699@hergotha.csail.mit.edu>

On 1/9/14, 7:14 PM, Garrett Wollman wrote:
> <<On Thu, 09 Jan 2014 21:08:41 +0700, Eugene Grosbein
> <eugen@grosbein.net> said:
>
>> Other than updating ntpd, you can filter out requests to
>> 'monlist' command with 'restrict ... noquery' option that
>> disables some queries for the internal ntpd status, including
>> 'monlist'.
>
> For a "pure" client, I would suggest "restrict default ignore"
> ought to be the norm. (Followed by entries to unrestrict localhost
> over v4 and v6.)

That would block clock synchronization too, unless one explicitly
unrestricts all NTP servers. With pool.ntp.org, this is not really
practical.

The current default on head stable branches should work for most
people.

Cheers,
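
An added example, not part of this message or of ntpd: a simplified Python model of how the most specific IPv4 `restrict` entry decides a packet's fate, comparing the `restrict default noquery` and `restrict default ignore` approaches discussed in the thread. The configurations and addresses are constructed (documentation ranges), and `parse_restrict` and `verdict` are hypothetical helper names.

```python
import ipaddress

def parse_restrict(conf):
    """Return [(network, flags)] for the IPv4 'restrict' lines of ntp.conf text."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        if tok[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tok[2:]
        elif len(tok) >= 4 and tok[2] == "mask":
            net, flags = ipaddress.ip_network(f"{tok[1]}/{tok[3]}"), tok[4:]
        else:
            net, flags = ipaddress.ip_network(tok[1]), tok[2:]
        rules.append((net, set(flags)))
    return rules

def verdict(rules, src):
    """Simplified model: the most specific matching entry decides."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in rules if addr in r[0]]
    flags = max(hits, key=lambda r: r[0].prefixlen)[1] if hits else set()
    return {
        "time": "ignore" not in flags,               # time packets processed
        "query": not flags & {"ignore", "noquery"},  # ntpq/ntpdc queries, incl. monlist
    }

# Constructed sample configurations and addresses (documentation ranges).
NOQUERY = "restrict default noquery\nrestrict 127.0.0.1\n"
IGNORE = "restrict default ignore\nrestrict 127.0.0.1\n"
IGNORE_PLUS_SERVER = IGNORE + "restrict 192.0.2.10 noquery\n"
SERVER = "192.0.2.10"    # stands in for one upstream server's address
REMOTE = "198.51.100.7"  # arbitrary remote host sending queries

if __name__ == "__main__":
    for name, conf in [("noquery", NOQUERY), ("ignore", IGNORE),
                       ("ignore+server", IGNORE_PLUS_SERVER)]:
        rules = parse_restrict(conf)
        for src in ("127.0.0.1", SERVER, REMOTE):
            print(f"{name:14} {src:13} {verdict(rules, src)}")
```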