Date: Fri, 21 Mar 2014 22:28:23 +0100 From: Remko Lodder <remko@FreeBSD.org> To: "Ronald F. Guilmette" <rfg@tristatelogic.com> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: NTP security hole CVE-2013-5211? Message-ID: <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org> In-Reply-To: <51381.1395429637@server1.tristatelogic.com> References: <51381.1395429637@server1.tristatelogic.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On 21 Mar 2014, at 20:20, Ronald F. Guilmette <rfg@tristatelogic.com> = wrote: >=20 > In message <AD479A36-993D-442A-AA07-AB52D8198624@FreeBSD.org>,=20 > Remko Lodder <remko@FreeBSD.org> wrote: >=20 >> Reading the mails from this thread leads me to believe that there is = no >> stateful firewall concept in place? >=20 > I am not the poster to whom you were responding (info@rit.lt), however > speaking only for myself I will confess that yes, in my case at least, > although I have used ipfw for many years, I have never (until now) = found > any compelling need to either understand or make use of any of ipfw's > stateful capabilities. Hi Ronald, That is =91fine=92 ofcourse but makes you vulnerable to the =91crap=92 = that is hitting your doorway now. Rest assured that you are already doing a great step = in at least filtering your machines and as you demonstrate you are active on the internet to get the information you need to do it properly. That is = already way better then a lot of other people. A question that pops my mind: Do you think we (security people) needed = to be more verbose about why this might have been a good idea? or could we = have done a better job in reasoning why stateful has it=92s advantages? >=20 >> In my believing it is so that if you do not filter traffic, you are >> making a deliberate choice to let everyone smack your service(s). >=20 > I personally *do* most certainly filter traffic, and have done, since > I first connected *any* machine of mine to the Internet. I can assure > yoy that I never made any deliberate choice to let everyone smack me > around. Nontheless, that clearly did happen, eventually, when = evil-doers > decided, relatively recently, to use & abuse me as an NTP reflector, = but > my participation in this was not in any sense deliberate on my part, = and > arose strictly out of ignorance, for which I am suitably humbled and > apologetic. Let me offer my apologies, I did not want to make you feel ignorant or = anything. What I meant is that everyone should filter on their machines, or if = possible even ahead of their machines at the gateways. Stopping traffic you do = not want should occur at the border so that it never ever reaches the machines it = is not supposed to reach. People do make a living in =91pestering=92 you and I (and many others) = and now smacking your NTP server(s) is gaining them something, or they wouldn=92t = just do it. My best advice in this case might be that only allowing in the networks = you want to have in on your NTP server (Stateful) prevents people that you = do not want to have their in the first place. Only letting out the traffic you = want (also stateful) prevents bogus replies because they most likely are = caught at the firewall already. Ofcourse the software should be well protected as well, and secteam@ did = his best to offer the best solution possible. Though as mentioned by Brett = for example we just cannot force the update of ntpd.conf on user machines = because every admin could have legitimate reasons for having a configuration in = place they decided to have. It=92s risky to change those things and especially = enforce them on running machines. Most of his ideas were in the advisory already except for the =91disable monitor=92 part, which might be reason to = discuss whether that makes sense or not. Thank you, Remko >=20 >=20 > Regards, > rfg > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" --=20 /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJTLK73AAoJEKjD27JZ84ywMpcQAKINH2ZhAOthD+12a6acMRG4 5cDfWQb//28/2Brzxx7O7V/VANxW2gkd+FU+nNP8jaE0yQYfWufEPz4u8ZHqgfJy hPDCenASgYUJ189vJBODl7WMJw0vpr0mHnK9LEf9VXAX6Y/KhdL5kYxeHSL3qhOk um72FOqXRry10XttgIIu3aNToNqkV6rbfQp7eHmbsCl/eetN5XDAGnqmr5DKBeLq WUcwqhuzGPpPQtINH7+sQ24PFE8YtRUP7nIVhIXgffIy+iBMP6J4JY2SUIvyRxtk SeaLyMhXHW26e3SRTkC6gHhOgS3BsMeOhmSB7OMG3sLPOBw0m4bw1tVAK35nMMws CqCACV2O3JYr3u9ThlNl7Hke6oCl8P4f3N8LKaWjrH5KLvR6ci9ApLKv2lhFWAzQ eJN5Xr9ghEzqctsIEeKXgeh+tIqMSDTSsmVrIwV3lgK9tLLtTcnOQ+NouC7IdJa+ 5bu8kqfir1/Ih8A9Dh93IKFodzoNGQgN4j0HGtceqWig6BDxopcpycaANYZm/qLw v9xxsWzuuwuaALfJv1Z/I5EEsjn59UaF8AM0jiE4L8piTq70Zc19KLUTA496zX5/ +8q5jQN9yLxfMkXyjrWSZq0lJGGH8/LLMuCvyXZOdnLuiYSVr6O+qz0DlzxSIJ4g SjAbXlt1cFY3V+mxIgvV =nHAw -----END PGP SIGNATURE----- --Apple-Mail=_7154F1F9-7C28-40EA-BF8B-62041B9AE070--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8F3083F1-3A20-4FEC-9969-F9968D87569E>