[oe-commits] [meta-openembedded] 01/12: ntp: restrict NTP mode 6 queries

git at git.openembedded.org git at git.openembedded.org
Fri Jan 3 21:56:12 UTC 2020


This is an automated email from the git hooks/post-receive script.

khem pushed a commit to branch master-next
in repository meta-openembedded.

commit 2401ade3c48771097456046da3347c884908d3a1
Author: Yi Zhao <yi.zhao at windriver.com>
AuthorDate: Fri Jan 3 10:42:45 2020 +0800

    ntp: restrict NTP mode 6 queries
    
    The current NTP server responds to mode 6 queries from any client.
    Devices that respond to these queries have the potential to be used in
    NTP amplification attacks. An unauthenticated, remote attacker could
    potentially exploit this, via a specially crafted mode 6 query, to cause
    a reflected denial of service condition.
    
    See: https://www.tenable.com/plugins/nessus/97861
         https://scan.shadowserver.org/ntpversion/
    
    Update ntp.conf to restrict NTP mode 6 queries.
    
    Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
 meta-networking/recipes-support/ntp/ntp/ntp.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf
index 676e186..b590030 100644
--- a/meta-networking/recipes-support/ntp/ntp/ntp.conf
+++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf
@@ -14,4 +14,8 @@ driftfile /var/lib/ntp/drift
 server 127.127.1.0
 fudge 127.127.1.0 stratum 14
 # Defining a default security setting
-restrict default
+restrict -4 default notrap nomodify nopeer noquery
+restrict -6 default notrap nomodify nopeer noquery
+
+restrict 127.0.0.1    # allow local host
+restrict ::1          # allow local host
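
Review bot: the unchanged comment "# Defining a default security setting" above the new `restrict -4 default` and `restrict -6 default` lines no longer describes what the defaults do, and it should be expanded. With `noquery` in the default, ntpd drops ntpq and ntpdc queries from every host except the two loopback addresses listed at the end of the hunk, so any remote monitoring that relies on ntpq stops working while time service itself is unaffected. A short comment saying so, and saying that a site needing remote queries should add its own `restrict <address>` line for the management hosts rather than loosening the default, would save users of this recipe a debugging session. The commit message names only mode 6, but the same lines also add `notrap nomodify nopeer`; mention those in the comment or the commit message so the wider behaviour change is on record. The loopback entries carry no flags at all, which leaves local ntpq and ntpdc able to modify the running configuration; if that is intended, "allow local host" could read "unrestricted access from local host" to make it explicit.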
