[OpenIndiana-discuss] Avoiding the NTP amplification exploit
Gary Mills
gary_mills at fastmail.fm
Wed Feb 12 14:43:48 UTC 2014
For those who haven't already heard about this NTP exploit, it begins
with a single UDP packet sent to a computer running the NTP service.
With the default configuration, a monlist query will result in many
packets being returned to the source of the query. All it takes is a
spoofed source address to turn this into a DoS attack. You can read
about it here:
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
The solution is here:
http://support.ntp.org/bin/view/Support/AccessRestrictions
I'm attaching the changes I made to my ntp.conf to avoid this problem.
--
-Gary Mills- -refurb- -Winnipeg, Manitoba, Canada-
--- /etc/inet/ntp.conf- Sat Apr 10 15:48:47 2010
+++ /etc/inet/ntp.conf Sat Dec 28 11:03:05 2013
@@ -3,7 +3,24 @@
# Use is subject to license terms.
#
#ident "@(#)ntp4.client 1.1 09/06/25 SMI"
-#
+
+# If you will not allow others to see your server status information,
+# use the following default restriction:
+
+restrict default kod nomodify notrap nopeer noquery
+
+# Add the following line to allow a subnet to receive time service and
+# query server statistics:
+
+restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap nopeer
+
+# You may need to add the following lines to allow unrestricted access
+# from the localhost (so that you may monitor ntpd and perform
+# on-the-fly configuration changes with ntpdc):
+
+restrict 127.0.0.1
+restrict -6 ::1
+
# If you want to configure your client to listen for multicast, uncommnet
# this line. This should only be used for casual time keeping, like keeping
# a desktop system in sync.
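Review bot: the hunk restricts the IPv4 default but adds no IPv6 counterpart, even though it already uses the address-family flag for `restrict -6 ::1`; on ntpd builds where an unflagged `restrict default` covers IPv4 only, IPv6 clients can still reach the monlist query the message is closing off. Suggest adding `restrict -6 default kod nomodify notrap nopeer noquery` directly under the IPv4 line so both families carry `noquery`, which is the flag that actually stops the reflection. The loopback rules and the subnet rule (which deliberately omits `noquery` so LAN hosts may still read statistics) look right; the deleted lone `#` is a harmless cleanup.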
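As an added example that is not part of the original post or attachment, the following Python checker parses `restrict` lines from an ntp.conf and reports, per address family, whether a default restriction carrying `noquery` is in place, which is what prevents the monlist reflection described above. The sample configurations are constructed here to mirror the patched file; the `unflagged_covers_v6` switch is an assumption the caller sets according to whether their ntpd applies an unflagged `restrict default` to IPv6 as well (older releases did not).

```python
"""Audit ntp.conf restrict lines for the monlist-reflection mitigation."""

# Constructed sample mirroring the patched /etc/inet/ntp.conf from the post.
PATCHED_CONF = """
#ident "@(#)ntp4.client 1.1 09/06/25 SMI"
restrict default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample of a stock file with no restrictions at all.
UNPATCHED_CONF = """
#ident "@(#)ntp4.client 1.1 09/06/25 SMI"
#
"""

# Constructed sample that restricts modification but still answers queries.
NOQUERY_MISSING_CONF = """
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
"""


def parse_restrict_lines(conf_text):
    """Return a list of dicts describing every `restrict` line.

    Each dict has: family ('-4', '-6' or 'any'), addr, mask, flags (set).
    Comments and unrelated directives are skipped.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] != "restrict" or len(parts) < 2:
            continue
        parts = parts[1:]
        family = "any"
        if parts[0] in ("-4", "-6"):
            family = parts.pop(0)
        addr = parts.pop(0)
        mask = None
        if parts and parts[0] == "mask" and len(parts) > 1:
            mask = parts[1]
            parts = parts[2:]
        rules.append({"family": family, "addr": addr,
                      "mask": mask, "flags": set(parts)})
    return rules


def audit(conf_text, unflagged_covers_v6=False):
    """Report, per address family, whether default queries are blocked.

    unflagged_covers_v6 is an assumption about the ntpd in use: True if an
    unflagged `restrict default` also applies to IPv6 on that version.
    """
    rules = parse_restrict_lines(conf_text)
    findings = {}
    for fam in ("-4", "-6"):
        covering = [
            r for r in rules
            if r["addr"] == "default"
            and (r["family"] == fam
                 or (r["family"] == "any"
                     and (fam == "-4" or unflagged_covers_v6)))
        ]
        if not covering:
            findings[fam] = "no default restriction: anyone can query"
        elif not any("noquery" in r["flags"] for r in covering):
            findings[fam] = "default restriction lacks noquery"
        else:
            findings[fam] = "ok"
    return findings


def loopback_unrestricted(conf_text):
    """True if 127.0.0.1 is listed with no flags, keeping local ntpdc usable."""
    return any(r["addr"] == "127.0.0.1" and not r["flags"]
               for r in parse_restrict_lines(conf_text))


if __name__ == "__main__":
    for name, conf in (("patched", PATCHED_CONF),
                       ("unpatched", UNPATCHED_CONF),
                       ("noquery missing", NOQUERY_MISSING_CONF)):
        print(name, audit(conf), "loopback ok:", loopback_unrestricted(conf))
```

Run against the patched sample with the conservative default, the checker reports IPv4 as ok and flags IPv6 as unrestricted; the same file passes for both families either when the switch is set to True or when a `restrict -6 default ... noquery` line is appended.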