author | Yi Zhao <yi.zhao@windriver.com> | 2020-01-03 10:42:45 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2020-01-03 13:56:00 -0800 |
commit | 2401ade3c48771097456046da3347c884908d3a1 (patch) | |
tree | c07be1cc4516c5b9ad7ddeddd2eed3f62e7dcfe1 /meta-networking/recipes-support | |
parent | 5b15fb9c839a276220651946efd1d1a303ff0d45 (diff) | |
download | meta-openembedded-2401ade3c48771097456046da3347c884908d3a1.tar.gz |
ntp: restrict NTP mode 6 queries
The current NTP server responds to mode 6 queries from any client.
Devices that respond to these queries have the potential to be used in
NTP amplification attacks. An unauthenticated, remote attacker could
potentially exploit this, via a specially crafted mode 6 query, to cause
a reflected denial of service condition.
See: https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/
Update ntp.conf to restrict NTP mode 6 queries.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-networking/recipes-support')
-rw-r--r-- | meta-networking/recipes-support/ntp/ntp/ntp.conf | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf index 676e18645..b59003092 100644 --- a/meta-networking/recipes-support/ntp/ntp/ntp.conf +++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf | |||
@@ -14,4 +14,8 @@ driftfile /var/lib/ntp/drift | |||
14 | server 127.127.1.0 | 14 | server 127.127.1.0 |
15 | fudge 127.127.1.0 stratum 14 | 15 | fudge 127.127.1.0 stratum 14 |
16 | # Defining a default security setting | 16 | # Defining a default security setting |
17 | restrict default | 17 | restrict -4 default notrap nomodify nopeer noquery |
18 | restrict -6 default notrap nomodify nopeer noquery | ||
19 | |||
20 | restrict 127.0.0.1 # allow local host | ||
21 | restrict ::1 # allow local host | ||
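Review bot: The comment at line 16 ("Defining a default security setting") no longer explains what the block does, and the loopback entries at new lines 20-21 are documented only as "allow local host". Please state in the file that `noquery` on the two default lines is what stops remote mode 6 queries, and that the flagless `restrict 127.0.0.1` and `restrict ::1` entries are deliberate exceptions that lift all four flags for local processes. Without that, a later edit could drop `noquery` or widen the exceptions without noticing the effect. If local hosts only need to query the daemon, consider keeping `nomodify notrap` on the loopback lines.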