Le Thu, 09 Jan 2014 21:18:56 -0800, Xin Li <delp...@delphij.net> a écrit :
> On 1/9/14, 6:12 AM, Palle Girgensohn wrote: > > > > 9 jan 2014 kl. 15:08 skrev Eugene Grosbein <eu...@grosbein.net>: > > > >> On 09.01.2014 19:38, Palle Girgensohn wrote: > >>> They recommend at least 4.2.7. Any thoughts about this? > >> > >> Other than updating ntpd, you can filter out requests to > >> 'monlist' command with 'restrict ... noquery' option that > >> disables some queries for the internal ntpd status, including > >> 'monlist'. > >> > >> See http://support.ntp.org/bin/view/Support/AccessRestrictions > >> for details. > > > > Yes. But shouldn't there be a security advisory for FreeBSD > > specifically? > > We will have an advisory next week. If a NTP server is properly > configured, it's likely that they are not affected (the old FreeBSD > default is a little bit vague on how to properly configure the daemon, > though; the new default on -CURRENT and supported -STABLE branches > should be sufficient to provide protection). I've tried the -current ntpd.conf. Looks good here, my ntpd (used as client) is under attack since two days :( (15000 packets/s in) Ntpd does not reply anymore but it eats more cpu (~8%), for a client the best is to filter out the port udp/123. The attack is on the ntp command "MON_GETLIST". Regards, _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
