At 02:27 PM 3/14/2014, Dimitry Andric wrote:
It looks like you missed
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc
then? Which was released on Jan 14, and has all the instructions
how to patch your system.
I did not miss the advisory. The "solution" given in the advisory
-- patching ntpd -- is necessary but not sufficient. The
configuration file must also be changed, because the system will
still serve as a relay for attacks if the default ntp.conf (or one
like it) is used. The lines
# Stop amplification attacks via NTP servers
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 127.127.1.0
# Note: Comment out these lines on machines without IPv6
restrict -6 default kod nomodify notrap nopeer noquery
restrict -6 ::1
Note that these lines are similar to those in the "workaround"
section of the advisory but add the command "disable monitor" and
add the "kod" option (which may quell queries from some exploited systems).
--Brett Glass
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
