At 03:28 PM 3/21/2014, Remko Lodder wrote:

Of course the software should be well protected as well, and secteam@ did his
best to offer the best solution possible. Though as mentioned by Brett for
example we just cannot force the update of ntpd.conf on user machines because
every admin could have legitimate reasons for having a configuration in place
they decided to have. It's risky to change those things and especially enforce
them on running machines. Most of his ideas were in the advisory already
except for the 'disable monitor' part, which might be reason to discuss
whether that makes sense or not.

I've suggested one other thing, and still think it would be a good idea to
thwart attacks: that we compile ntpd to source outgoing queries from randomly
selected ephemeral UDP ports rather than UDP port 123. (This was, in fact, done
in earlier releases of FreeBSD and I'm unsure why it was changed.) This makes
stateful firewalling less necessary and improves its performance if it is done.

--Brett Glass
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
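The firewalling argument in the message above, worked through as an added example (not code from FreeBSD, ntpd, or either author): a client that sources its queries from an ephemeral port only needs an inbound rule that admits replies from a server's port 123 to local high ports, so unsolicited packets aimed at the daemon's own port 123 never match; a client that sources from port 123 forces the filter to admit every 123-to-123 packet, solicited or not, unless it keeps state. The filter rules are a toy model rather than pf or ipfw syntax, the "ephemeral means >= 1024" cutoff is a simplification, and the SNTP reply used in the test is constructed.

```python
"""
Added illustration of why sourcing NTP queries from an ephemeral UDP port
lets a stateless filter protect the daemon. Assumptions (not from the
thread): ephemeral ports are >= 1024, and the filter functions below are a
simplified model, not the syntax of any real packet filter.
"""
import socket
import struct
import time
from dataclasses import dataclass
from typing import Callable, Set, Tuple

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
EPHEMERAL_FLOOR = 1024         # assumption: anything at or above this is ephemeral
SNTP_FMT = "!BBBBIIIQQQII"     # header, stratum, poll, precision, delay, disp,
                               # refid, ref/orig/recv ts, transmit secs+frac


def build_sntp_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, mode=3, transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(SNTP_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def parse_sntp_reply(data: bytes) -> dict:
    """Extract stratum and transmit time (Unix seconds) from a mode-4 server reply."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    fields = struct.unpack(SNTP_FMT, data[:48])
    mode = fields[0] & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    tx_secs, tx_frac = fields[10], fields[11]
    return {"stratum": fields[1],
            "transmit_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32)}


def open_client_socket(bind_to_ntp_port: bool) -> Tuple[socket.socket, int]:
    """UDP socket an NTP client would send from, bound on loopback so it runs offline.

    True mimics ntpd sourcing queries from 123 (needs root); False lets the OS
    pick an ephemeral port, which is what the message proposes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", NTP_PORT if bind_to_ntp_port else 0))
    return s, s.getsockname()[1]


@dataclass(frozen=True)
class Inbound:
    """An inbound UDP packet as the protected host's filter sees it."""
    src_port: int   # port on the remote peer
    dst_port: int   # port on this host


Policy = Callable[[Inbound], bool]


def stateless_policy_port123_client(pkt: Inbound) -> bool:
    """Needed when queries leave from port 123: replies are 123 -> 123, so the
    rule must admit every 123 -> 123 packet, including unsolicited queries."""
    return pkt.src_port == NTP_PORT and pkt.dst_port == NTP_PORT


def stateless_policy_ephemeral_client(pkt: Inbound) -> bool:
    """Enough when queries leave from an ephemeral port: admit server replies
    to a high local port, and nothing addressed to the daemon's own port 123."""
    return pkt.src_port == NTP_PORT and pkt.dst_port >= EPHEMERAL_FLOOR


class StatefulFilter:
    """Minimal state table: an inbound packet passes only if it answers a
    query this host sent. This is what a port-123 client needs to stay safe."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[int, int]] = set()  # (local port, remote port)

    def note_outbound(self, local_port: int, remote_port: int) -> None:
        self.flows.add((local_port, remote_port))

    def __call__(self, pkt: Inbound) -> bool:
        return (pkt.dst_port, pkt.src_port) in self.flows


def daemon_exposed(policy: Policy) -> bool:
    """True if an unsolicited packet to our port 123 passes the inbound policy."""
    return policy(Inbound(src_port=NTP_PORT, dst_port=NTP_PORT))


if __name__ == "__main__":
    _, port = open_client_socket(bind_to_ntp_port=False)
    print("client would source from ephemeral port", port)
    print("port-123 client, stateless:", "exposed" if daemon_exposed(stateless_policy_port123_client) else "protected")
    print("ephemeral client, stateless:", "exposed" if daemon_exposed(stateless_policy_ephemeral_client) else "protected")
```

The stateful class is there for contrast: with a port-123 client it is the only way to admit replies without also admitting arbitrary queries to the daemon, which is the work the message says ephemeral sourcing makes unnecessary.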
