From ae2169fe99a60d32aab6bd5b3cdbba8f99354edf Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Fri, 31 Jan 2014 18:48:46 +0000
Subject: ntp: add workaround for NTP reflection attack
---
 modules/ntp/templates/ntp.conf | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'modules')
diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf
index 3f9582d7..4dc42c85 100644
--- a/modules/ntp/templates/ntp.conf
+++ b/modules/ntp/templates/ntp.conf
@@ -25,6 +25,12 @@ driftfile /var/lib/ntp/drift multicastclient # listen on default 224.0.1.1 broadcastdelay 0.008
+# http://www.kb.cert.org/vuls/id/348126
+restrict default nomodify notrap nopeer noquery
+restrict -6 default nomodify notrap nopeer noquery
+# https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
+disable monitor
+
 #
 # Keys file. If you want to diddle your server at run time, make a
 # keys file (mode 600 for sure) and define the key number to be
-- cgit v1.2.1
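Review bot: The two `restrict default … noquery` lines also apply to loopback, so unless the template already has `restrict 127.0.0.1` and `restrict -6 ::1` exemptions outside this hunk, local `ntpq`/`ntpdc` health checks will be refused along with the remote queries the change is meant to block. Adding those two lines right after the defaults would keep local monitoring working without re-exposing the server to remote queries. `nopeer` also rejects unauthenticated packets that would mobilize a new association, which probably leaves the `multicastclient` context line above inert; either drop that line or note that it now requires authentication. The bare URLs would be easier to maintain with a statement of intent next to them, e.g. `# Refuse remote ntpq/ntpdc queries (reflection/amplification, VU#348126)` and `# Turn off the monitoring facility that serves monlist`.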