ntp: add workaround for NTP reflection attack

author: Nicolas Vigier <boklm@mageia.org> 2014-01-31 18:48:46 +0000
committer: Nicolas Vigier <boklm@mageia.org> 2014-01-31 18:48:46 +0000
commit: ae2169fe99a60d32aab6bd5b3cdbba8f99354edf (patch)
tree: 2529c6dfd8078f1b8524c79d344893a59932c21f /modules/ntp
parent: e5e75b51c4e0c58bd34f524fe7d60b7fd29c451b (diff)
download: puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar
puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar.gz
puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar.bz2
puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar.xz
puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf
index 3f9582d7..4dc42c85 100644
--- a/modules/ntp/templates/ntp.conf
+++ b/modules/ntp/templates/ntp.conf
@@ -25,6 +25,12 @@ driftfile /var/lib/ntp/drift
 multicastclient			# listen on default 224.0.1.1
 broadcastdelay	0.008
 
+# http://www.kb.cert.org/vuls/id/348126
+restrict default nomodify notrap nopeer noquery
+restrict -6 default nomodify notrap nopeer noquery
+# https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
+disable monitor
+
 #
 # Keys file.  If you want to diddle your server at run time, make a
 # keys file (mode 600 for sure) and define the key number to be
author	Nicolas Vigier <boklm@mageia.org>	2014-01-31 18:48:46 +0000
committer	Nicolas Vigier <boklm@mageia.org>	2014-01-31 18:48:46 +0000
commit	ae2169fe99a60d32aab6bd5b3cdbba8f99354edf (patch)
tree	2529c6dfd8078f1b8524c79d344893a59932c21f /modules/ntp
parent	e5e75b51c4e0c58bd34f524fe7d60b7fd29c451b (diff)
download	puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar.gz puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar.bz2 puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.tar.xz puppet-ae2169fe99a60d32aab6bd5b3cdbba8f99354edf.zip