On Mon, Dec 12, 2011 at 03:04, John Kristoff <[email protected]> wrote:
> On Sun, 11 Dec 2011 16:00:21 -0800
> Ask Bjørn Hansen <[email protected]> wrote:
>
>> There needs to be a rule for at least allowing 'query' to everyone.
>
> We can add a note that says remove the 'noquery' option for a public
> server operator, but I'm sure there are some other best practices that
> we might want to specify a separate config for those folks. If you have
> sample configs, please send them along.
With ntpd 4.2.6 (even the latest patches) and earlier, 'noquery' is the only built-in mitigation for the monlist amplification attack. You can craft a firewall rule to block only monlist requests, or all mode 7 requests while allowing ntpq's mode 6, of course.

I do value being able to query pool members and other public NTP servers, and I encourage upgrading to 4.2.7p26 or later (which never respond to monlist queries) or using a packet filter to continue to allow ntpq billboard queries while dropping monlist queries.

Any "secure template" configuration likely should have noquery in default restrictions, given nearly all ntpd in the wild is vulnerable by default to monlist amplification otherwise, sad to say.

Cheers,
Dave Hart

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
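The three filtering options Dave describes (noquery, drop all mode 7, drop only monlist) differ in which packets they match. The following is an added example, not code from the thread or from ntpd: it classifies an NTP packet by the mode bits in byte 0 and, for mode 7 "private" packets, by the request code in byte 3 (REQ_MON_GETLIST = 42 and REQ_MON_GETLIST_1 = 43 are ntpd's monlist request codes), then applies one of three hypothetical policies. The policy names, the `classify`/`verdict` helpers and the sample packets are all constructed here for illustration.

```python
"""Classify NTP packets so a packet filter can drop ntpdc mode 7 traffic
(or only the monlist request) while still admitting ntpq mode 6 queries.
Illustrative code, not part of ntpd; sample packets are hand-built."""

MODE_CONTROL = 6          # ntpq: mode 6 control messages
MODE_PRIVATE = 7          # ntpdc: mode 7 "private" messages
REQ_MON_GETLIST = 42      # 0x2a, ntpd's request code for monlist
REQ_MON_GETLIST_1 = 43    # 0x2b, the later monlist variant


def ntp_mode(packet: bytes) -> int:
    """The mode is the low three bits of byte 0 for every NTP packet type
    (time, control and private alike), whatever the version field says."""
    return packet[0] & 0x07


def classify(packet: bytes) -> str:
    """Label a packet by what it asks for."""
    if len(packet) < 4:
        return "runt"
    mode = ntp_mode(packet)
    if mode == MODE_PRIVATE:
        # Mode 7 header: byte 0 = R|M|VN|mode, byte 1 = auth|sequence,
        # byte 2 = implementation number, byte 3 = request code.
        if packet[3] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
            return "mode7-monlist"
        return "mode7-other"
    if mode == MODE_CONTROL:
        return "mode6-control"
    return "mode%d-time" % mode


# Hypothetical policy names -> set of labels each policy drops.
POLICIES = {
    # Equivalent in effect to 'restrict default noquery': no mode 6, no mode 7.
    "noquery": {"mode6-control", "mode7-monlist", "mode7-other"},
    # Drop all ntpdc traffic, keep ntpq billboard queries working.
    "drop-mode7": {"mode7-monlist", "mode7-other"},
    # Narrowest filter: only the monlist request itself is dropped.
    "drop-monlist": {"mode7-monlist"},
}


def verdict(packet: bytes, policy: str) -> str:
    """Return 'drop' or 'accept' for a packet under the named policy."""
    label = classify(packet)
    if label == "runt":
        return "drop"
    return "drop" if label in POLICIES[policy] else "accept"


# Constructed sample packets (not captures).
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4  # VN=2, mode 7, impl 3, req 42
NTPQ_READVAR = bytes([0x16, 0x02]) + b"\x00" * 10              # VN=2, mode 6, opcode READVAR
CLIENT_TIME = bytes([0x1B]) + b"\x00" * 47                     # VN=3, mode 3 client time request


def demo() -> dict:
    """Verdict of every policy for each sample packet."""
    samples = [("monlist", MONLIST_PROBE), ("ntpq", NTPQ_READVAR), ("client", CLIENT_TIME)]
    return {name: {p: verdict(pkt, p) for p in POLICIES} for name, pkt in samples}


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Note that the mode check masks only the low three bits, so a probe sent with version 3 (byte 0 = 0x1f) is caught just like the usual 0x17 form. The "noquery" policy mirrors the ntp.conf line `restrict default kod nomodify notrap nopeer noquery`, which is why it also drops ntpq's mode 6 packets; that is the trade-off the thread is discussing.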
