I think part of your diff got cut off.  That text looks good to me though.

Scanning pool servers to see who was vulnerable was going to be my next question :) That seems like it would be a good check to have when someone goes to initially add a server. It's pretty quick to do, and would get them to fix it when they're already looking at the NTP config.

On 12/30/2013 5:11 PM, Ask Bjørn Hansen wrote:
On Dec 30, 2013, at 22:11, Brian Rak <[email protected]> wrote:

Can we get this information added to the pool configuration 
recommendations? http://www.pool.ntp.org/join/configuration.html
Yes. I'd been asked to wait (many many weeks ago, frustratingly), but the cat 
is most definitely out of the bag and I don't see what the point is anymore. I 
agree that whatever coordinated response is being worked on doesn't have the 
appropriate urgency, so let's do what we can.

In my working copy for the site I have the patch below.

Any additions/changes/suggestions would be welcome and I'll see if I can push it up 
tomorrow. To start I'll just have all the translations have the English version; we don't 
really have a process to make sure things get translated so in this case I'll put in the 
English text as the "better than risk missing it" option.

I actually have also built a little tool to automatically check the pool 
servers for this and show a warning message on the manage page; my plan was to 
build something to email the operators with (now) misconfigured servers, too.


Ask


diff --git a/docs/ntppool/en/join/configuration.html 
b/docs/ntppool/en/join/configuration.html
index 1dca244..754ae11 100644
--- a/docs/ntppool/en/join/configuration.html
+++ b/docs/ntppool/en/join/configuration.html
@@ -23,6 +23,22 @@ Below are some things of particular importance if you are 
going to
  join the NTP Pool with your server.
  </p>

+<h4>Management queries</h4>
+
+<p>Make the default configuration be to not allow "management queries". For ntpd this will be 
adding the "noquery" option to the default "res
+
+<pre>
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+</pre>
+
+<p>To allow commands like "ntpq -c pe" to work from localhost you can add:</p>
+
+<pre>
+restrict 127.0.0.1
+restrict -6 ::1
+</pre>
+
  <h4>Setup about 5 servers</h4>

  <p>
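
Review bot: the first added paragraph under the "Management queries" heading breaks off at '"res' and has no closing </p> before the <pre> block that follows, so as posted the markup is unbalanced and the sentence never says which directive the option belongs on. Finish the sentence so it names the "restrict default" lines shown in the <pre> block and close the paragraph there. The opening "Make the default configuration be to not allow" would also read better as "Configure the default to disallow", and a one-sentence statement of why operators should do this would help, since the added text currently gives the instruction without a reason.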

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
