mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2025-07-19 15:29:08 +02:00

The current NTP server responds to mode 6 queries from any clients. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

See:
https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/

Update ntp.conf to restrict NTP mode 6 queries.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
22 lines
812 B
Plaintext
# This is the most basic ntp configuration file
# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
driftfile /var/lib/ntp/drift
# This should be a server that is close (in IP terms)
# to the machine. Add other servers as required.
# Unless you un-comment the line below ntpd will sync
# only against the local system clock.
#
# server time.server.example.com
#
# Using local hardware clock as fallback
# Disable this when using ntpd -q -g -x as ntpdate or it will sync to itself
server 127.127.1.0
fudge 127.127.1.0 stratum 14
# Defining a default security setting
restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery

restrict 127.0.0.1 # allow local host
restrict ::1 # allow local host
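An added example, not part of the meta-openembedded recipe: a small Python audit that parses `restrict` lines like the ones above and reports which address families would still answer mode 6 queries by default, and which hosts are exempted. The function names and the `WEAK` sample are constructed here, and an unqualified `restrict default` is assumed to cover both IPv4 and IPv6.

```python
BLOCKING = {"noquery", "ignore"}  # either flag makes ntpd refuse mode 6 queries

def parse_restrict(conf_text):
    """Yield (family, address, flags) per restrict line; family is 4, 6 or None."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args, family = tokens[1:], None
        if args[0] in ("-4", "-6"):
            family, args = int(args[0][1]), args[1:]
        if not args:
            continue
        address, flags = args[0], args[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            address, flags = f"{address} mask {flags[1]}", flags[2:]
        yield family, address, set(flags)

def audit_mode6(conf_text):
    """Return (families whose default answers mode 6, addresses exempted from the block)."""
    default = {4: None, 6: None}  # None means no default restrict line at all
    exceptions = []
    for family, address, flags in parse_restrict(conf_text):
        if address == "default":
            # Assumption: "restrict default" without -4/-6 applies to both families.
            for fam in ([family] if family else [4, 6]):
                default[fam] = flags
        elif not (flags & BLOCKING):
            exceptions.append(address)
    exposed = [fam for fam, flags in default.items()
               if flags is None or not (flags & BLOCKING)]
    return exposed, exceptions

# The restrict lines from the ntp.conf shown on this page.
HARDENED = """\
restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict 127.0.0.1 # allow local host
restrict ::1 # allow local host
"""
# Constructed sample: IPv6 default forgotten, and a whole subnet left able to query.
WEAK = """\
restrict -4 default notrap nomodify nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify
"""

if __name__ == "__main__":
    for name, conf in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit_mode6(conf))
```

An empty first list means both default policies refuse mode 6 queries; the second list should contain only the loopback addresses unless a monitoring host is deliberately exempted.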