Hello Xin On 10.01.2014 06:16, Xin Li wrote: > On 1/9/14, 7:14 PM, Garrett Wollman wrote: >> <<On Thu, 09 Jan 2014 21:08:41 +0700, Eugene Grosbein >> <eugen@grosbein.net> said: >> >>> Other than updating ntpd, you can filter out requests to >>> 'monlist' command with 'restrict ... noquery' option that >>> disables some queries for the internal ntpd status, including >>> 'monlist'. >> >> For a "pure" client, I would suggest "restrict default ignore" >> ought to be the norm. (Followed by entries to unrestrict localhost >> over v4 and v6.) > > That would block clock synchronization too, unless one explicitly > unrestrict all NTP servers. With pool.ntp.org, this is not really > practical. > > The current default on head stable branches should work for most people. I just check out through svnweb, but I would suggest the following settings, which will properly work for all versions of ntpd. See also the added 'limited' options, it helps to protect from spoofed amplification attacks too: # by default, don't trust and don't allow modifications # see -> https://support.ntp.org/bugs/show_bug.cgi?id=320 # should be fixed with ntp-4.2.5p178 (or later), eg. -4 / -6 not # needed any more restrict -4 default limited kod notrap nomodify nopeer noquery restrict -6 default limited kod notrap nomodify nopeer noquery restrict default limited kod notrap nomodify nopeer noquery bye Fabian _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"