[system-administrators-guide] noquery access option: add warning and link to CVE

commit 786d45d9bb57db9edb2f9511498a7aa3a361baae Author: Stephen Wadeley <swadeley(a)redhat.com&gt; Date: Thu Jul 31 11:48:32 2014 +0200 noquery access option: add warning and link to CVE en-US/Configuring_NTP_Using_ntpd.xml | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) --- diff --git a/en-US/Configuring_NTP_Using_ntpd.xml b/en-US/Configuring_NTP_Using_ntpd.xml index 1246238..eced2f9 100644 --- a/en-US/Configuring_NTP_Using_ntpd.xml +++ b/en-US/Configuring_NTP_Using_ntpd.xml @@ -216,7 +216,7 @@ The <option>kod</option> option means a <quote>Kiss-o'-death</quote> packet is t The <option>nomodify</option> options prevents any changes to the configuration. The <option>notrap</option> option prevents <systemitem class="protocol">ntpdc</systemitem> control message protocol traps. The <option>nopeer</option> option prevents a peer association being formed. -The <option>noquery</option> option prevents <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries, but not time queries, from being answered. +The <option>noquery</option> option prevents <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries, but not time queries, from being answered. The <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries can be used in amplification attacks (see <ulink url="https://access.redhat.com/security/cve/CVE-2013-5211">&... pubwork="webpage">CVE-2013-5211</citetitle></ulink> for more details), do not remove the <option>noquery</option> option from the <command>restrict default</command> command on publicly accessible systems. </para> <para> Addresses within the range <systemitem class="ipaddress">127.0.0.0/8</systemitem> range are sometimes required by various processes or applications. As the "restrict default" line above prevents access to everything not explicitly allowed, access to the standard loopback address for <systemitem class="protocol">IPv4</systemitem> and <systemitem class="protocol">IPv6</systemitem> is permitted by means of the following lines: @@ -484,6 +484,9 @@ synchronised to NTP server (10.5.26.10) at stratum 2 <para> To configure rate limit access to not respond at all to a query, the respective <command>restrict</command> command has to have the <option>limited</option> option. If <systemitem class="daemon">ntpd</systemitem> should reply with a <literal>KoD</literal> packet, the <command>restrict</command> command needs to have both <option>limited</option> and <option>kod</option> options. </para> + <para> + The <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries can be used in amplification attacks (see <ulink url="https://access.redhat.com/security/cve/CVE-2013-5211">&... pubwork="webpage">CVE-2013-5211</citetitle></ulink> for more details), do not remove the <option>noquery</option> option from the <command>restrict default</command> command on publicly accessible systems. + </para> </section> <section id="s2_Configure_Rate_Limiting_Access_to_an_NTP_Service">