commit 786d45d9bb57db9edb2f9511498a7aa3a361baae
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Thu Jul 31 11:48:32 2014 +0200
noquery access option: add warning and link to CVE
en-US/Configuring_NTP_Using_ntpd.xml | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Configuring_NTP_Using_ntpd.xml b/en-US/Configuring_NTP_Using_ntpd.xml
index 1246238..eced2f9 100644
--- a/en-US/Configuring_NTP_Using_ntpd.xml
+++ b/en-US/Configuring_NTP_Using_ntpd.xml
@@ -216,7 +216,7 @@ The <option>kod</option> option means a
<quote>Kiss-o'-death</quote> packet is t
The <option>nomodify</option> options prevents any changes to the
configuration.
The <option>notrap</option> option prevents <systemitem
class="protocol">ntpdc</systemitem> control message protocol traps.
The <option>nopeer</option> option prevents a peer association being formed.
-The <option>noquery</option> option prevents <systemitem
class="protocol">ntpq</systemitem> and <systemitem
class="protocol">ntpdc</systemitem> queries, but not time queries, from
being answered.
+The <option>noquery</option> option prevents <systemitem
class="protocol">ntpq</systemitem> and <systemitem
class="protocol">ntpdc</systemitem> queries, but not time queries, from
being answered. The <systemitem class="protocol">ntpq</systemitem>
and <systemitem class="protocol">ntpdc</systemitem> queries can be
used in amplification attacks (see <ulink
url="https://access.redhat.com/security/cve/CVE-2013-5211">&...
pubwork="webpage">CVE-2013-5211</citetitle></ulink> for more
details), do not remove the <option>noquery</option> option from the
<command>restrict default</command> command on publicly accessible systems.
</para>
<para>
Addresses within the range <systemitem
class="ipaddress">127.0.0.0/8</systemitem> range are sometimes required
by various processes or applications. As the "restrict default" line above
prevents access to everything not explicitly allowed, access to the standard loopback
address for <systemitem class="protocol">IPv4</systemitem> and
<systemitem class="protocol">IPv6</systemitem> is permitted by means
of the following lines:
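Review bot: the new sentence added to the noquery description is a comma splice; "...can be used in amplification attacks (see ... CVE-2013-5211 ... for more details), do not remove the <option>noquery</option> option..." joins an independent statement and an instruction with only a comma. Suggest ending the first sentence after the citation and starting the instruction fresh: "... for more details). Do not remove the <option>noquery</option> option from the <command>restrict default</command> command on publicly accessible systems." Since the paragraph that follows explains that <command>restrict default</command> denies everything not explicitly allowed, it would also be worth one sentence pointing out that any more specific <command>restrict</command> line added later should carry <option>noquery</option> too, otherwise it re-enables queries for that address range and the default line no longer protects the host. Two smaller points: the <ulink> body is cut off in this view ("&..."), so the opening <citetitle> tag cannot be checked here; please confirm the element is well-formed in the built output. And while this paragraph is being edited, the unchanged context line "The <option>nomodify</option> options prevents" should read "option prevents".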
@@ -484,6 +484,9 @@ synchronised to NTP server (10.5.26.10) at stratum 2
<para>
To configure rate limit access to not respond at all to a query, the respective
<command>restrict</command> command has to have the
<option>limited</option> option. If <systemitem
class="daemon">ntpd</systemitem> should reply with a
<literal>KoD</literal> packet, the <command>restrict</command>
command needs to have both <option>limited</option> and
<option>kod</option> options.
</para>
+ <para>
+ The <systemitem class="protocol">ntpq</systemitem> and
<systemitem class="protocol">ntpdc</systemitem> queries can be used
in amplification attacks (see <ulink
url="https://access.redhat.com/security/cve/CVE-2013-5211">&...
pubwork="webpage">CVE-2013-5211</citetitle></ulink> for more
details), do not remove the <option>noquery</option> option from the
<command>restrict default</command> command on publicly accessible systems.
+ </para>
</section>
<section id="s2_Configure_Rate_Limiting_Access_to_an_NTP_Service">
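Review bot: this new <para> repeats, word for word, the warning added in the first hunk to the noquery option description, including the same comma splice ("... for more details), do not remove ..."). Maintaining two identical copies invites drift; suggest keeping the full text in one place and replacing this copy with an <xref> to the section that describes the access options, or at least fixing the sentence here the same way (split after the citation). The paragraph also lands in the rate-limiting section directly after the discussion of <option>limited</option> and <option>kod</option>, which does not mention <option>noquery</option> at all, so a short lead-in sentence tying the warning to rate limiting (for example, that rate limiting is configured in addition to, not instead of, the <option>noquery</option> restriction) would make its placement clear to the reader.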