Dag-Erling Smørgrav writes:
>Joe Malcolm <jmalcolm at uraeus.com> writes:
>> I'm no expert on ntp.conf, but this appears in my ntp.conf on one of
>> my FreeBSD systems:
>>
>> restrict default kod nomodify notrap nopeer noquery
>> restrict -6 default kod nomodify notrap nopeer noquery
>>
>> However, it also has these:
>>
>> restrict 127.0.0.1
>> restrict -6 ::1
>> restrict 127.127.1.0
>
>These work on a "last match" basis. The latter three lines lift all
>restrictions for localhost, so you can still "ntpq -pn" your own server,
>but nobody else can.

Thanks. So, if I understand correctly, the shipped config is
vulnerable to local (same-host) attackers, not remote ones.
joe
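
The restrict lines quoted in this thread, evaluated per source address. This is an added example, not part of the original messages: it follows the ntpd documentation's rule that the restriction list is ordered by address and then mask, with the last matching entry supplying the flags. The function names and the sample source addresses are assumptions, and IPv6 `mask` arguments are not handled.

```python
import ipaddress

# Constructed sample: the restrict lines quoted in the thread.
NTP_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

def parse_restrict(conf):
    """Parse 'restrict' lines into (network, flags) pairs."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        v6 = tok[0] == "-6"
        if tok[0] in ("-4", "-6"):
            tok = tok[1:]
        addr, flags = tok[0], tok[1:]
        if addr == "default":
            # Assumption: plain 'default' is IPv4 and '-6 default' is IPv6.
            net = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
        elif flags[:1] == ["mask"]:
            # Dotted IPv4 masks only; IPv6 masks are not handled.
            net = ipaddress.ip_network(f"{addr}/{flags[1]}", strict=False)
            flags = flags[2:]
        else:
            net = ipaddress.ip_network(addr)  # no mask means a single host
        entries.append((net, frozenset(flags)))
    return entries

def effective_flags(entries, src):
    """Flags applied to src; empty if nothing matches (ntpd's built-in default)."""
    ip = ipaddress.ip_address(src)
    hits = [e for e in entries if e[0].version == ip.version and ip in e[0]]
    # Entries are ordered by address, then mask; the last match wins.
    order = lambda e: (int(e[0].network_address), int(e[0].netmask))
    return max(hits, key=order, default=(None, frozenset()))[1]

def may_query(entries, src):
    return not effective_flags(entries, src) & {"noquery", "ignore"}

if __name__ == "__main__":
    for src in ("127.0.0.1", "::1", "192.0.2.10"):
        print(src, may_query(parse_restrict(NTP_CONF), src))
```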