On 2014/02/13 11:35 +0100, Bob Friesenhahn wrote:
On Wed, 12 Feb 2014, Saso Kiselkov wrote:

Prudent advice, yes, but I can't think of any situation where an openly
accessible NTP service on an Internet-facing machine that isn't
*specifically* configured to be an NTP server isn't a case of bad admin
negligence. *All* Internet-facing machines should be running ipfilters
and only open up ports for the services they are designed to provide.

That is pretty harsh.

It's also pretty much true, and plenty of security standards require enforcement of that basic policy.

I had a FreeBSD system which was attacked by this
exploit a couple of months ago and it took down my Internet connection
(massive packet loss) until I figured out the cause.  That system still
receives millions of NTP packets per day (which are now tossed).

There is no warning in the NTP documentation about the software
automatically acting like a "server" and NTP is pretty much a peer-peer
protocol

Not really, no. Correct time is not a consensus. NTP definitely has a strict top-down hierarchy, not a flat P2P one. But it is indeed difficult to fully grasp it, and sadly, Solaris already has a long track record of not caring much to provide correct defaults.

so it is reasonable to leave that port open on the firewall
since some NTP clients might not be properly configured yet to use a
local NTP server.  Regardless, the protocol being exploited does not
seem to be normal NTP itself but an admin-related protocol.

All firewalls are now stateful, even for non-connected protocols. You don't need to allow *incoming* NTP traffic on UDP/123 to allow *outgoing* traffic. So that's not really a valid reason.

Laurent
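As an added illustration of the stateful-firewall point above (example code written for this page, not anything posted by the thread's participants and not ipfilter's own code or configuration): a small Python model of what an outbound `keep state` rule for UDP/123 achieves on a host that is only an NTP client, combined with the NTP mode-field check that separates ordinary time-sync packets (modes 1-5) from the mode 6/7 management packets, which is the "admin-related protocol" Bob refers to. Addresses, ports and payload bytes are constructed for the demo; state entries never expire here, whereas a real firewall times them out.

```python
from collections import Counter
from dataclasses import dataclass, field

# NTP header: the first byte packs LI (2 bits), VN (3 bits) and Mode (3 bits).
# Modes 1-5 carry time synchronisation; 6 (control) and 7 (private) are the
# management protocols (ntpq/ntpdc) that a pure client never needs to accept
# unsolicited from the Internet.
NTP_MODE_NAMES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}
NTP_PORT = 123


def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit mode field from the first NTP header byte."""
    if not payload:
        raise ValueError("empty UDP payload")
    return payload[0] & 0x07


def is_time_sync(payload: bytes) -> bool:
    """True for the time-sync modes (1-5); False for control/private (6/7)."""
    return 1 <= ntp_mode(payload) <= 5


@dataclass
class StatefulNtpFilter:
    """Model of a stateful firewall on a host that is an NTP *client* only.

    Outbound traffic to UDP/123 creates a state entry keyed by the remote
    address/port and our source port; inbound traffic is accepted only when it
    matches such an entry. Nothing else is accepted on UDP/123, so the host
    never answers as a server. (Assumption: entries never expire in this model.)
    """
    state: set = field(default_factory=set)
    dropped: list = field(default_factory=list)  # (src_ip, mode name) per drop

    def outbound(self, dst_ip: str, dst_port: int, src_port: int, payload: bytes) -> str:
        # Our own query to a time server: record the flow so its reply gets in.
        if dst_port == NTP_PORT:
            self.state.add((dst_ip, dst_port, src_port))
        return "allow"

    def inbound(self, src_ip: str, src_port: int, dst_port: int, payload: bytes) -> str:
        # A reply to something we sent: remote endpoint and our local port
        # must match a recorded outbound flow.
        if (src_ip, src_port, dst_port) in self.state:
            return "allow"
        # Anything else aimed at UDP/123 is unsolicited: log its mode and drop.
        self.dropped.append((src_ip, NTP_MODE_NAMES[ntp_mode(payload)]))
        return "drop"

    def drops_by_mode(self) -> Counter:
        """Count dropped packets per NTP mode, to see what a flood consists of."""
        return Counter(mode for _, mode in self.dropped)


# Constructed sample payloads (not captured traffic).
CLIENT_REQUEST = bytes([0x23]) + bytes(47)                    # LI=0, VN=4, mode 3
SERVER_RESPONSE = bytes([0x24]) + bytes(47)                   # LI=0, VN=4, mode 4
PRIVATE_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)  # VN=2, mode 7 (ntpdc-style)


def demo() -> dict:
    """One legitimate client exchange plus two unsolicited packets."""
    fw = StatefulNtpFilter()
    results = {
        "request_out": fw.outbound("192.0.2.1", NTP_PORT, 40000, CLIENT_REQUEST),
        "reply_in": fw.inbound("192.0.2.1", NTP_PORT, 40000, SERVER_RESPONSE),
        "stray_private": fw.inbound("198.51.100.7", 55555, NTP_PORT, PRIVATE_REQUEST),
        "stray_client": fw.inbound("203.0.113.9", 123, NTP_PORT, CLIENT_REQUEST),
    }
    results["drops"] = dict(fw.drops_by_mode())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reply from 192.0.2.1 is accepted only because the earlier outbound query created state for that exact remote address/port and local port; the mode 7 packet and the stray client query are dropped without any inbound UDP/123 rule ever being opened. The per-mode drop counter is the check worth keeping on a host that is already being hit: if the tossed packets are mostly "private", the traffic is the management protocol rather than normal time sync.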
_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
