ntp-formula should configure ntp.conf to mitigate these attacks as default behaviour. However, a quick fix is to adjust the pillar file.
Note that the solution really should have firewall configuration changes as well - but out of scope for this formula.
Here is the ntp.ng pillar.example re-worked to limit the possibility of reflected attacks:
```yaml
# An arbitrary key to avoid clashes with the original configuration
ng:
  # OS-specific data that should, in most cases, be handled by map.jinja.
  # It is an optional key and is only used to override defaults.
  lookup:
    package: ntp
    service: ntpd
    provider: systemd
    ntp_conf: /etc/ntp.conf
  # State-specific options
  settings:
    # If `True`, ntpd will be enabled. Otherwise ntp.conf will be configured
    # but ntpd will not be enabled or started.
    ntpd: True
    # A dictionary of lists, each key corresponds to a conf-file directive in
    # ntp.conf. Eg, the below will compile to:
    #
    #   restrict default ignore
    #   restrict 127.0.0.1
    #   restrict ::1
    #   restrict 0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
    #   restrict 1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
    #
    #   disable monitor
    #
    #   driftfile /var/lib/ntp/ntp.drift
    #
    #   server 0.us.pool.ntp.org
    #   server 1.us.pool.ntp.org
    #
    ntp_conf:
      server:
        - '0.us.pool.ntp.org'
        - '1.us.pool.ntp.org'
      restrict:
        - 'default ignore'
        - '127.0.0.1'
        - '::1'
        - '0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
        - '1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
      driftfile: ['/var/lib/ntp/ntp.drift']
      # !! http://www.team-cymru.org/secure-ntp-template.html
      disable:
        - 'monitor'
```
Here's a diff of pillar example:
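Added example (not part of the original issue or of the ntp-formula code): a small audit that flattens a pillar `ntp_conf` dictionary into ntp.conf lines, as the pillar comment describes, and flags `restrict` entries that still answer queries or a missing `disable monitor`. The `render` and `audit` helpers and the `WEAK` sample are constructed for illustration; `render` is a simplification, not the formula's template.

```python
LOOPBACK = {"127.0.0.1", "::1"}
LOCKED = {"ignore", "noquery"}  # flags that stop ntpq/ntpdc queries being answered

def render(ntp_conf):
    """Flatten {directive: [values]} into ntp.conf lines (assumed, simplified)."""
    return [f"{key} {value}" for key, values in ntp_conf.items() for value in values]

def audit(lines):
    """Return findings for lines that leave the daemon usable as a reflector."""
    findings, default_seen, monitor_disabled = [], False, False
    for raw in lines:
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "disable" and "monitor" in args:
            monitor_disabled = True
        elif directive == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]  # address-family selectors
            if not args:
                continue
            target, flags = args[0], set(args[1:])
            if target == "default":
                default_seen = True
            if target not in LOOPBACK and not (flags & LOCKED):
                findings.append(f"restrict {target}: no noquery/ignore flag")
    if not default_seen:
        findings.append("missing 'restrict default' entry")
    if not monitor_disabled:
        findings.append("missing 'disable monitor'")
    return findings

# The ntp_conf block from the reworked pillar above.
HARDENED = {
    "server": ["0.us.pool.ntp.org", "1.us.pool.ntp.org"],
    "restrict": [
        "default ignore", "127.0.0.1", "::1",
        "0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery",
        "1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery",
    ],
    "driftfile": ["/var/lib/ntp/ntp.drift"],
    "disable": ["monitor"],
}
# Constructed counter-example: default entry without noquery, monitor left on.
WEAK = {"server": ["0.us.pool.ntp.org"], "restrict": ["default nomodify notrap", "127.0.0.1"]}

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(render(conf)) or "no findings")
```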