Re: [chrony-users] Disabling peers+dmpeers+monlist



On Mon, Oct 12, 2020 at 09:58:31AM -0700, Bill Unruh wrote:
> Do those "security manuals" explain what the problem is that they are trying
> to solve by these disablings?

No, unfortunately not, at least not the requirements we have for
our project.  All I know is that they come from some European
security standard, so it's most likely some well known issue.

> I suspect even in ntpd what they mean is that these commands should not be
> turned on, rather than explicitly disabled. Ie, the sysadmin must explicitly
> enable them rather than explicitly disable them. monlist seems to report all
> of the past connection sources, which means that a request from such a
> server can return far more data than was in the request.
> This opens a denial of service attack possibility. (You send a short packet,
> they send a whole gob of material tying up the network.)
>
> I suspect both others are similar. So this has to do with the remote query
> abilities of ntpd.

Sounds legible, but I can only guess whether using chrony instead
of ntpd fulfils the requirements or if extra work has to be spent.

Ciao

Dominik ^_^  ^_^

--

Dominik Vogt
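The quoted reply explains the monlist problem (a short query answered with a long list of past clients, usable for amplification) and points at the remote-query surface of ntpd in general. As an added illustration that is not part of the thread and not taken from either project's documentation, the fragments below show the usual ntpd hardening for that surface next to the chrony.conf directives that cover the same ground; the addresses are placeholders for the local host. All directives shown are real ntp.conf / chrony.conf keywords, but which of them a given hardening standard actually requires is not something the thread settles.

```conf
# ntp.conf (ntpd): shut the remote-query surface that monlist belongs to.
# "disable monitor" turns off the MRU list that mode-7 monlist reads;
# "noquery" refuses mode-6/mode-7 control and monitoring queries from
# everyone, time service itself stays available.
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# chrony.conf: chronyd has no monlist and no mode-7 query interface, so there
# is nothing to "disable"; what remains is the chronyc command channel
# (UDP 323, bound to the loopback addresses by default) and the per-client
# access table behind "chronyc clients".
cmdport 0              # no UDP command port at all; chronyc uses the Unix socket
noclientlog            # keep no table of past client addresses in the first place
# Alternative to "cmdport 0" if UDP 323 must stay up for a local tool:
#   bindcmdaddress 127.0.0.1
#   bindcmdaddress ::1
#   cmdallow 127.0.0.1
# Serving time to clients is opt-in in chrony: without an "allow" line,
# chronyd answers no NTP clients at all.
```

The practical difference for an audit is that ntpd has to be told to stop answering, while chronyd has to be told to start; checking a chrony host therefore means confirming that no `cmdallow` or `bindcmdaddress` line exposes UDP 323 beyond the host, and that `allow` covers only the intended clients.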

