Re: [chrony-users] Disabling peers+dmpeers+monlist




chrony has a peer directive but it needs to be explicitly turned on. Read man chrony.conf
So look in chrony.conf.

Do those "security manuals" explain what the problem is that they are trying
to solve by these disablings?

I suspect even in ntpd what they mean is that these commands should not be
turned on, rather than explicitly disabled. I.e., the sysadmin must explicitly
enable them rather than explicitly disable them.

monlist seems to report all of the past connection sources, which means that a
request from such a server can return far more data than was in the request.
This opens a denial of service attack possibility. (You send a short packet,
they send a whole gob of material tying up the network.)

I suspect both others are similar. So this has to do with the remote query
abilities of ntpd.




On Mon, 12 Oct 2020, Dominik Vogt wrote:

Hi folks,

some local security manual requires that the commands "peers",
"dmpeers" and "monlist" are disabled on an ntp server to be set
up.  While these are mentioned in the ntpdc documentation, there's
nothing in the chrony* manuals (we use RHEL 8 that comes with
chrony).

1. Are these commands ntpd specific or also supported by chronyd?

2a. If so, how can they be disabled?  Can this be tested using
chronyc?

2b. If not, is there comparable functionality in chronyd?
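The reply says the place to check is chrony.conf itself: chrony only acts as a symmetric peer when a `peer` directive is present. The following audit script is an added example, not code from the chrony project or from either poster. It parses a chrony.conf text and reports any `peer` directive and any `cmdallow` directive (the directive that opens chronyd's command port to remote hosts), with line numbers, so the result can be attached to the "is it disabled?" question from the security manual. Assumptions: chrony treats lines beginning with `#`, `%`, `;` or `!` as comments and matches directive names case-insensitively; `include` lines are only listed, not followed. The sample config is constructed.

```python
"""Audit a chrony.conf for 'peer' and 'cmdallow' directives.

Added example (not chrony's own code). Assumes chrony.conf comment lines
start with '#', '%', ';' or '!' and that directive names are
case-insensitive. 'include' directives are reported but not followed.
"""
import sys

COMMENT_CHARS = "#%;!"          # assumed chrony.conf comment characters


def parse_directives(conf_text):
    """Return [(lineno, name, args)] for every non-comment, non-empty line.

    Directive names are lower-cased so 'Peer' and 'peer' compare equal
    (assumed to match chrony's own case-insensitive matching).
    """
    directives = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue                      # whole-line comment or blank
        parts = line.split()
        directives.append((lineno, parts[0].lower(), parts[1:]))
    return directives


def find_peers(conf_text):
    """Return [(lineno, args)] for each 'peer' directive in the config."""
    return [(n, args) for n, name, args in parse_directives(conf_text)
            if name == "peer"]


def audit(conf_text):
    """Summarise the directives relevant to the thread's question.

    peers:    symmetric-peer associations (the chrony analogue of ntpd peers)
    cmdallow: hosts permitted to talk to the command port from the network
    includes: further files that would need the same check
    """
    report = {"peers": [], "cmdallow": [], "includes": []}
    for n, name, args in parse_directives(conf_text):
        if name == "peer":
            report["peers"].append((n, args))
        elif name == "cmdallow":
            report["cmdallow"].append((n, args))
        elif name == "include":
            report["includes"].append((n, args))
    return report


# Constructed sample config; addresses are RFC 5737 documentation space.
SAMPLE_CONF = """\
# constructed sample, not a real host's configuration
server ntp1.example.net iburst
! peer 192.0.2.10                 (commented out with '!')
peer 192.0.2.11 minpoll 6
cmdallow 192.0.2.0/24
include /etc/chrony.d/*.conf
"""


def main(argv):
    # With a path argument, audit that file; otherwise audit the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONF
    report = audit(text)
    for key, entries in report.items():
        if not entries:
            print(f"{key}: none configured")
        for lineno, args in entries:
            print(f"{key}: line {lineno}: {' '.join(args)}")
    # Non-zero exit if a peer is configured, for use in a compliance check.
    return 1 if report["peers"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_chrony.py /etc/chrony.conf` on RHEL 8; an exit status of 1 means a `peer` directive is active, which is the condition the manual's "peers disabled" item is asking about. A `cmdallow` entry is worth reviewing separately, since it is what lets remote hosts query chronyd at all.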




