makentp generates an insecure default configuration, as it:

- listens on all interfaces, and there doesn't seem to be a way in xCAT to specify that the MN NTP server should be restricted to specific interfaces (similar to site.dnsinterfaces)
- includes no restriction of any type in the generated ntp.conf, in particular no way to disable the monitoring facility that can be used in amplification attacks (CVE-2013-5211).
In comparison, the default RHEL/CentOS ntp.conf contains the following statements:
```
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
```
Generating a one-size-fits-all configuration may be out of reach, but having a way to include an external, static configuration file in the generated ntp.conf, similar to what's described in #2423, would greatly improve the situation.

I guess that would be a good thing for all the generated configuration files, such as:
- /etc/named.conf
- /etc/hosts
- /etc/dhcp/dhcpd.conf
- /etc/ntp.conf
- /etc/conserver.cf
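Added here as an illustration (not xCAT's code nor the issue author's): a small Python audit that checks an ntp.conf for the `restrict default` flags and `disable monitor` statement shown in the CentOS file above, and appends a static, admin-maintained fragment to a generated file the way the issue proposes. The sample generated file and fragment are constructed for the example.

```python
# Added audit example, not xCAT code; sample configs below are constructed.
REQUIRED_DEFAULT_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}

# Constructed stand-in for makentp output: no restrict lines, monitor left enabled.
GENERATED = "driftfile /var/lib/ntp/drift\nserver 10.0.0.1 iburst\n"

# Constructed admin-maintained fragment, modelled on the CentOS defaults quoted above.
STATIC_FRAGMENT = """restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

def parse_ntp_conf(text):
    """Yield (keyword, args) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the hardening is present."""
    findings, default_flags, monitor_disabled = [], None, False
    for keyword, args in parse_ntp_conf(text):
        if keyword == "restrict":
            if args and args[0] in ("-4", "-6"):   # 'restrict -4 default ...' form
                args = args[1:]
            if args and args[0] == "default":
                default_flags = set(args[1:])      # keep the last default line seen
        elif keyword == "disable" and "monitor" in args:
            monitor_disabled = True
    if default_flags is None:
        findings.append("no 'restrict default' line: any host may query or modify ntpd")
    else:
        missing = sorted(REQUIRED_DEFAULT_FLAGS - default_flags)
        if missing:
            findings.append("restrict default lacks: " + " ".join(missing))
    if not monitor_disabled:
        findings.append("monitor facility enabled (monlist amplification, CVE-2013-5211)")
    return findings

def merge_static_fragment(generated, fragment):
    """The issue's proposal: append an admin-maintained fragment verbatim to the generated file."""
    return generated.rstrip("\n") + "\n\n# --- static fragment ---\n" + fragment.strip("\n") + "\n"

if __name__ == "__main__":
    print(audit_ntp_conf(GENERATED))
    print(audit_ntp_conf(merge_static_fragment(GENERATED, STATIC_FRAGMENT)))
```

Run against the constructed generated file, the audit reports both gaps; after the fragment is appended it reports none.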