diff options
| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-02-03 23:41:35 +0100 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-02-03 23:44:11 +0100 |
| commit | 9e7fe29e416736bf2be5aeaf7adbad05d4e175cf (patch) | |
| tree | 0b184762946b5e823c790390361d20f2a9e60a72 /nixos | |
| parent | d451d12128e17ef015e08bad566eac8755ebc44d (diff) | |
| download | nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.tar nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.tar.gz nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.tar.bz2 nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.tar.lz nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.tar.xz nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.tar.zst nixlib-9e7fe29e416736bf2be5aeaf7adbad05d4e175cf.zip | |
ntpd: Don't answer status queries
Workaround for CVE-2013-5211: http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/networking/ntpd.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/ntpd.nix b/nixos/modules/services/networking/ntpd.nix index e5e164021d3a..cdab789cd289 100644 --- a/nixos/modules/services/networking/ntpd.nix +++ b/nixos/modules/services/networking/ntpd.nix @@ -15,6 +15,9 @@ let # chroot to ${stateDir}, we have to specify it as /ntp.drift. driftfile /ntp.drift + restrict default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)} ''; |