ntpd: Don't answer status queries

Workaround for CVE-2013-5211: http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
2024-11-22 15:03:28 +00:00 · 2014-02-03 23:41:35 +01:00 · 2014-02-03 23:41:35 +01:00 · 9e7fe29e41
commit 9e7fe29e41
parent d451d12128
1 changed files with 3 additions and 0 deletions
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@ -15,6 +15,9 @@ let
    # chroot to ${stateDir}, we have to specify it as /ntp.drift.
    driftfile /ntp.drift

+    restrict default kod nomodify notrap nopeer noquery
+    restrict -6 default kod nomodify notrap nopeer noquery
+
    ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)}
  '';