Maniphest T6080

Default NTP server settings
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Aldemaro
	Feb 29 2024, 2:13 PM

Tags

Referenced Files

None

Subscribers

Description

Per default VyOS will allow NTP clients from 0.0.0.0/0 to reach it's NTP server.

That kind of configuration is not recommended, and would allow malicious usage by NTP reflection DDoS attacks, taking up bandwidth and making the internet as a whole a bit more unsafe.

My suggestion is to completely remove "set service ntp allow-client" from the default VyOS configuration, as any admin that has the knowledge to setup a router from scratch should also be able to configure the NTP server to allow NTP requests from it’s client’s prefixes when needed.

If anyone is able to tell me where the default configurations are, I'm able to make the PR.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Security vulnerability

Related Objects

Mentioned In: T6123: Limit NTP allow-client config to internal addresses by default

Event Timeline

Aldemaro created this task.Feb 29 2024, 2:13 PM

Aldemaro created this object in space S1 VyOS Public.

pasik added a subscriber: pasik.Feb 29 2024, 4:27 PM

Giggum mentioned this in T6123: Limit NTP allow-client config to internal addresses by default.Tue, Apr 2, 8:23 PM

matthewr added a subscriber: matthewr.Wed, Apr 3, 8:02 AM

dmbaturin added a project: Restricted Project.Thu, Apr 4, 10:33 PM

Editing config.boot.default has addressed this. Pull request opened for comments/integration here: https://github.com/vyos/vyos-build/pull/559

Viacheslav changed the task status from Open to In progress.Thu, Apr 11, 4:08 PM

Viacheslav assigned this task to Giggum.

Giggum closed this task as Resolved.Mon, Apr 22, 7:42 PM