nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)

Fixes #50732
Brandon Black 2018-11-28 02:15:25 -08:00 committed by Jörg Thalheim
parent d209180c78
commit dacbd5a61a
2 changed files with 46 additions and 2 deletions


@ -111,6 +111,16 @@
without Syncthing resetting the permission on every start. without Syncthing resetting the permission on every start.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>ntp</literal> module now has sane default restrictions.
If you're relying on the previous defaults, which permitted all queries
and commands from all firewall-permitted sources, you can set
<varname>services.ntp.restrictDefault</varname> and
<varname>services.ntp.restrictSource</varname> to
<literal>[]</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Package <varname>rabbitmq_server</varname> is renamed to Package <varname>rabbitmq_server</varname> is renamed to


@ -15,6 +15,10 @@ let
configFile = pkgs.writeText "ntp.conf" '' configFile = pkgs.writeText "ntp.conf" ''
driftfile ${stateDir}/ntp.drift driftfile ${stateDir}/ntp.drift
restrict default ${toString cfg.restrictDefault}
restrict -6 default ${toString cfg.restrictDefault}
restrict source ${toString cfg.restrictSource}
restrict 127.0.0.1 restrict 127.0.0.1
restrict -6 ::1 restrict -6 ::1
@ -36,11 +40,40 @@ in
enable = mkOption { enable = mkOption {
default = false; default = false;
description = '' description = ''
Whether to synchronise your machine's time using the NTP Whether to synchronise your machine's time using ntpd, as a peer in
protocol. the NTP network.
</para>
<para>
Disables <literal>systemd.timesyncd</literal> if enabled.
''; '';
}; };
restrictDefault = mkOption {
type = types.listOf types.str;
description = ''
The restriction flags to be set by default.
</para>
<para>
The default flags prevent external hosts from using ntpd as a DDoS
reflector, setting system time, and querying OS/ntpd version. As
recommended in section 6.5.1.1.3, answer "No" of
http://support.ntp.org/bin/view/Support/AccessRestrictions
'';
default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
};
restrictSource = mkOption {
type = types.listOf types.str;
description = ''
The restriction flags to be set on source.
</para>
<para>
The default flags allow peers to be added by ntpd from configured
pool(s), but not by other means.
'';
default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
};
servers = mkOption { servers = mkOption {
default = config.networking.timeServers; default = config.networking.timeServers;
description = '' description = ''
@ -51,6 +84,7 @@ in
extraFlags = mkOption { extraFlags = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
description = "Extra flags passed to the ntpd command."; description = "Extra flags passed to the ntpd command.";
example = literalExample ''[ "--interface=eth0" ]'';
default = []; default = [];
}; };
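Review bot: The opt-out the release note recommends, `services.ntp.restrictDefault = []`, renders the first hunk's lines as a bare `restrict default` / `restrict -6 default`, which in ntpd means no restrictions at all, and neither option description says so; add to restrictDefault's description `An empty list yields a bare <literal>restrict default</literal>, i.e. no restrictions for any remote host.` and the matching sentence for restrictSource. Both options are `types.listOf types.str`, so a misspelled flag is accepted at evaluation time and only surfaces when ntpd parses its config; if the module wants to catch that earlier it could constrain the element type to the restrict flags ntpd documents, though that would need checking against the ntp version the module ships. The new `restrict source` line is emitted regardless of whether any configured server is a pool; as far as I can tell that is harmless, but a short comment next to the line saying it is intentional would save the next reader the question.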