Bug 859190

Summary: network:time/ntp: DDOS
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dirk Stoecker <opensuse>
Component: Network Assignee: E-mail List <bnc-team-screening>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P5 - None    
Version: 13.1 Milestone 4   
Target Milestone: 13.2 Milestone 0   
Hardware: Other   
OS: openSUSE 13.1   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: My default ntp configuration from a Hetzner Ubuntu server

Description Dirk Stoecker 2014-01-17 11:33:22 UTC
The current NTP default setup does not differentiate between internal and external access.

The default setup should be modified, so that external access is restricted and admins need to remove restrictions when wanted. Probably 99% of all NTP installations aren't meant to be worldwide visible, but SUSE defaults are extremely open.

E.g. Ubuntu has:
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
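
A check for the default restrictions described in the report above, as an added example that is not part of the original bug report or of any project's code. The function names and the sample configurations are constructed for illustration. It assumes a bare `restrict default` applies to both IPv4 and IPv6 and that flags from repeated lines accumulate; defaults written as an address with a mask are not handled.

```python
# Flags taken from the Ubuntu default lines quoted in the report.
EXPECTED = {"kod", "notrap", "nomodify", "nopeer", "noquery"}

def default_restrictions(conf_text):
    """Collect the flags on 'restrict default' lines, per address family."""
    found = {"-4": None, "-6": None}  # None means no default line seen
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        families = ["-4", "-6"]  # assumption: bare 'default' covers both
        if args[0] in ("-4", "-6"):
            families, args = [args[0]], args[1:]
        if not args or args[0] != "default":
            continue  # per-host or per-network rule, not the default entry
        for fam in families:
            # assumption: repeated default lines add their flags together
            found[fam] = (found[fam] or set()) | set(args[1:])
    return found

def missing_flags(conf_text):
    """Return, per family, the expected flags absent from the default entry."""
    result = {}
    for fam, flags in default_restrictions(conf_text).items():
        if flags is None:
            result[fam] = set(EXPECTED)   # no default line: nothing restricted
        elif "ignore" in flags:
            result[fam] = set()           # 'ignore' denies all packets
        else:
            result[fam] = EXPECTED - flags
    return result

# Constructed sample configurations (not copied from any distribution).
OPEN_CONF = "server 0.pool.ntp.org\nrestrict 127.0.0.1\nrestrict -6 ::1\n"
RESTRICTED_CONF = """# By default, exchange time with everybody
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
"""
PARTIAL_CONF = "restrict default notrap nomodify nopeer  # no kod/noquery\n"

if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("restricted", RESTRICTED_CONF),
                       ("partial", PARTIAL_CONF)]:
        print(name, {f: sorted(m) for f, m in missing_flags(conf).items()})
```
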
Comment 1 Dirk Stoecker 2014-01-17 11:35:11 UTC
Created attachment 574790 [details]
My default ntp configuration from a Hetzner Ubuntu server
Comment 2 Reinhard Max 2014-01-17 13:35:24 UTC
The security team decided that we only need to change this in Factory.

BTW, the Bugzilla product openSUSE.org is about the openSUSE project and its infrastructure. Bugs against openSUSE should be reported against either openSUSE Factory or one of the released versions.

*** This bug has been marked as a duplicate of bug 857195 ***