[ntp:questions] Mitigating the ::1 spoof vulnerability
Harlan Stenn
stenn at ntp.org
Fri Feb 6 22:44:02 UTC 2015
Marco Marongiu writes:
> Hi there
>
> I'm referring to this one in particular: "::1 can be spoofed on some
> OSes, so ACLs based on IPv6 ::1 addresses can be bypassed".
>
> Debian Squeeze doesn't have a patched package available in the
> squeeze-lts series yet. On those clients would a restriction like
>
> restrict ::1 ignore
>
> mitigate the vulnerability?
I think so, but it will also make it much harder to use ntpq and other
things. It also won't do anything to protect other services that might
use source ACLs for protection.
Better to:
- fix your firewall rules to block ::1 incoming packets on external
interfaces
- just build 4.2.8p1 and install it
H
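
The firewall suggestion in the reply above, as an added example that is not part of the original post: a small audit that reads ip6tables-save output and checks that packets claiming source ::1 are dropped on an external interface before any rule accepts them. The interface name eth0, the function names and both sample rulesets are assumptions constructed for illustration.

```sh
# Added example; rulesets and the interface name eth0 are constructed.
# Rule being audited for (apply as root, placed first in the chain):
#   ip6tables -I INPUT 1 ! -i lo -s ::1/128 -j DROP

# Read ip6tables-save output on stdin. Succeed only if, for interface $1, an
# INPUT rule drops source ::1 before any ACCEPT rule that could apply to it.
# Conservative: an earlier ACCEPT fails the audit even if narrowed by port.
audit_ruleset() {
    awk -v ifc="$1" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            src = ""; inif = ""; neg = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-i") { inif = $(i + 1); neg = ($(i - 1) == "!") }
                if ($i == "-j") target = $(i + 1)
            }
            # Skip rules that cannot match packets arriving on ifc.
            if (inif != "" && ((!neg && inif != ifc) || (neg && inif == ifc))) next
            loop = (src == "::1/128" || src == "::1")
            if (target == "DROP" && loop) { ok = 1; exit }
            if (target == "ACCEPT" && (src == "" || loop)) exit
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed ruleset: spoofed ::1 is dropped before NTP is accepted.
sample_good() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
EOF
}

# Constructed ruleset: NTP is accepted first, so the drop rule is never reached.
sample_bad() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
COMMIT
EOF
}
```

On a live host the input would come from `ip6tables-save | audit_ruleset eth0`, run as root.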