
Sigh. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733940

FWIW, if you install the ntp package and do ntpdc -n -c monlist localhost you'll get a response but I haven't checked if it's configured by default to reject non-LAN requests.



FWIW, here's what I got on an Ubuntu 12.04.3 server running on my LAN. It looks like we should be fine with the defaults on Ubuntu at least. (Obviously always a good idea to use ufw/iptables to block everything you don't need exposed so you don't have to worry about stuff like this).

Before installing ntp (from another host on my LAN):

  $ ntpdc -n -c monlist 192.168.1.50
  ntpdc: read: Connection refused

After installing ntp (from another host on my LAN):

  $ ntpdc -n -c monlist 192.168.1.50
  192.168.1.50: timed out, nothing received
  ***Request timed out

After installing ntp (from the server itself):

  $ ntpdc -n -c monlist localhost
  remote address          port local address      count m ver rstr avgint  lstint
  ===============================================================================
  91.189.94.4              123 192.168.1.50         1 4 4    1d0     54      54
  ...


Thanks, I should have checked this.


Debian's something I checked when I first started seeing this, and their default config is not vulnerable.

Being able to do this via localhost is not a problem, it's when it's open to the internet.


Just tried it on my server. Works for localhost but times out remotely
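
The three results reported in this thread (connection refused, timeout, a monlist table) can be told apart mechanically when checking several of your own servers. The script below is an added example, not part of any comment here; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the thread.

# classify_monlist: read the output of "ntpdc -n -c monlist HOST" on stdin, print one of
#   no-ntpd    nothing listening on udp/123 (connection refused)
#   no-reply   query went unanswered (restricted by ntpd, firewalled, or host down)
#   open N     monlist was answered; N is the number of client rows returned
#   unknown    output matched none of the above
classify_monlist() {
    awk '
        /Connection refused/                 { refused = 1 }
        /timed out|nothing received/         { timeout = 1 }
        /^remote address/                    { table = 1; next }
        # data rows follow the header: address, numeric port, local address, ...
        table && NF >= 9 && $2 ~ /^[0-9]+$/  { rows++ }
        END {
            if (table)        print "open " (rows + 0)
            else if (refused) print "no-ntpd"
            else if (timeout) print "no-reply"
            else              print "unknown"
        }'
}

# check_host HOST: run the probe quoted in the thread against one of your own hosts.
check_host() {
    printf '%s\t%s\n' "$1" "$(ntpdc -n -c monlist "$1" 2>&1 | classify_monlist)"
}

# Constructed sample outputs, modelled on the three results quoted in the thread.
sample_refused() { printf '%s\n' 'ntpdc: read: Connection refused'; }
sample_timeout() {
    printf '%s\n' '192.168.1.50: timed out, nothing received' '***Request timed out'
}
sample_table() {
    cat <<'EOF'
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
91.189.94.4              123 192.168.1.50         1 4 4    1d0     54      54
EOF
}

# Offline demonstration on the samples; use check_host for a live check.
for s in sample_refused sample_timeout sample_table; do
    printf '%s\t%s\n' "$s" "$($s | classify_monlist)"
done
```

Run `check_host` from a machine outside the LAN for each server you operate: an `open` result from there is the case that matters, while an answer on localhost is expected.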



