
ntp.ng conf file issues - NTP DDOS attacks #21

@campbellmc


ntp-formula should configure ntp.conf to mitigate these attacks as default behaviour. However, a quick fix is to adjust the pillar file.

Note that the solution really should have firewall configuration changes as well - but out of scope for this formula.

Here is the ntp.ng pillar.example re-worked to limit the possibility of reflected attacks:

  # An arbitrary key to avoid clashes with the original configuration
  ng:
    # OS-specific data that should, in most cases, be handled by map.jinja.
    # It is an optional key and is only used to override defaults.
    lookup:
      package: ntp
      service: ntpd
      provider: systemd
      ntp_conf: /etc/ntp.conf
    # State-specific options
    settings:
      # If `True`, ntpd will be enabled. Otherwise ntp.conf will be configured
      # but ntpd will not be enabled or started.
      ntpd: True
      # A dictionary of lists, each key corresponds to a conf-file directive in
      # ntp.conf. Eg, the below will compile to:
      #
      #
      #     restrict default ignore
      #     restrict 127.0.0.1
      #     restrict ::1
      #     restrict 0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
      #     restrict 1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
      #
      #     disable monitor
      #
      #     driftfile /var/lib/ntp/ntp.drift
      #
      #     server 0.us.pool.ntp.org
      #     server 1.us.pool.ntp.org
      #
      ntp_conf:
        server:
          - '0.us.pool.ntp.org'
          - '1.us.pool.ntp.org'
        restrict:
          - 'default ignore'
          - '127.0.0.1'
          - '::1'
          - '0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
          - '1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
        driftfile: ['/var/lib/ntp/ntp.drift']
        # !! http://www.team-cymru.org/secure-ntp-template.html
        disable:
          - 'monitor'

Here's a diff of pillar example:

69,70d68
<       #     server 0.us.pool.ntp.org
<       #     server 1.us.pool.ntp.org
71a70
>       #     restrict default ignore
73a73,76
>       #     restrict 0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
>       #     restrict 1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
>       #
>       #     disable monitor
75a79,82
>       #
>       #     server 0.us.pool.ntp.org
>       #     server 1.us.pool.ntp.org
>       #
77,78c84,92
<         server: ['0.us.pool.ntp.org', '1.us.pool.ntp.org']
<         restrict: ['127.0.0.1', '::1']

---
>         server:
>           - '0.us.pool.ntp.org'
>           - '1.us.pool.ntp.org'
>         restrict:
>           - 'default ignore'
>           - '127.0.0.1'
>           - '::1'
>           - '0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
>           - '1.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery'
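Review bot: The two per-server entries in the new `restrict:` list are keyed on pool hostnames (`0.us.pool.ntp.org mask 255.255.255.255 ...`) while the first entry is `default ignore`. Pool names are round-robin DNS, so the address ntpd resolves for a `restrict` line need not be the address it resolves for the matching `server` line, and replies from an address with no restrict entry of its own fall under `default ignore` and are dropped. Consider a default that still accepts time replies, such as `default kod nomodify notrap nopeer noquery`, or, where the ntpd version supports it, `restrict source notrap nomodify noquery`, rather than pinning the exceptions to pool hostnames.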
79a94,96
>         # !! http://www.team-cymru.org/secure-ntp-template.html
>         disable:
>           - 'monitor'
