mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-29 06:45:54 +03:00
nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)
Fixes #50732
This commit is contained in:
parent
d209180c78
commit
dacbd5a61a
@ -111,6 +111,16 @@
|
||||
without Syncthing resetting the permission on every start.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>ntp</literal> module now has sane default restrictions.
|
||||
If you're relying on the previous defaults, which permitted all queries
|
||||
and commands from all firewall-permitted sources, you can set
|
||||
<varname>services.ntp.restrictDefault</varname> and
|
||||
<varname>services.ntp.restrictSource</varname> to
|
||||
<literal>[]</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Package <varname>rabbitmq_server</varname> is renamed to
|
||||
|
@ -15,6 +15,10 @@ let
|
||||
configFile = pkgs.writeText "ntp.conf" ''
|
||||
driftfile ${stateDir}/ntp.drift
|
||||
|
||||
restrict default ${toString cfg.restrictDefault}
|
||||
restrict -6 default ${toString cfg.restrictDefault}
|
||||
restrict source ${toString cfg.restrictSource}
|
||||
|
||||
restrict 127.0.0.1
|
||||
restrict -6 ::1
|
||||
|
||||
@ -36,11 +40,40 @@ in
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to synchronise your machine's time using the NTP
|
||||
protocol.
|
||||
Whether to synchronise your machine's time using ntpd, as a peer in
|
||||
the NTP network.
|
||||
</para>
|
||||
<para>
|
||||
Disables <literal>systemd.timesyncd</literal> if enabled.
|
||||
'';
|
||||
};
|
||||
|
||||
restrictDefault = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
The restriction flags to be set by default.
|
||||
</para>
|
||||
<para>
|
||||
The default flags prevent external hosts from using ntpd as a DDoS
|
||||
reflector, setting system time, and querying OS/ntpd version. As
|
||||
recommended in section 6.5.1.1.3, answer "No" of
|
||||
http://support.ntp.org/bin/view/Support/AccessRestrictions
|
||||
'';
|
||||
default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
|
||||
};
|
||||
|
||||
restrictSource = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
The restriction flags to be set on source.
|
||||
</para>
|
||||
<para>
|
||||
The default flags allow peers to be added by ntpd from configured
|
||||
pool(s), but not by other means.
|
||||
'';
|
||||
default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
|
||||
};
|
||||
|
||||
servers = mkOption {
|
||||
default = config.networking.timeServers;
|
||||
description = ''
|
||||
@ -51,6 +84,7 @@ in
|
||||
extraFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = "Extra flags passed to the ntpd command.";
|
||||
example = literalExample ''[ "--interface=eth0" ]'';
|
||||
default = [];
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user