
NTP insecure defaults



My hosting provider recently pointed my attention to the fact that my
Jessie installation was running NTP and listening and responding to the
outside world, which is considered a security risk due to the
possibility of amplification attack DDoSes.

Turns out the Debian default is indeed to provide time service if you
install NTP. Shouldn't that be limited to localhost only, so that an
admin must deliberately open up the service if they want to provide NTP
service to the outside world?

I thought of opening a bug, but I'd like a second opinion
first. Thoughts anyone?

Mart

-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.
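A quick way to check the "listening to the outside world" half of the report above, added here as an example and not part of the original message: parse `ss -uln` output and list every UDP port 123 socket bound to something other than loopback. The sample output, its addresses and the function names are constructed for illustration.

```python
import ipaddress

NTP_PORT = "123"
WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed sample of `ss -uln` output (documentation addresses, not from the post).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q   Local Address:Port   Peer Address:Port
UNCONN  0      0           192.0.2.10:123               *:*
UNCONN  0      0            127.0.0.1:123               *:*
UNCONN  0      0                    *:123               *:*
UNCONN  0      0                    *:68                *:*
UNCONN  0      0         fe80::1%eth0:123              :::*
UNCONN  0      0                  ::1:123              :::*
UNCONN  0      0                   :::123              :::*
"""


def local_endpoint(line):
    """Return (address, port) of the local socket on one ss line, or None."""
    for token in line.split():
        if ":" in token:
            # The first colon-bearing column is Local Address:Port.
            addr, port = token.rsplit(":", 1)
            # Drop IPv6 brackets and any %interface scope suffix.
            return addr.strip("[]").split("%")[0], port
    return None


def exposed_ntp_listeners(ss_output):
    """List local addresses on UDP 123 that are reachable beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        endpoint = local_endpoint(line)
        if endpoint is None or endpoint[1] != NTP_PORT:
            continue  # header line, or a socket on another port
        addr = endpoint[0]
        if addr in WILDCARDS:
            exposed.append(addr)  # bound to every interface
            continue
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # unparseable address: report it rather than hide it
        exposed.append(addr)
    return exposed
```

An empty result means the daemon is bound to loopback only; a non-empty one shows where it listens, not whether its access rules actually answer remote queries.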

