From bd260c9febeea4d0b739f3c327e499b2a6adb710 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vin=C3=ADcius=20Ferr=C3=A3o?= <2031761+viniciusferrao@users.noreply.github.com>
Date: Sun, 26 Apr 2026 16:06:58 -0300
Subject: [PATCH] fix: harden makentp generated ntp.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ntpd config generated by makentp had no access restrictions, explicitly disabled authentication, and was vulnerable to CVE-2013-5211 amplification attacks. Add restrict lines to block unauthorized access, add iburst for faster initial sync, replace "disable auth" with "disable monitor".

Security hardening applies to all platforms including AIX (xntpd supports the same restrict directives). The chrony path (EL8+) is unaffected — it delegates to setupntp.

Fixes #2435
---
 xCAT-server/lib/xcat/plugins/makentp.pm | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/xCAT-server/lib/xcat/plugins/makentp.pm b/xCAT-server/lib/xcat/plugins/makentp.pm
index 47aeca6cc..41212ebb6 100644
--- a/xCAT-server/lib/xcat/plugins/makentp.pm
+++ b/xCAT-server/lib/xcat/plugins/makentp.pm
@@ -320,14 +320,17 @@ sub process_request {
 or xCAT::MsgUtils->message('SE', "Cannot open $ntpcfg for NTP update. \n");
 
+ print CFGFILE "restrict default nomodify notrap nopeer noquery\n";
+ print CFGFILE "restrict 127.0.0.1\n";
+ print CFGFILE "restrict ::1\n\n";
+
 if (defined($ntp_servers) && $ntp_servers) {
 my @npt_server_array = split(',', $ntp_servers);
 
 # add ntp servers one by one
 foreach my $ntps (@npt_server_array) {
 if (!$ntp_master) {
 $ntp_master = $ntps;
 }
- print CFGFILE "server ";
- print CFGFILE "$ntps\n";
+ print CFGFILE "server $ntps iburst\n";
 }
 }
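Review bot: `restrict default nomodify notrap nopeer noquery` covers IPv6 only on ntpd 4.2.6 and newer; on older ntpd builds (and the ntpv3-derived AIX xntpd that the commit message says shares these directives) `restrict default` applies to IPv4 alone, and `restrict ::1` may not parse at all, so the IPv6 side would either stay open or the daemon would reject the file. If any supported platform still ships such a daemon, pair the line with `print CFGFILE "restrict -6 default nomodify notrap nopeer noquery\n";` or guard the IPv6 lines on the platform branch below, and confirm on AIX that the generated ntp.conf still loads. The policy is also worth stating in the generated file itself, e.g. `print CFGFILE "# serve time to everyone; control/monitor queries only from localhost\n";`, since whoever reads ntp.conf on a node sees only the bare directives. `process_request` and the `open CFGFILE` these prints depend on start outside the hunk; that open only logs on failure, so the new lines go to an unopened handle in that case — pre-existing, but a `return` after the message would now matter more.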
@@ -337,20 +340,19 @@ sub process_request {
 if (xCAT::Utils->isAIX()) {
 print CFGFILE "driftfile /etc/ntp.drift\n";
 print CFGFILE "tracefile /etc/ntp.trace\n";
- print CFGFILE "disable auth\n";
 print CFGFILE "broadcastclient\n";
 } elsif ($os =~ /sles/) {
 print CFGFILE "driftfile /var/lib/ntp/drift/ntp.drift\n";
- print CFGFILE "disable auth\n";
 } else {
 print CFGFILE "driftfile /var/lib/ntp/drift\n";
- print CFGFILE "disable auth\n";
 }
 
 #add xCAT mn/sn itself as a server
 print CFGFILE "server 127.127.1.0\n";
 print CFGFILE "fudge 127.127.1.0 stratum 10\n";
 
+ print CFGFILE "disable monitor\n";
+
 close CFGFILE;
 
 my $ntp_service = "ntpserver";
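Review bot: Removing `disable auth` from the AIX branch while keeping `broadcastclient` likely leaves that line inert: with authentication enabled (ntpd's default once the override is gone) and the new `restrict default ... nopeer` in effect, an unauthenticated broadcast server cannot mobilize an association, so AIX hosts that relied on broadcast time would silently stop receiving it. Either drop `broadcastclient` as well, or document the new precondition next to it, e.g. `# broadcastclient now requires keys/trustedkey since auth is enabled`, so the behaviour change is visible to whoever maintains the AIX path. `close CFGFILE;` is still unchecked; now that this file is the access-control boundary for the daemon, a failed flush should be reported the same way the open is, `close CFGFILE or xCAT::MsgUtils->message('SE', "Cannot write $ntpcfg: $!\n");`. `process_request` continues past the end of the hunk.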