Opening this task based on discussion from this forum thread: https://forum.vyos.io/t/default-ntp-settings/13903
Recommendation is to change default:
ntp {
    allow-client {
        address "0.0.0.0/0"
        address "::/0"
    }
}
To:
ntp {
    allow-client {
        address "127.0.0.0/8"
        address "::1/128"
        address "10.0.0.0/8"
        address "172.16.0.0/12"
        address "192.168.0.0/16"
        address "169.254.0.0/16"
        address "fc00::/7"
        address "fe80::/10"
    }
}
This would restrict access to NTP to internal use IPs.
I'd be happy to submit a PR but would need one of the experts to chime in on whether the default values are configured from the ntp migration script here:
https://github.com/vyos/vyos-1x/blob/f237e75e9fd156c2e4ce15dd6ca8fd4d5d8790cc/src/migration-scripts/ntp/1-to-2
Removing:
    config.set(new_base_path + ['allow-client', 'address'], value='0.0.0.0/0', replace=False)
    config.set(new_base_path + ['allow-client', 'address'], value='::/0', replace=False)
Adding:
    config.set(new_base_path + ['allow-client', 'address'], value='127.0.0.0/8', replace=False)
    config.set(new_base_path + ['allow-client', 'address'], value='10.0.0.0/8', replace=False)
    config.set(new_base_path + ['allow-client', 'address'], value='172.16.0.0/12', replace=False)
    config.set(new_base_path + ['allow-client', 'address'], value='192.168.0.0/16', replace=False)
    config.set(new_base_path + ['allow-client', 'address'], value='169.254.0.0/16', replace=False)
    config.set(new_base_path + ['allow-client', 'address'], value='fd00::/8', replace=False)
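
An added example, not part of the original task or the VyOS code base: a small Python audit that flags allow-client entries reaching beyond the internal ranges listed in this task and reports which of those ranges a second list leaves uncovered. The function names are hypothetical, and the sample inputs are constructed from the values quoted in this task.

```python
import ipaddress
import re

# Internal-use ranges proposed in this task as the new allow-client default.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def extract_addresses(config_text):
    """Pull the address values out of an allow-client config block."""
    return re.findall(r'address\s+"?([0-9A-Fa-f:./]+)"?', config_text)


def _covered(net, networks):
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(net.version == n.version and net.subnet_of(n) for n in networks)


def exposed_entries(entries):
    """Entries that admit clients from outside the internal ranges."""
    return [e for e in entries
            if not _covered(ipaddress.ip_network(e, strict=False), INTERNAL)]


def missing_from(candidate, reference):
    """Reference ranges that the candidate list does not fully cover."""
    cand = [ipaddress.ip_network(c, strict=False) for c in candidate]
    return [r for r in reference
            if not _covered(ipaddress.ip_network(r, strict=False), cand)]


# Constructed inputs, built from the values quoted in this task.
CURRENT_DEFAULT = 'ntp { allow-client { address "0.0.0.0/0" address "::/0" } }'
MIGRATION_VALUES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                    "192.168.0.0/16", "169.254.0.0/16", "fd00::/8"]

if __name__ == "__main__":
    print("exposed:", exposed_entries(extract_addresses(CURRENT_DEFAULT)))
    print("exposed:", exposed_entries(MIGRATION_VALUES))
    print("not covered by migration values:",
          missing_from(MIGRATION_VALUES, [str(n) for n in INTERNAL]))
```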