https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918393#M1104037 <P>Hi,</P><P>You need to create access lists that restrict queries to your switches but allow your switches to get time&nbsp; from NTP servers. The following is an example:</P><P>ip access-list standard 10<BR />permit x.x.x.x<BR />permit y.y.y.y<BR />ip access-list standard 20<BR />deny any<BR />!<BR />ntp access-group peer 10<BR />ntp access-group serve-only 20<BR />ntp access-group query-only 20<BR />ntp server x.x.x.x<BR />ntp server y.y.y.y</P><P>Access list 10 specifies the NTP servers that are allowed to provide time to the switch. Access list 20 denies access.</P><P>ntp access-group peer 10 specifies that we only get time from servers defined in access list 10.</P><P>ntp access-group serve-only 20 specifies that we do not server time to anyone.</P><P>ntp access-group query-only 20 specifies that we do no allow queries from anyone.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Tue, 05 Sep 2023 23:57:41 GMT johnd2310 2023-09-05T23:57:41Z https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918041#M1104012 <P>Hi all,</P><P>&nbsp;</P><P>From the vulnerability scan, we got the below issue for NTP for Cisco Switch.</P><P>Threat: The NTP service running on the host allows queries of NTP variables.</P><P>Impact: A remote user can obtain sensitive information about the host by querying various variables. The information obtained can aid in further attacks against the system.</P><P>Solution: Please reconfigure NTP to restrict remote access.</P><P>&nbsp;</P><P>Could somebody please advise how to fix it.</P><P>&nbsp;</P><P>Regards,</P> Tue, 05 Sep 2023 12:06:32 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918041#M1104012 fadhel Sh 2023-09-05T12:06:32Z https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918091#M1104016 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1586415">@fadhel Sh</a>,</P><P>Start to limit <SPAN>ntp updates from identified servers</SPAN></P><P><STRONG>ntp access-group peer XX</STRONG></P><P><STRONG>XX</STRONG> == ACL standard id with servers identified.</P><P>&nbsp;</P> Tue, 05 Sep 2023 12:47:45 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918091#M1104016 M02@rt37 2023-09-05T12:47:45Z https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918393#M1104037 <P>Hi,</P><P>You need to create access lists that restrict queries to your switches but allow your switches to get time&nbsp; from NTP servers. The following is an example:</P><P>ip access-list standard 10<BR />permit x.x.x.x<BR />permit y.y.y.y<BR />ip access-list standard 20<BR />deny any<BR />!<BR />ntp access-group peer 10<BR />ntp access-group serve-only 20<BR />ntp access-group query-only 20<BR />ntp server x.x.x.x<BR />ntp server y.y.y.y</P><P>Access list 10 specifies the NTP servers that are allowed to provide time to the switch. Access list 20 denies access.</P><P>ntp access-group peer 10 specifies that we only get time from servers defined in access list 10.</P><P>ntp access-group serve-only 20 specifies that we do not server time to anyone.</P><P>ntp access-group query-only 20 specifies that we do no allow queries from anyone.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Tue, 05 Sep 2023 23:57:41 GMT https://community.cisco.com/t5/network-security/ntp-vulnerability/m-p/4918393#M1104037 johnd2310 2023-09-05T23:57:41Z