https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699671#M12595 <P>Different devices typically have different sets of NTP-servers configured. All these servers are queried regularly to pick the "best" server out of the configured pool. These are the requests you are seeing here.</P> <P>If you do not want that these&nbsp;many different servers are queried, you have to configure all your internal&nbsp;devices with the NTP-servers of your choice.</P> <P>Here are some servers to choose from:&nbsp;<A href="http://support.ntp.org/bin/view/Servers/NTPPoolServers" target="_blank">http://support.ntp.org/bin/view/Servers/NTPPoolServers</A></P> Mon, 03 Sep 2018 10:59:54 GMT Karsten Iwen 2018-09-03T10:59:54Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699600#M12529 <P>Hi Experts,</P> <P>I am seeings frequent UDP-123(NTP traffic) logs on Cisco ASA Firewall, which is initiated from Internal LAN to Outside Internet. Source and destination port is 123. Can some one guide, what is causing this?</P> <P>&nbsp;</P> <P>Understand, that UDP-123(NTP traffic) is used for time synchronisation, but why to different set of Public Internet servers frequently?</P> <P>&nbsp;</P> <P>Thanks &amp; Regards</P> <P>Sreeraj</P> Fri, 21 Feb 2020 16:11:03 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699600#M12529 sreeraj.murali 2020-02-21T16:11:03Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699642#M12530 <P>Hello,</P> <P>&nbsp;</P> <P>ASA is doing its job of providing the information it can. You can either block it if required or refer to source and check the source host/server to see what configuration is causing the NTP traffic to be initiated.</P> <P>&nbsp;</P> <P>You can take captures as well on internal interface of ASA is the syslog info is insufficient.</P> <P>&nbsp;</P> <P>HTH<BR />AJ</P> Mon, 03 Sep 2018 10:20:18 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699642#M12530 Ajay Saini 2018-09-03T10:20:18Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699671#M12595 <P>Different devices typically have different sets of NTP-servers configured. All these servers are queried regularly to pick the "best" server out of the configured pool. These are the requests you are seeing here.</P> <P>If you do not want that these&nbsp;many different servers are queried, you have to configure all your internal&nbsp;devices with the NTP-servers of your choice.</P> <P>Here are some servers to choose from:&nbsp;<A href="http://support.ntp.org/bin/view/Servers/NTPPoolServers" target="_blank">http://support.ntp.org/bin/view/Servers/NTPPoolServers</A></P> Mon, 03 Sep 2018 10:59:54 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3699671#M12595 Karsten Iwen 2018-09-03T10:59:54Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701770#M12596 <P>Thank you for the advice provided.</P> <P>Also, please suggest, on the Security vulnerability with respect to NTP protocol and ways to prevent the same. Is builting an Campus NTP Server a recommended solution for the same. Please provide more light/documentation.</P> <P>&nbsp;</P> <P>Thanks &amp; Regards</P> <P>Sreeraj Murali</P> Thu, 06 Sep 2018 06:40:00 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701770#M12596 sreeraj.murali 2018-09-06T06:40:00Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701840#M12597 <P>While ntp as a protocol does have its share of vulnerabilities and is not inherently secure, it is very far down on the list of things to worry about.&nbsp;<SPAN>Keeping accurate time across systems using NTP is a best practice; but spending much time on countermeasures against NTP vulnerabilities has a very very small return on investment.</SPAN></P> <P>&nbsp;</P> <P>I'd focus your efforts on email with phishing links, malware attachments and users browsing to bad websites. That will cover 95% or more of the threats to your infrastructure.</P> <P>&nbsp;</P> Thu, 06 Sep 2018 09:02:48 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701840#M12597 Marvin Rhoads 2018-09-06T09:02:48Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701850#M12598 <P>Thanks. We do Software as a service business, and all the Customer servers are hosted in our SAS environment. Currently, all the linux servers are having the time synchronised from public NTP Server, which i am thinking as a risk with NTP DDoS amblification attack. So, looking for a counter measure to mitigate this. Please advice.</P> Thu, 06 Sep 2018 09:23:28 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701850#M12598 sreeraj.murali 2018-09-06T09:23:28Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701879#M12599 <P>You can always purchase a time server appliance that synchronizes its clock via a GPS antenna. Install it inside your network and then block all udp/123 ntp through your firewall.</P> <P>&nbsp;</P> <P>You can find several with a quick web search. Prices vary widely (US$300 to US$5000) according to how "industrial strength" you need it to be.</P> <P>&nbsp;</P> <P><A href="https://www.amazon.com/TimeMachines-TM1000A-maintains-broadcast-Satellites/dp/B002RC3Q4Q" target="_blank">https://www.amazon.com/TimeMachines-TM1000A-maintains-broadcast-Satellites/dp/B002RC3Q4Q</A></P> <P>&nbsp;</P> <P><A href="https://www.endruntechnologies.com/time-servers.htm" target="_blank">https://www.endruntechnologies.com/time-servers.htm</A></P> <P>&nbsp;</P> <P><A href="https://spectracom.com/products-services/precision-timing/enterprise-class-securesync" target="_blank">https://spectracom.com/products-services/precision-timing/enterprise-class-securesync</A></P> <P>&nbsp;</P> <P>...etc.</P> <P>&nbsp;</P> Thu, 06 Sep 2018 09:55:25 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701879#M12599 Marvin Rhoads 2018-09-06T09:55:25Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701885#M12600 <P>Thanks, Can we have a provision of configuring Windows DNS Server(Domain Controller) as an NTP Server?</P> Thu, 06 Sep 2018 09:58:13 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701885#M12600 sreeraj.murali 2018-09-06T09:58:13Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701893#M12601 <P>You can but it would still need to get time from an Internet-based time source.</P> <P>&nbsp;</P> <P>It's also not designed to scale and hand out time to non-Windows systems. You could just as easily run a small Linux machine to act as your ntp server (or add the service onto an existing utility server you may already have).</P> <P>&nbsp;</P> <P><A href="https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server" target="_blank">https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server</A></P> Thu, 06 Sep 2018 10:10:30 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701893#M12601 Marvin Rhoads 2018-09-06T10:10:30Z https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701894#M12602 <P>You can but it would still need to get time from an Internet-based time source.</P> <P>&nbsp;</P> <P>It's also not designed to scale and hand out time to non-Windows systems. You could just as easily run a small Linux machine to act as your ntp server (or add the service onto an existing utility server you may already have).</P> <P>&nbsp;</P> <P><A href="https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server" target="_blank">https://askubuntu.com/questions/14558/how-do-i-setup-a-local-ntp-server</A></P> Thu, 06 Sep 2018 10:11:15 GMT https://community.cisco.com/t5/network-security/repeated-ntp-udp123-logs-on-firewall/m-p/3701894#M12602 Marvin Rhoads 2018-09-06T10:11:15Z