cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

607
Views
10
Helpful
2
Replies
Highlighted

Making NTP a little more secure

I have NTP working on a 4431 router and the latest pen-test dinged us because it responds to clients on the outside.  I currently synchronize using the ntp.org pool addresses which works but still lets any outsider query the router.  Right now the configuration is pretty basic and the router synchronizes via the external interface

ntp server 0.pool.ntp.org

I do have an internal ntp server and can create more if needed but this router is outside the firewall and only has access to the internal network via the management interface.  Can I use the management interface as the source for ntp traffic like I do for syslog traffic?

logging source-interface GigabitEthernet0 vrf Mgmt-intf
logging host 10.212.3.23 vrf Mgmt-intf

If worse comes to worse, I can get a couple of cheap AWS lightsail servers and turn them into NTP servers with authentication and iptables rules that stop any undesirable traffic.

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Collaborator

Hi,

Hi,

Yes, use your internal NTP server and source NTP from you mgmt interface. You can then disable NTP on the external interface using the interface command "ntp disable". You could also deny NTP on the external interface using an access list. Not sure what your internal NTP server is running, but you could also secure NTP by using authentication.

ntp source GigabitEthernet0
ntp server x.x.x.x


interface "external"
  ntp disable

Thanks

John

**Please rate posts you find helpful**
2 REPLIES 2
Collaborator

Hi,

Hi,

Yes, use your internal NTP server and source NTP from you mgmt interface. You can then disable NTP on the external interface using the interface command "ntp disable". You could also deny NTP on the external interface using an access list. Not sure what your internal NTP server is running, but you could also secure NTP by using authentication.

ntp source GigabitEthernet0
ntp server x.x.x.x


interface "external"
  ntp disable

Thanks

John

**Please rate posts you find helpful**

Thank you.  That put me on

Thank you.  That put me on the right track and it turned out to be simpler than I thought:

ntp server vrf Mgmt-intf ip.add.re.ss

Then disable ntp on the other interfaces and the auditors can go away happy and my routers are less likely to be abused in an ntp reflection DDOS.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards