09-05-2023 05:06 AM
Hi all,
From the vulnerability scan, we got the below issue for NTP for Cisco Switch.
Threat: The NTP service running on the host allows queries of NTP variables.
Impact: A remote user can obtain sensitive information about the host by querying various variables. The information obtained can aid in further attacks against the system.
Solution: Please reconfigure NTP to restrict remote access.
Could somebody please advise how to fix it?
Regards,
09-05-2023 05:47 AM
Hello @fadhel Sh,
Start to limit ntp updates from identified servers
ntp access-group peer XX
XX == ACL standard id with servers identified.
09-05-2023 04:57 PM
Hi,
You need to create access lists that restrict queries to your switches but allow your switches to get time from NTP servers. The following is an example:
ip access-list standard 10
permit x.x.x.x
permit y.y.y.y
ip access-list standard 20
deny any
!
ntp access-group peer 10
ntp access-group serve-only 20
ntp access-group query-only 20
ntp server x.x.x.x
ntp server y.y.y.y
Access list 10 specifies the NTP servers that are allowed to provide time to the switch. Access list 20 denies access.
ntp access-group peer 10 specifies that we only get time from servers defined in access list 10.
ntp access-group serve-only 20 specifies that we do not serve time to anyone.
ntp access-group query-only 20 specifies that we do not allow queries from anyone.
Thanks
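To confirm a switch actually carries the hardening described in this answer, the config can be audited offline. The script below is an added example, not part of the original thread or of Cisco's tooling; its sample running-config is constructed here with RFC 5737 documentation addresses.

```python
"""Audit a Cisco IOS running-config for the NTP access-group hardening
from the thread: 'peer' must reference an ACL permitting only specific
servers; 'serve-only' and 'query-only' must reference a deny-all ACL."""
import re

# Constructed sample config for this example (not from a real device).
SAMPLE_CONFIG = """\
ip access-list standard 10
 permit 192.0.2.10
 permit 192.0.2.11
ip access-list standard 20
 deny any
!
ntp access-group peer 10
ntp access-group serve-only 20
ntp access-group query-only 20
"""

def parse_acls(config):
    """Map each standard ACL name/number to its list of entries."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list standard (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):   # indented ACL entry
            acls[current].append(line.strip())
        else:
            current = None                        # left the ACL block
    return acls

def parse_ntp_groups(config):
    """Map each 'ntp access-group <kind>' to the ACL it references."""
    pat = r"^ntp access-group (peer|serve-only|query-only|serve) (\S+)"
    return dict(re.findall(pat, config, re.M))

def audit_ntp(config):
    """Return findings; an empty list means the hardening is in place."""
    acls, groups, findings = parse_acls(config), parse_ntp_groups(config), []
    for kind in ("serve-only", "query-only"):
        acl = groups.get(kind)
        if acl is None:
            findings.append(f"no 'ntp access-group {kind}' configured")
        elif acl not in acls or any(e.startswith("permit") for e in acls[acl]):
            findings.append(f"{kind} ACL {acl} must exist and contain only deny entries")
    peer = groups.get("peer")
    entries = acls.get(peer, []) if peer else []
    permits = [e for e in entries if e.startswith("permit")]
    if not permits or "permit any" in permits:
        findings.append("peer ACL must permit only the specific NTP servers")
    return findings
```

Feed it the output of `show running-config` from the switch; any non-empty list of findings means the scanner's "NTP variables queryable" issue is still open.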