blocking NTP

here's my NTP config on my 2921 router. i'm just a client syncing its clock with pool.ntp.org

ntp source GigabitEthernet0/1
ntp peer pool.ntp.org prefer

 

so, some white hats at my parent company scan my router and tell me that the NTP service is running on port-channel 15 (which does not include gi0/1, the source of that ntp command above), and i'm therefore vulnerable to an NTP server vulnerability. their fix is to update NTP.conf on my linux server. let's assume they don't care that i'm neither running linux nor an ntp server, and my only recourse is to make it look like NTP is not running on po15. 

i followed this

https://community.cisco.com/t5/network-management/how-to-disable-external-access-to-cisco-ios-ntp-service/td-p/2917955

and put that access list on int po15

 

interface Port-channel15
ip address [removed] 255.255.255.0
ip access-group Block-NTP in
ip flow ingress
ip flow egress
hold-queue 150 in

 

but when i go to https://www.ipvoid.com/udp-port-scan/, it tells me udp 123 is open on my ip address. 

so then i put the "ntp disable" command on po15. but that website still tells me udp 123 is open on my ip address. 

 

so i have both ntp disable and an access list blocking NTP, but NTP is still open. what am i doing wrong?

 


Hello

Along with your ACLs etc., you can secure NTP messages using authentication:

 

example:
ntp authentication-key 100 md5 Tru5t_NtP
ntp authenticate
ntp trusted-key 100
ntp peer 1.1.1.1 key 100



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

even if i'm using public NTP servers? honestly i just want it to look like port-channel15 is not running NTP. which it isn't. but it appears to be. 


Hello

Wasn't aware you were peering with public NTP servers. Curious, is your rtr directly connected to the internet? Don't you have any FW in between for stateful inspection?



kind regards
Paul


i'm just a client syncing its clock with pool.ntp.org

 

using gi0/1 as a source, gi0/1 is the WAN side of the router, connected directly to the carrier's circuit. no firewall. port-channel15 is on the LAN side of the router, and that's the interface that's coming up in this scan as 'running ntp.' i need to make it appear to this scan that port-channel15 is not running NTP. i've added an access list and 'ntp disable' to port-channel15's config, but it still appears to be running NTP. 


Hello

Then your best option is to implement some IOS security; at the very least, context-based ACL (CBAC), reflective ACLs or control plane protection could be applicable. Then in most cases only traffic initiated internally will allow return traffic back in, so in this case the public NTP servers will be allowed but any internet-sourced traffic, including scans, should be denied.

I would also suggest you harden your rtr overall, as having it directly attached to a WAN circuit isn't a good idea without being protected.

After you review the documentation, if you still need an example of CBAC/reflective ACLs, ZBFW or anything else, I'd be happy to provide one.

Harden rtr
Reflective acls
COPP
ZBFW



kind regards
Paul


What device, if not a router, should I have directly connected to the carrier's circuit?



Hello

Depending on how you connect to your ISP, it can be a FW then your router, or your router with a firewall sitting between it and your internal network; if neither of those is applicable, then some IOS security in the form of Zone-Based Firewall or CBAC etc., just like I posted previously.



kind regards
Paul


there is a palo alto firewall between my router and my internal network. but that firewall isn't relevant to this discussion, because we are talking about my internet router, which is connected directly to the internet. we can pretend it's a T1 circuit and the router is using serial interfaces that firewalls don't have, if that makes more sense. 

 

- what does "ntp disable" do, if not disable NTP on an interface?
- if i have specified one "serial" interface as the "ntp source", why is a port scanner finding port 123 open on a different "ethernet" interface?
- if i have configured an inbound access list blocking NTP on my ethernet interface per the link in my original post, why is a port scanner still finding port 123 open on that ethernet interface?

 


https://community.cisco.com/t5/security-management/ntp-vulnerability-issue/td-p/3373288

 

i think this does what i want. i was unaware that the "ntp server pool.ntp.org" command turned my router into an NTP server in addition to an NTP client. so while udp 123 is still listening, we can create an access list that denies everything, and apply that access list to the "serve-only" and "query-only" parts of NTP, and this won't interfere with the client's ability to sync its clock with an external source. 

 

access-list 50 deny any

ntp access-group serve-only 50

ntp access-group query-only 50

 

i downloaded an NTP server testing application, and my routers stopped responding to queries after i put that in. 
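As an added example (not from this thread, and not Cisco's code), here is a small Python audit that reads a running-config as text and reports whether the NTP process would still answer inbound time requests or control queries. The three sample configs inside are constructed from the commands quoted in the thread; the meaning of "serve-only" and "query-only" and the order in which IOS scans the access groups are taken from Cisco's description of the ntp access-group command and are marked as assumptions in the comments.

```python
"""Audit an IOS running-config (as text) for NTP server/control exposure.
Added example; sample configs are constructed, not captured from a device."""
import re

# Constructed sample: the original poster's client-only config, before the fix.
CONFIG_BEFORE = """\
ntp source GigabitEthernet0/1
ntp peer pool.ntp.org prefer
"""

# Constructed sample: the same config after adding the deny-all access groups.
CONFIG_AFTER = """\
access-list 50 deny any
ntp source GigabitEthernet0/1
ntp peer pool.ntp.org prefer
ntp access-group serve-only 50
ntp access-group query-only 50
"""

# Constructed sample: an ACL that still lets one subnet request time, and no
# query-only group at all.
CONFIG_PARTIAL = """\
access-list 60 permit 10.0.0.0 0.0.0.255
ntp server pool.ntp.org
ntp access-group serve-only 60
"""

NTP_CLIENT_RE = re.compile(r"^ntp (?:server|peer) \S+", re.M)
NTP_GROUP_RE = re.compile(r"^ntp access-group (serve-only|query-only|serve|peer) (\S+)", re.M)
STD_ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$", re.M)

# Inbound packet types each group governs. Assumption, from Cisco's description
# of "ntp access-group": serve-only = time requests, query-only = control
# queries; "serve" covers both and "peer" additionally allows synchronization.
GROUP_SCOPE = {
    "serve-only": "time requests",
    "query-only": "control queries",
}


def parse_standard_acls(config):
    """Map ACL number -> list of (action, source) entries, in config order."""
    acls = {}
    for number, action, source in STD_ACL_RE.findall(config):
        acls.setdefault(number, []).append((action, source.strip()))
    return acls


def acl_permits_anyone(entries):
    """True if any entry permits. A standard ACL ends with an implicit deny,
    so an ACL holding only deny lines matches no source at all."""
    return any(action == "permit" for action, _ in entries)


def ntp_exposure(config):
    """Return a list of findings. An empty list means inbound NTP time
    requests and control queries are both closed off by access groups."""
    findings = []
    if not NTP_CLIENT_RE.search(config):
        return findings  # no ntp server/peer line: the NTP process is not started
    acls = parse_standard_acls(config)
    groups = dict(NTP_GROUP_RE.findall(config))
    # Assumption (Cisco docs): IOS scans peer, then serve, then serve-only, then
    # query-only, first match wins, so a permissive wide group re-opens what
    # the narrow deny-all groups close.
    for wide in ("peer", "serve"):
        acl = groups.get(wide)
        if acl is not None and acl_permits_anyone(acls.get(acl, [])):
            findings.append(f"{wide}: ACL {acl} permits sources for full NTP service")
    for group, scope in GROUP_SCOPE.items():
        acl = groups.get(group)
        if acl is None:
            findings.append(f"{group}: no access-group, so any host may send {scope}")
        elif acl not in acls:
            findings.append(f"{group}: ACL {acl} is referenced but not defined; verify on the device")
        elif acl_permits_anyone(acls[acl]):
            findings.append(f"{group}: ACL {acl} still permits {scope} from some sources")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("partial", CONFIG_PARTIAL)):
        print(name, ntp_exposure(cfg) or ["closed"])
```

Feed it the output of show running-config and it reports "closed" only when both narrow groups point at an ACL with no permit entry and no wider group permits anyone; note that it reads the NTP process configuration, not interface ACLs, which is exactly the distinction the thread turns on.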


Hello
You still need at least a working ACL negating access to anything other than between your NTP source and the public servers on your WAN rtr, so try amending your WAN interface ACL:

 

ip access-list extended NTP
permit udp host <public ntp> host <internal ntp source> eq ntp
deny udp any any eq ntp
permit ip any any

 

int x/x
description wan
ip access-group NTP in



kind regards
Paul


my NTP server is a pool of rotating IPs. i don't really care if my routers are able to query other NTP servers; my goal was to block incoming NTP queries. have i not done that by allowing zero hosts to "serve-only" and "query-only"?
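To make concrete what "serve-only" and "query-only" each cover, here is an added Python example (not part of the thread) that builds and decodes the 48-byte NTP packet header: the mode bits in the first byte separate the router's own outgoing client request (mode 3) from an inbound control query (mode 6), and a lookup table says which access group governs each. The mode-to-group mapping is an assumption taken from Cisco's description of the command; the timestamps and packets are constructed.

```python
"""Decode NTP packet headers and map inbound modes to IOS ntp access-groups.
Added example; the group mapping is an assumption from Cisco's command docs."""
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

MODE_NAMES = {
    1: "symmetric active", 2: "symmetric passive", 3: "client",
    4: "server", 5: "broadcast", 6: "control", 7: "private",
}

# Assumption (Cisco's ntp access-group description): serve-only governs time
# requests (mode 3), query-only governs control queries (mode 6), peer governs
# symmetric synchronization (mode 1). Other modes are deliberately unmapped.
GOVERNING_GROUP = {3: "serve-only", 6: "query-only", 1: "peer"}


def unix_to_ntp(unix_seconds):
    """Convert a Unix timestamp to a 64-bit NTP timestamp (seconds, fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * 2**32)
    return whole, frac


def ntp_to_unix(seconds, fraction):
    """Inverse of unix_to_ntp, returning a float Unix timestamp."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_packet(mode, version=4, stratum=0, tx_unix=0.0):
    """Build a minimal NTP packet: LI=0, given version and mode, a stratum
    byte, and only the transmit timestamp (bytes 40-47) filled in."""
    if not 0 <= mode <= 7 or not 1 <= version <= 4:
        raise ValueError("mode must be 0-7 and version 1-4")
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | mode
    pkt[1] = stratum
    struct.pack_into("!II", pkt, 40, *unix_to_ntp(tx_unix))
    return bytes(pkt)


def build_client_request(tx_unix):
    """The packet the router sends to pool.ntp.org when acting as a client."""
    return build_packet(mode=3, tx_unix=tx_unix)


def classify(packet):
    """Decode the header and report which access group governs the packet."""
    if len(packet) < 48:
        raise ValueError("NTP packets are at least 48 bytes")
    first = packet[0]
    mode = first & 0x07
    secs, frac = struct.unpack_from("!II", packet, 40)
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES.get(mode, "reserved"),
        "stratum": packet[1],
        "transmit_unix": ntp_to_unix(secs, frac),
        "governing_group": GOVERNING_GROUP.get(mode),
    }


def refused_by_closed_groups(packet, closed_groups=("serve-only", "query-only")):
    """True if this inbound packet falls under one of the named groups, i.e.
    would be refused once each points at an ACL that permits no host."""
    return classify(packet)["governing_group"] in closed_groups


if __name__ == "__main__":
    for mode in (3, 6, 4):
        pkt = build_packet(mode, stratum=2, tx_unix=1_700_000_000)
        info = classify(pkt)
        print(info["mode_name"], info["governing_group"], refused_by_closed_groups(pkt))
```

Mode 4 (the answers to the router's own requests) is left unmapped on purpose: whether the router still accepts those once the groups are in place depends on how the IOS release applies them, so after the change confirm synchronization with show ntp status and show ntp associations rather than inferring it from the scan result.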