here's my NTP config on my 2921 router. i'm just a client syncing its clock with pool.ntp.org
ntp source GigabitEthernet0/1
ntp peer pool.ntp.org prefer
so, some white hats at my parent company scan my router and tell me that the NTP service is running on port-channel 15 (which does not include gi0/1, the source of that ntp command above), and i'm therefore vulnerable to an NTP server vulnerability. their fix is to update NTP.conf on my linux server. let's assume they don't care that i'm neither running linux nor an ntp server, and my only recourse is to make it look like NTP is not running on po15.
i followed this
and put that access list on int po15
ip address [removed] 255.255.255.0
ip access-group Block-NTP in
ip flow ingress
ip flow egress
hold-queue 150 in
but when i go to https://www.ipvoid.com/udp-port-scan/, it tells me udp 123 is open on my ip address.
so then i put the "ntp disable" command on po15. but that website still tells me udp 123 is open on my ip address.
so i have both ntp disable and an access list blocking NTP, but NTP is still open. what am i doing wrong?
Along with your ACLs etc., you can secure NTP messages using authentication:
ntp authentication-key 100 md5 Tru5t_NtP
ntp trusted-key 100
ntp peer 22.214.171.124 key 100
even if i'm using public NTP servers? honestly i just want it to look like port-channel15 is not running NTP. which it isn't. but it appears to be.
Wasn't aware you were peering with public NTP servers. Curious: is your rtr directly connected to the internet? Don't you have any FW in between for stateful inspection?
i'm just a client syncing its clock with pool.ntp.org
using gi0/1 as a source, gi0/1 is the WAN side of the router, connected directly to the carrier's circuit. no firewall. port-channel15 is on the LAN side of the router, and that's the interface that's coming up in this scan as 'running ntp.' i need to make it appear to this scan that port-channel15 is not running NTP. i've added an access list and 'ntp disable' to port-channel15's config, but it still appears to be running NTP.
Then your best option is to implement some IOS security; at the very least, context-based ACL (CBAC), reflexive ACLs or control plane protection could be applicable. Then in most cases only internally initiated traffic will allow return traffic back in, so in this case the public NTP servers will be allowed but any internet-sourced traffic, including scans, should be denied.
I would also suggest you harden your rtr overall, as having it directly attached to a WAN circuit isn't a good idea without being protected.
After you review the documentation, if you still need an example of CBAC/reflexive ACLs, ZBFW or anything else, I'd be happy to provide one.
Depending on how you connect to your ISP, it can be a FW then your router, or your router with a firewall sitting in between that and your internal network; if neither of those is applicable, then some IOS security in the form of Zone-Based Firewall or CBAC etc., just like I have posted previously.
there is a palo alto firewall between my router and my internal network. but that firewall isn't relevant to this discussion, because we are talking about my internet router, which is connected directly to the internet. we can pretend it's a T1 circuit and the router is using serial interfaces that firewalls don't have, if that makes more sense.
- what does "ntp disable" do, if not disable ntp on an interface?
- if i have specified one "serial" interface as the "ntp source", why is a port scanner finding port 123 open on a different "ethernet" interface?
- if i have configured an inbound access list blocking NTP on my ethernet interface per the link in my original post, why is a port scanner still finding port 123 open on that ethernet interface?
i think this does what i want. i was unaware that the "ntp server pool.ntp.org" command turned my router into an NTP server in addition to an NTP client. so while udp 123 is still listening, we can create an access list that denies everything, and apply that access list to the "serve-only" and "query-only" parts of NTP, and this won't interfere with the client's ability to sync its clock with an external source.
access-list 50 deny any
ntp access-group serve-only 50
ntp access-group query-only 50
i downloaded an NTP server testing application, and my routers stopped responding to queries after i put that in.
You still need at least a working ACL negating access to anything other than between your NTP source and the public servers on your WAN rtr, so try amending your WAN interface ACL:
ip access-list extended NTP
permit udp host <public ntp> host <internal ntp source> eq ntp
deny udp any any eq ntp
permit ip any any
ip access-group NTP in
my NTP server is a pool of rotating IPs. i don't really care if my routers are able to query other NTP servers; my goal was to block incoming NTP queries. have i not done that by allowing zero hosts to "serve-only" and "query-only"?