even if i'm using public NTP servers? honestly i just want it to look like port-channel15 is not running NTP. which it isn't. but it appears to be. 

Hello

Wasnt aware you were peering with public ntp server,s Curious is your rtr directly connected to the internet , don't you have any FW in between for stateful inspection?

i'm just a client syncing its clock with pool.ntp.org

using gi0/1 as a source, gi0/1 is the WAN side of the router, connected directly to the carrier's circuit. no firewall. port-channel15 is on the LAN side of the router, and that's the interface that's coming up in this scan as 'running ntp.' i need to make it appear to this scan that port-channel15 is not running NTP. i've added an access list and 'ntp disable' to port-channel15's config, but it still appears to be running NTP. 

Hello

Then you best option is to implement some ios security at the very least context based acl could be applicable (CBAC)  Reflective acl or Control plane protection.Then in most cases only traffic internally initiating the traffic will allow return traffic back in,  So in this case the public ntp servers will be allowed but any internet source based traffic including scans should be denied.

I would also suggest you harden you rtr over all as having it directly attached to a wan circuit isn't a good idea without being protected.

After you review the documentation if you still need an example of cbac/reflective acls, zbfw or anything else Id be a happy to provide one

Harden rtr
Reflective acls
COPP
ZBFW

Hello

Depending on how you connect to your isp, it can be a FW then your router or your router with a firewall sitting in between that and your internal network and if either of those isn't applicable, then some ios security in the form Zone Base Firewall or CBAC etc. just like i have posted previously.

there is a palo alto firewall between my router and my internal network. but that firewall isn't relevant to this discussion, because we are talking about my internet router, which is connected directly to the internet. we can pretend it's a T1 circuit and the router is using serial interfaces that firewalls don't have, if that makes more sense. 

-what does "ntp disable" do, if not disable ntp on an interface?

- if i have specified one "serial" interface as the "ntp source", why is a port scanner finding port 123 open on a different "ethernet" interface?

-if i have configured an inbound access list blocking NTP on my ethernet interface per the link in my original post, why is a port scanner still finding port 123 open on that ethernet interface?

https://community.cisco.com/t5/security-management/ntp-vulnerability-issue/td-p/3373288

i think this does what i want. i was unaware that the "ntp server pool.ntp.org" command turned my router into an NTP server in addition to an NTP client. so while udp 123 is still listening, we can create an access list that denies everything, and apply that access list to the "serve-only" and "query-only" parts of NTP, and this won't interfere with the client's ability to sync its clock with an external source. 

access-list 50 deny any

ntp access-group serve-only 50

ntp access-group query-only 50

i downloaded an NTP server testing application, and my routers stopped responding to queries after i put that in. 

Hello
You still need at least a working acl negating access to anything other than between your ntp source and public servers on you wan rtr, so try amending your wan interface acl

ip access-list extended NTP
permit udp host <public ntp> host <internal ntp source> eq ntp
deny udp any any eq ntp
permit ip any any

int x/x
description wan
ip access-group NTP in

my NTP server is a pool of rotating IPs. i don't really care if my routers are able to query other NTP servers; my goal was to block incoming NTP queries. have i not done that by allowing zero hosts to "serve-only" and "query-only"?