cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8894
Views
15
Helpful
2
Replies

How to disable ntp queries

jigarrg
Beginner
Beginner

Hi,

Our Infosec team send us a vulnerability list, in which one was disable ntp queries.

Currently i dont have an acl on ntp, it is just configured as ntp server x.x.x.x source port-channel 1.1.

 

How do i disable ntp queries and what all command i need to do?

2 Accepted Solutions

Accepted Solutions

Pedro Arrieta
Beginner
Beginner

Hi jigarrg,

 

About NTP, you can implement ACLs to secure your NTP service, you can allow traffic from a source and deny the rest, for example:

 

I have 3 routers (R1, R2, R3 and R4) -> R2 (10.1.0.1), R3 (10.2.0.2) and R4 (10.3.0.3)

 

Using Peer:

Then on R1:

R1(config)#access-list 1 permit 10.1.0.1 log
R1(config)#access-list 1 permit 10.2.0.2 log
R1(config)#access-list 1 deny any log
R1(config)#ntp access-group peer 1

and the output:


%SEC-6-IPACCESSLOGNP: list 1 denied 0 10.3.0.3 -> 0.0.0.0, 30 packets
%SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.0.1 -> 0.0.0.0, 1 packet
%SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.2.0.2 -> 0.0.0.0, 1 packet

Hope it helps,

 

 

View solution in original post

luis_cordova
VIP Advisor VIP Advisor
VIP Advisor

Hi @jigarrg,

 

I found this link very informative:

https://labs.apnic.net/?p=464

 

Regards

View solution in original post

2 Replies 2

Pedro Arrieta
Beginner
Beginner

Hi jigarrg,

 

About NTP, you can implement ACLs to secure your NTP service, you can allow traffic from a source and deny the rest, for example:

 

I have 3 routers (R1, R2, R3 and R4) -> R2 (10.1.0.1), R3 (10.2.0.2) and R4 (10.3.0.3)

 

Using Peer:

Then on R1:

R1(config)#access-list 1 permit 10.1.0.1 log
R1(config)#access-list 1 permit 10.2.0.2 log
R1(config)#access-list 1 deny any log
R1(config)#ntp access-group peer 1

and the output:


%SEC-6-IPACCESSLOGNP: list 1 denied 0 10.3.0.3 -> 0.0.0.0, 30 packets
%SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.1.0.1 -> 0.0.0.0, 1 packet
%SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.2.0.2 -> 0.0.0.0, 1 packet

Hope it helps,

 

 

luis_cordova
VIP Advisor VIP Advisor
VIP Advisor

Hi @jigarrg,

 

I found this link very informative:

https://labs.apnic.net/?p=464

 

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers