
Locking Down NTP

ryancisco01
Level 1

We got an email stating one of our Cisco routers was an open NTP server.

The router only needs to be able to sync its time with an internet-based time server. It does not need to serve its time to anyone else. So I did the following:

access-list 30 permit 203.99.129.34 0.0.0.0
access-list 30 deny any
access-list 40 deny any
ntp access-group peer 30
ntp access-group serve-only 40
ntp access-group query-only 40
ntp server 203.99.129.34

Now I can see heaps of hits against the deny entry. However, when I use an online tool like:

http://keetweej.vanheusden.com/query_ntp.php it can still see my NTP server details (exactly the same amount as if I remove the access-groups), which means it must be responding to the NTP query. I don't have an access-list on my outside interface, so I would prefer not to do it that way. But have I done enough to block the NTP security risk?


ryancisco01
Level 1

Just had them retest, they are saying the NTP server is still open.

abpsoft
Level 1

Hi,

Is this IOS XE running on the router in question? I've got a similar problem with 4500Xs running IOS XE and configured with just an access-group peer statement: they actually respond to ntpq -p, while not responding to regular time queries (ntpdate -d). That's apparently a bug, given that the ACL in question counts these queries on the deny-all ACE, but answers come back anyway. My thread didn't get any replies so far, just one "me too" vote.

HTH,

Andre.

mvsheik123
Level 7

Hi,

The below config helped me resolve a similar issue raised by our external pen testing firm.

!
access-list 30 remark PUBLIC NTP SERVERS
access-list 30 permit x.x.x.x
access-list 30 permit y.y.y.y
!
ntp access-group peer 30
ntp max-associations 2
ntp server x.x.x.x
ntp server y.y.y.y
!

hth

MS

MS, my config was exactly the same as yours except I had deny anys at the bottom of my ACLs; I removed those and it is still the same thing.

Can you try testing it yourself? If you go to this website

http://keetweej.vanheusden.com/query_ntp_do.php and put in your IP address, you should get no reply. However, I am still seeing all my NTP information being retrieved even though that website is not in the permitted ACL.

Andre, this is not XE, it's IOS 15.2. It does seem like a bug.

I just tested this the other way:

Extended IP access list 100
    permit ip host 203.99.129.34 any
    deny udp any any eq ntp (45 matches)
    permit ip any any (2276 matches)

and put that on the outside interface. Now the NTP internet test cannot query the NTP server. So I believe this is a bug with the NTP access-group command; it doesn't seem to have any effect.

It would be good to get an official word on this; putting an ACL on the outside interface is not an ideal solution.

ryancisco01
Level 1

Well here we go, this is the issue:

https://tools.cisco.com/bugsearch/bug/CSCuj66318

IOS bug!!

fixed in 15.4
