NTP services running on internet routers

Hi

 

Two internet routers, version 15.5(3)S4b, ISR4431/K9.

We have configured only: ntp server 132.163.96.5, and have not enabled any NTP services on either router.

But we are getting in the tool: NTP services running on internet routers.

 

Please help

 

Thanks

manse


 

 - Please elaborate, I find your question not clear.

  M.


Hi,

 

    The moment you configure a router as NTP server (ntp master), or as NTP client (ntp server x.x.x.x), or as NTP peer (ntp peer x.x.x.x), it's gonna open the NTP socket, start listening on UDP 123. You can verify this by "show control-plane host open-ports".


Regards,
Cristian Matei.


manse

 

I am not clear whether finding ntp services running on your routers is an issue, or is just a surprise. @Cristian Matei is exactly right that when you configure the router with ntp server so that your router will learn authoritative ntp time, then ntp services are inherently started on your router. If that is an issue, and if you want to restrict your router to learning ntp time but not sharing ntp time then you should look into configuring ntp access groups to limit what your router will do.

HTH

Rick

Hi Matei,

 

We have configured NTP Client (NTP server x.x.x.x) only.

 

An internal security scan found our router is vulnerable to the ntp mode 6 vulnerability (ntp mode 6 Botnet infections/vulnerable services).

The Internet security scan found the NTP service is running on the Internet routers.

 

Regards

Manse


Hello,

 

on a side note, you might want to have a look at the bug below:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum44673/?rfs=iqvred


Hi Georg,

 

Please suggest which IOS version we need to upgrade to.

Any other suggestion, ACL or IOS upgrade?

 

Thanks 

 


 

 - IOS is known to have security bugs concerning NTP; an alternative architecture would be Intranet NTP server/services -> DMZ NTP server -> ISP NTP services. The benefit is also that the NTP architecture becomes separate from the routing and switching services.

 M.


Hi 

 

We have tested with the tool and we received: router and switch NTP services are running.

 

4 devices are synchronized with outside NTP server : NTP server 132.163.96.5

 

Kindly find attachment file.


Hi,

 

   An IOS upgrade will not make UDP port 123 closed. You have the following options, from recommended to least recommended:

   1. use internal NTP servers, and have an inbound ACL on your ISP-facing interface, where you drop traffic destined to the router on UDP 123

   2. use external NTP servers, and configure ZBFW with a self-->outside policy, where you inspect egress NTP packets so that only return packets are allowed, so the Internet NTP servers cannot initiate a session towards your router

   3. use external NTP servers, and have an inbound ACL on your ISP-facing interface, where you allow NTP traffic ONLY from your configured NTP servers.

 

Regards,

Cristian Matei.


Manse has explained that the issue is that their security team has run a scan and has identified a vulnerability associated with running ntp on their router. I do not believe that any of the suggestions from @Cristian Matei really address this. I believe that there is one other alternative to consider which is to configure ntp access groups which can limit (or prevent) the router providing ntp time to any other devices. And I am not clear whether this suggestion would be adequate to satisfy their security team.

HTH

Rick
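As an added illustration of both suggestions above (Cristian's option 3, an inbound ACL on the ISP-facing interface, and Rick's ntp access-group), here is an IOS configuration fragment that is not from this thread. It assumes the interface name GigabitEthernet0/0/0, the internal range 10.0.0.0/8 and the server 132.163.96.5 named in the thread; the "permit ip any any" line is only a placeholder for the router's existing inbound policy.

```cisco
! Added example, not from the thread. Interface name and internal range are assumed.
!
! Option A: ntp access-group. Only the configured upstream server may be a peer
! (time requests, control queries, and the router may sync to it). Internal hosts
! may only request time (serve-only), so mode 6 control queries from them get no
! answer. Packets matching no group are dropped by the NTP process.
ntp server 132.163.96.5
access-list 10 remark NTP peer: the configured upstream server only
access-list 10 permit host 132.163.96.5
access-list 20 remark NTP serve-only: assumed internal LAN range
access-list 20 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! Option B: inbound ACL on the ISP-facing interface. NTP to the router is accepted
! only from the configured server; everything else on UDP 123 is dropped before
! the NTP process ever sees it, so the access-group above is a second layer.
ip access-list extended ISP-INBOUND
 remark NTP replies from the configured server only
 permit udp host 132.163.96.5 eq ntp any eq ntp
 deny   udp any any eq ntp
 remark PLACEHOLDER: replace with the existing inbound policy
 permit ip any any
!
interface GigabitEthernet0/0/0
 description assumed ISP-facing interface
 ip access-group ISP-INBOUND in
!
! Verification: the client should still be synchronised, and the open UDP 123
! listener remains but now only answers the permitted sources.
! show ntp status
! show ntp associations
! show control-plane host open-ports
```

Since the peer group trusts the server's source address alone, the interface ACL is what keeps arbitrary Internet hosts from reaching the NTP process at all; re-running the scan after both are applied confirms whether the mode 6 finding clears.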

Hi,

 

  @Richard Burts "ntp mode 6 Botnet infections/vulnerable services" is a generic message, it is not really bound to a specific attack vector; it's pretty much saying that he's running NTP, which we know is vulnerable. The solution is for him to run a stable good, which "guarantees" fewer bugs, and apply a solution to secure the NTP service as best as possible; alternatives would be the ones I mentioned or the NTP access-class, as you specified.

  The moment you expose your router to the Internet for NTP, you can just forget about the security and stability of that device. You could combine it with CPPr to save the CPU, but you're still vulnerable, as this is how NTP is.


Regards,

Cristian Matei.


Hi

 

I am totally confused.

 

My internal servers are NTP synchronized with Internet Router1 and Router2.

My Internet routers and switches are NTP synchronized with the outside NTP server.

 

An internal security scan found our router is vulnerable to the ntp mode 6 vulnerability (ntp mode 6 Botnet infections/vulnerable services).

We found 4 devices with NTP services running.

 

 

 


Hi,

 

    You just need to secure the NTP service, as right now it's wide open and anyone can access it. You were given a couple of options above.

 

Regards,

Cristian Matei.