Securing NTP

azore2007
Level 1

Hi all!

We had an external scan on our IP ranges and some of our network equipment got flagged for some security issues.

Log from the scan:

Port ntp (123/udp)

NTP read variables

Synopsis :

An NTP server is listening on the remote host.

Description :

An NTP (Network Time Protocol) server is listening on this port.

It provides information about the current date and time of the

remote system and may provide system information.

Risk factor :

None

Now, the risk factor is none, but they still want me to have a look.

I have only configured this on our router:

ntp clock-period 17180157
ntp peer 10.10.10.10
ntp server 192.xxx.x.xxx
ntp server 193.xxx.x.xxx
ntp server 193.xxx.x.xxx

Is there anything else that I can do to prevent external scans from finding out about the open NTP port on the router?

Will it even help if I do an "ntp access-group" setup? Or will external sources still see the open NTP server on my router?

Or is there some other tip out there for this?

Thank you

8 Replies

John Blakley
VIP Alumni

You can set up an ACL and allow only the servers that you're querying access to it.

ip access-list extended OUTSIDE
 remark one entry per NTP server you query (replies come from UDP 123)
 permit udp host 192.xxx.x.xxx eq ntp any eq ntp
 remark drop NTP from anyone else, keep other inbound traffic as before
 deny udp any any eq ntp
 permit ip any any
interface FastEthernet4
 ip access-group OUTSIDE in

--John

HTH, John *** Please rate all useful posts ***

tcordier
Level 1

To increase the security of NTP you should use NTP authentication. That would also need to be enabled on the server, and this may not be an option if the servers are not under your control. NTP authentication will, however, not stop your router from responding to port scans on this port. Enabling access-lists alongside NTP authentication will take care of port scans, as all NTP packets from sources you do not permit will be silently discarded.

An interesting source for all things security on a Cisco router can be found on the website of the NSA: http://www.nsa.gov/snac/routers/C4-040R-02.pdf

HTH, Thomas

Anders

John has suggested one approach using access lists and access-group to apply the access list on an interface. And it would effectively prevent other machines from seeing NTP activity on your router. If you already have an access list assigned on the interface it would be easy to incorporate this logic into it.

There is another approach to securing NTP and it would not involve an access list looking at every packet going through an interface but would only act on traffic to the router for NTP. You can use ntp access-group to secure NTP traffic and only allow NTP from addresses that you specify. There is an ntp access-group peer which uses a standard access list to control to whom you look to learn NTP (would be both ntp server and ntp peer addresses) and there is an ntp access-group serve-only which uses a standard access list to control to whom you will offer NTP (your ntp peer and any other machines that look to this router for NTP). This is a more targeted approach to securing NTP than using access lists applied to interfaces. Conceptually it is similar to the way that you can use access-class under the VTY to control who can access the router remotely as a more efficient solution than using access lists on interfaces to control telnet or ssh access packets.

HTH

Rick

Thanks for all the help!

Rick, a follow-up question regarding NTP access-groups.

Even if I used ntp access-groups, would outside scans still reveal my open NTP port in the summary?

I have a language problem when trying to figure out what the command option "serve" means.

Is it the same as NTP server ?

" 1. peer-Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.

2. serve-Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.

3. serve-only-Allows only time requests from a device whose address passes the access list criteria.

4. query-only-Allows only NTP control queries from a device whose address passes the access list criteria. "

Thanks so much!

Anders

I do not know how the scan identifies active or listening ports. Does it send a packet on that port and listen for a response? In that case I would think that the ntp access-group would prevent the scan from reporting your router. Or does the scan send a packet on that port and listen for the "port unreachable" response? In that case I am not clear whether the ntp access-group would prevent your router being listed or not.

I agree that the language is difficult to understand. In my experience any address that you have configured in ntp server needs to be permitted in ntp access-group peer. You would permit in ntp access-group serve (or serve-only) addresses for which you would send time if they send a request to you.

HTH

Rick

gus.dalinis
Level 1

Here is a sample config on how to secure your router. Replace x.x.x.x with your public IP range on the inside interface of your router.

access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 deny any
access-list 11 remark upstream servers plus the local clock source that ntp master creates
access-list 11 permit 192.5.41.40
access-list 11 permit 192.5.41.41
access-list 11 permit 127.127.7.1
ntp access-group peer 11
ntp access-group serve-only 10
ntp master 3
ntp server 192.5.41.41
ntp server 192.5.41.40 prefer

It is my understanding that if you have ntp master configured, you must also have peer access to source 127.127.7.1. The ntp master command creates 127.127.7.1, to which the local router synchronises.
