NTP vulnerability

fadhel Sh
Level 1

Hi all,
From the vulnerability scan, we got the below issue for NTP for Cisco Switch.

Threat: The NTP service running on the host allows queries of NTP variables.

Impact: A remote user can obtain sensitive information about the host by querying various variables. The information obtained can aid in further attacks against the system.

Solution: Please reconfigure NTP to restrict remote access.

Could somebody please advise how to fix it?

Regards,

Accepted Solutions

M02@rt37
VIP

Hello @fadhel Sh,

Start to limit ntp updates from identified servers

ntp access-group peer XX

XX == ACL standard id with servers identified.
Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


johnd2310
Level 8

Hi,

You need to create access lists that restrict queries to your switches but allow your switches to get time from NTP servers. The following is an example:

ip access-list standard 10
permit x.x.x.x
permit y.y.y.y
ip access-list standard 20
deny any
!
ntp access-group peer 10
ntp access-group serve-only 20
ntp access-group query-only 20
ntp server x.x.x.x
ntp server y.y.y.y

Access list 10 specifies the NTP servers that are allowed to provide time to the switch. Access list 20 denies access.

ntp access-group peer 10 specifies that we only get time from servers defined in access list 10.

ntp access-group serve-only 20 specifies that we do not serve time to anyone.

ntp access-group query-only 20 specifies that we do not allow queries from anyone.

Thanks

**Please rate posts you find helpful**
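As an added check, not part of this thread, here is a small Python audit that applies the pattern in the answer above to a saved running-config: it parses the standard ACLs and flags a peer ACL that permits any, serve-only/query-only ACLs that are not an explicit deny-all, and ntp servers that the peer ACL does not permit. The addresses are constructed placeholders, and the parser assumes the `ip access-list standard <id>` syntax used in the answer.

```python
import re
from collections import defaultdict
# Constructed sample: the answer's config with x.x.x.x / y.y.y.y filled in (RFC 5737 addresses).
GOOD_CONFIG = """
ip access-list standard 10
 permit 192.0.2.10
 permit 192.0.2.11
ip access-list standard 20
 deny any
ntp access-group peer 10
ntp access-group serve-only 20
ntp access-group query-only 20
ntp server 192.0.2.10
ntp server 192.0.2.11
"""

def parse_acls(config):
    """Return {acl_id: [(action, target), ...]} for each standard ACL block."""
    acls, current = defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list standard (\S+)$", line)
        entry = re.match(r"(permit|deny) (?:host )?(\S+)", line)
        if header:
            current = header.group(1)
        elif entry and current:
            acls[current].append((entry.group(1), entry.group(2)))
        elif line and line != "!":
            current = None  # any other command ends the ACL block
    return acls

def audit_ntp(config):
    """List deviations from the restrictive pattern above; an empty list means compliant."""
    acls = parse_acls(config)
    groups = dict(re.findall(r"^ntp access-group (peer|serve-only|query-only|serve) (\S+)", config, re.M))
    servers = set(re.findall(r"^ntp server (\S+)", config, re.M))
    findings = [f"missing: ntp access-group {k}" for k in ("peer", "serve-only", "query-only") if k not in groups]
    for kind in ("serve-only", "query-only"):  # these ACLs must be an explicit deny-all
        acl = groups.get(kind)
        if acl and acls.get(acl) != [("deny", "any")]:
            findings.append(f"{kind} ACL {acl} does not deny everything")
    peer_acl = groups.get("peer")  # must list exactly the configured time sources, never 'any'
    if peer_acl:
        permitted = {t for a, t in acls.get(peer_acl, []) if a == "permit"}
        if "any" in permitted:
            findings.append(f"peer ACL {peer_acl} permits any")
        else:
            findings += [f"ntp server {s} not permitted by peer ACL {peer_acl}" for s in sorted(servers - permitted)]
    return findings
```

Run `audit_ntp(open("running-config.txt").read())` against a config pulled from the switch; any non-empty result is a line the scanner's finding would still apply to.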
