Securing NTP

Unanswered Question
Nov 5th, 2008

Hi all!

We had an external scan on our IP ranges and some of our network equipment got flagged for some security issues.

Log from the scan:

Port ntp (123/udp)

NTP read variables

Synopsis :

An NTP server is listening on the remote host.

Description :

An NTP (Network Time Protocol) server is listening on this port.

It provides information about the current date and time of the

remote system and may provide system information.

Risk factor :


Now, the risk factor is none, but they still want me to have a look.

I have only configured this in our router.

ntp clock-period 17180157

ntp peer

ntp server

ntp server

ntp server

Is there anything else that I can do to just prevent external scans from finding out my open NTP port on the router?

Will it even help if I do an "ntp access-group" setup? Or will external sources still see my open NTP server on my router?

Or is there some other tip out there for this?

Thank you

John Blakley Wed, 11/05/2008 - 07:27

You can set up an acl and allow only your servers that you're querying access to it.

ip access-list ext OUTSIDE

permit udp host any eq ntp

int fa4 (outside interface)

ip access-group OUTSIDE in


tcordier Wed, 11/05/2008 - 07:46

To increase the security of NTP you should use NTP authentication. That would also need to be enabled on the server, and this may not be an option if the servers are not under your control. NTP authentication will however not stop your router from responding to port scans on this port. Enabling access-lists alongside NTP authentication will take care of port scans, as all NTP packets from sources you do not permit will be silently discarded.

An interesting source for all things security on a Cisco router can be found on the website of the NSA:

HTH, Thomas

Richard Burts Wed, 11/05/2008 - 08:13


John has suggested one approach using access lists and access-group to apply the access list on an interface. And it would effectively prevent other machines from seeing NTP activity on your router. If you already have an access list assigned on the interface it would be easy to incorporate this logic into it.

There is another approach to securing NTP and it would not involve an access list looking at every packet going through an interface but would only act on traffic to the router for NTP. You can use ntp access-group to secure NTP traffic and only allow NTP from addresses that you specify. There is an ntp access-group peer which uses a standard access list to control to whom you look to learn NTP (would be both ntp server and ntp peer addresses) and there is an ntp access-group serve-only which uses a standard access list to control to whom you will offer NTP (your ntp peer and any other machines that look to this router for ntp). This is a more targeted approach to securing NTP than using access lists applied to interfaces. Conceptually it is similar to the way that you can use access-class under the VTY to control who can access the router remotely as a more efficient solution than using access lists on interfaces to control telnet or ssh access packets.



azore2007 Wed, 11/05/2008 - 08:32

Thanks for all the help!

Rick, a follow up question regarding NTP access-groups.

Even if I used ntp access-groups, would outside scans still reveal my open NTP port in the summary?

I have a language problem when trying to figure out what the command option "serve" means.

Is it the same as NTP server ?

"1. peer - Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.

2. serve - Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.

3. serve-only - Allows only time requests from a device whose address passes the access list criteria.

4. query-only - Allows only NTP control queries from a device whose address passes the access list criteria."

Thanks so much!

Richard Burts Wed, 11/05/2008 - 09:01


I do not know how the scan identifies active or listening ports. Does it send a packet on that port and listen for a response? In that case I would think that the ntp access-group would prevent the scan from reporting your router. Or does the scan send a packet on that port and listen for the "port unreachable" response? In that case I am not clear whether the ntp access-group would prevent your router being listed or not.

I agree that the language is difficult to understand. In my experience any address that you have configured in ntp server needs to be permitted in ntp access-group peer. You would permit in ntp access-group serve (or serve-only) addresses for which you would send time if they send a request to you.



Here is a sample config on how to secure your router. Replace x.x.x.x with your public IP range on your inside interface of your router.

access-list 10 permit x.x.x.x

access-list 10 deny any

access-list 11 permit

access-list 11 permit

ntp access-group peer 11

ntp access-group serve-only 10

ntp master 3

ntp server

ntp server prefer

lejoe.thomas Wed, 11/05/2008 - 20:21

It is my understanding that if you have ntp master configured, you must also have peer access to the source that the ntp master command creates, to which the local router synchronises.
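As an added example (not code from the thread), here is a small Python audit that applies the rules given above to an IOS config: every address in ntp server/ntp peer, plus the internal clock that ntp master creates, must be permitted by the ACL bound to ntp access-group peer, and a router with no ntp access-group at all answers any source. The config text and the 127.127.7.1 reference-clock address are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed IOS config (not the thread's real one); the peer ACL deliberately
# omits the second ntp server so the audit has something to report.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 11 permit host 198.51.100.7
access-list 11 permit 127.127.7.1
ntp access-group peer 11
ntp access-group serve-only 10
ntp master 3
ntp server 198.51.100.7 prefer
ntp server 203.0.113.9
"""
REFCLOCK = "127.127.7.1"  # assumption: clock 'ntp master' creates (newer IOS: 127.127.1.1)

def to_network(words):
    """Standard-ACL target ('any', 'host A', 'A', 'A WILDCARD') -> IPv4Network."""
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host" or len(words) == 1:
        return ipaddress.ip_network(words[-1])
    addr, wild = (int(ipaddress.IPv4Address(w)) for w in words[:2])
    mask = ~wild & 0xFFFFFFFF  # wildcard bit set = don't care, so invert into a netmask
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(addr & mask)}/{ipaddress.IPv4Address(mask)}")

def parse_acls(config):
    """Map ACL number -> ordered [(action, network)] for standard numbered ACLs."""
    acls = {}
    for num, action, target in re.findall(r"^access-list (\d+) (permit|deny) (.+)$", config, re.M):
        acls.setdefault(num, []).append((action, to_network(target.split())))
    return acls

def acl_permits(rules, address):
    """IOS semantics: first matching entry wins; implicit deny if nothing matches."""
    ip = ipaddress.ip_address(address)
    return next((action == "permit" for action, net in rules if ip in net), False)

def audit_ntp(config):
    """Every time source (and ntp master's own clock) must pass the peer ACL."""
    groups = dict(re.findall(r"^ntp access-group (\S+) (\d+)", config, re.M))
    if not groups:
        return ["no ntp access-group configured: NTP is answered for any source"]
    peer_rules = parse_acls(config).get(groups.get("peer"), [])
    sources = re.findall(r"^ntp (?:server|peer) (\S+)", config, re.M)
    if re.search(r"^ntp master", config, re.M):
        sources.append(REFCLOCK)
    return [f"time source {src} is not permitted by peer ACL; sync will fail"
            for src in sources if not acl_permits(peer_rules, src)]
```

Run audit_ntp on your own show running-config output; an empty list means every configured time source passes the peer ACL.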

