NTP Server - Security Question

saquib.tandel
Level 1

Hi

I want to configure an NTP server on a router, and it would be the only source for all other devices on the network (server / routers / linux_boxes).

The router would be directly connected to the internet via a public IP on one interface.

How do I secure the router for the NTP server role only?

Router# conf t
Router(config)# ntp server 192.168.1.15   # (Public IP)
Router(config)# ntp server 172.32.10.55   # (Public IP)
Router(config)# clock timezone PST -8

Any other NTP public server recommended?

8 Replies

Leo Laohoo
Hall of Fame

"192.168.1.15" & "172.32.10.55" are not PUBLIC IP addresses.

any other NTP Public Server recommended?

Here's a list of NTP/SNTP public servers:

http://support.microsoft.com/kb/262680

Hope this helps.  Please don't forget to rate useful posts.  Thanks.

Just a comment:

"192.168.1.15" & "172.32.10.55" are not PUBLIC IP addresses.

172.32.x.x is a public IP.

The private range from class B is only 172.16.0.0 - 172.31.255.255

Federico.

Hitesh Vinzoda
Level 4

Hi,

Configure the router as an NTP server with stratum 1 and authentication on client and server. Stratum 1 will be the preferred server over servers with stratum higher than 1; you may also authenticate clients with the server.

Client

R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 CISCO
R2(config)#ntp trusted-key 1
R2(config)#ntp server 12.0.0.1 key 1

Server

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ntp master 1
R1(config)#ntp authentication-key 1 md5 CISCO

Hope this helps

Hitesh Vinzoda

Pls rate useful posts
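
What the matching key commands in the reply above do on the wire, as an added example that is not part of the original thread and is not Cisco's code: a Python model of the NTP symmetric-key MAC described in RFC 5905 (a 32-bit key ID followed by MD5 over the key and the header). The function names and the zeroed request packet are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header
MAC_LEN = 4 + 16  # 32-bit key ID followed by a 128-bit MD5 digest


def build_request(key_id: int, key: bytes) -> bytes:
    """Client side: append key ID and MD5(key || header) to a request."""
    # First octet: LI=0, VN=4, Mode=3 (client). Timestamps are left zeroed
    # because only the authentication trailer matters for this example.
    header = bytes([(4 << 3) | 3]) + bytes(HEADER_LEN - 1)
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def check_packet(packet: bytes, keys: dict, trusted: set) -> str:
    """Receiver side: classify a packet against local keys and trusted IDs."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed"
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    if key_id not in keys:
        return "unknown key id"
    if key_id not in trusted:
        return "key not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return "ok" if hmac.compare_digest(expected, trailer[4:]) else "bad digest"


if __name__ == "__main__":
    # Constructed values; key ID 1 and the string CISCO mirror the post above.
    pkt = build_request(1, b"CISCO")
    print(check_packet(pkt, {1: b"CISCO"}, {1}))    # same key, trusted
    print(check_packet(pkt, {1: b"cisco"}, {1}))    # key string differs in case
    print(check_packet(pkt, {1: b"CISCO"}, set()))  # key defined, not trusted
```

The digest covers the exact key bytes, so the key string has to match character for character on both sides, and the MAC is only as strong as that string.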

Ganesh Hariharan
VIP Alumni

Hi,

Use authentication or an access list in the NTP server configuration so that only authenticated clients that have the key can sync with the NTP server. Check out the link below for NTP server configuration on switches/routers along with authentication/access lists.

https://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001170

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
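
A small checker for two points raised in the replies above, the RFC 1918 boundary at 172.31.255.255 and the set of client-side authentication commands, added here as an example and not taken from the thread or from Cisco. `address_scope`, `audit_ntp_client` and the sample transcript are illustrative names and constructed input.

```python
import ipaddress
import re

# RFC 1918 private ranges; 172.16.0.0/12 ends at 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the client commands posted in the thread.
SAMPLE_CLIENT = """\
R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 CISCO
R2(config)#ntp trusted-key 1
R2(config)#ntp server 12.0.0.1 key 1
"""


def address_scope(host: str) -> str:
    """Classify an 'ntp server' argument as private, public or hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "private" if any(ip in net for net in RFC1918) else "public"


def audit_ntp_client(transcript: str) -> list:
    """Strip CLI prompts, then list gaps in the NTP authentication commands."""
    cmds = [re.sub(r"^\S+#\s*", "", ln).strip() for ln in transcript.splitlines()]
    keys = {m.group(1) for c in cmds
            if (m := re.fullmatch(r"ntp authentication-key (\d+) md5 \S+", c))}
    trusted = {m.group(1) for c in cmds
               if (m := re.fullmatch(r"ntp trusted-key (\d+)", c))}
    findings = []
    if "ntp authenticate" not in cmds:
        findings.append("ntp authenticate is not enabled")
    for c in cmds:
        if not (m := re.fullmatch(r"ntp server (\S+)(?: key (\d+))?", c)):
            continue
        host, key = m.groups()
        if key is None:
            findings.append(f"{host}: no key on ntp server line")
        elif key not in keys:
            findings.append(f"{host}: key {key} is not defined")
        elif key not in trusted:
            findings.append(f"{host}: key {key} is not a trusted-key")
    return findings


if __name__ == "__main__":
    print(audit_ntp_client(SAMPLE_CLIENT), address_scope("172.32.10.55"))
```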

Hi

I tested the attached config, but it doesn't work.


Server -

NTP# conf t
NTP(config)# clock timezone PST -8
NTP(config)# ntp server clock.via.net
NTP(config)# ntp server nist1.symmetricom.com
NTP(config)# ntp master 1
NTP(config)# ntp authentication-key 1 md5 brief1


Client -
Rx(config)#ntp authenticate
Rx(config)#ntp authentication-key 1 md5 brief1
Rx(config)#ntp trusted-key 1
Rx(config)#ntp server 192.168.1.90 key 1

=============================================

Hi Saquib,

Are you able to reach the NTP server clock.via.net from your switch? And you need to configure ntp master 3 or 2 on your switch, as trusted is configured as stratum 1 in the NTP time server which is configured to sync with your switches.

Hope to Help !!

Ganesh.H

Hi Ganesh,

I have an NTP server sync issue with the NTP global server, and the NTP client cannot sync with the NTP server,

but the NTP server can reach the internet.

The NTP client can ping the NTP server.

Am I missing some config?

Hi

Please check this link, works like a charm for me. It doesn't completely cover your objective but is pretty close,

http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

Pls look for the Cisco Cookbook and check Recipe 14.7, Setting the Router as the NTP Master for the Network

14.7.1 Problem: You want to use the router as an NTP server to act as the primary time source for the network.

And of course this one http://support.ntp.org/bin/view/Support/ConfiguringNTP

Note: access control lists between the router and its NTP peer may prevent ping traffic from passing, but allow NTP (or vice versa).

What are the debug(s) telling you? The Linuxes and Cisco's Windows? Obviously, did you enable NTP on the appropriate interfaces?

debug ntp packets

(and turn on "term mon" to see what happens on your Cisco; when finished turn it off --> term no mon & no debug all)

show ntp associations

ping ntp server ip address

debug ntp packet

Good luck!
