We had an external scan on our IP ranges and some of our network equipment got flagged for some security issues.
Log from the scan:
Port ntp (123/udp)
NTP read variables
An NTP server is listening on the remote host.
An NTP (Network Time Protocol) server is listening on this port.
It provides information about the current date and time of the
remote system and may provide system information.
Risk factor :
Now, the risk factor is none, but they still want me to have a look.
I have only configured this in our router.
ntp clock-period 17180157
ntp peer 10.10.10.10
ntp server 192.xxx.x.xxx
ntp server 193.xxx.x.xxx
ntp server 193.xxx.x.xxx
Is there anything else that I can do to prevent external scans from finding out about my open NTP port on the router?
Will it even help if I do an "ntp access-group" setup? Or will external sources still see my open NTP server on my router?
Or is there some other tip out there for this?
You can set up an acl and allow only your servers that you're querying access to it.
ip access-list extended OUTSIDE
 permit udp host <ntp-server-ip> eq ntp any eq ntp
 ! one line per configured ntp server/peer; <ntp-server-ip> is a placeholder
 ! the implicit deny at the end drops all other inbound traffic, so put these
 ! lines into the inbound ACL you already have on the outside interface if any
interface FastEthernet4
 ! fa4 is the outside interface
 ip access-group OUTSIDE in
To increase the security of NTP you should use NTP authentication. That would also need to be enabled on the server, and this may not be an option if the servers are not under your control. NTP authentication will however not stop your router from responding to port scans on this port. Enabling access-lists in addition to NTP authentication will take care of port scans, as all NTP packets from sources you do not permit will be silently discarded.
An interesting source for all things security on a Cisco router can be found on the website of the NSA: http://www.nsa.gov/snac/routers/C4-040R-02.pdf
John has suggested one approach using access lists and access-group to apply the access list on an interface. And it would effectively prevent other machines from seeing NTP activity on your router. If you already have an access list assigned on the interface it would be easy to incorporate this logic into it.
There is another approach to securing NTP that would not involve an access list looking at every packet going through an interface but would only act on NTP traffic to the router. You can use ntp access-group to secure NTP traffic and only allow NTP from addresses that you specify. There is an ntp access-group peer which uses a standard access list to control from whom you learn NTP (this would be both ntp server and ntp peer addresses), and there is an ntp access-group serve-only which uses a standard access list to control to whom you will offer NTP (your ntp peer and any other machines that look to this router for NTP). This is a more targeted approach to securing NTP than using access lists applied to interfaces. Conceptually it is similar to the way that you can use access-class under the VTY to control who can access the router remotely, as a more efficient solution than using access lists on interfaces to control telnet or ssh access packets.
Thanks for all the help!
Rick, a follow up question regarding NTP access-groups.
Even if I used ntp access-groups, would outside scans still reveal my open NTP port in the summary?
I have a language problem when trying to figure out what the command option "serve" means.
Is it the same as NTP server?
"1. peer - Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.
2. serve - Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.
3. serve-only - Allows only time requests from a device whose address passes the access list criteria.
4. query-only - Allows only NTP control queries from a device whose address passes the access list criteria."
Thanks so much!
I do not know how the scan identifies active or listening ports. Does it send a packet on that port and listen for a response? In that case I would think that the ntp access-group would prevent the scan from reporting your router. Or does the scan send a packet on that port and listen for the "port unreachable" response? In that case I am not clear whether the ntp access-group would prevent your router being listed or not.
I agree that the language is difficult to understand. In my experience any address that you have configured in ntp server
Here is a sample config on how to secure your router. Replace x.x.x.x with your public IP range on your inside interface of your router.
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 deny any
access-list 11 permit 184.108.40.206
access-list 11 permit 220.127.116.11
ntp access-group peer 11
ntp access-group serve-only 10
ntp master 3
ntp server 18.104.22.168
ntp server 22.214.171.124 prefer
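As an added illustration that is not part of any post above, the following Python model applies the four ntp access-group types as quoted from the IOS documentation earlier in the thread to the sample config just shown, so you can check which sources get time, which get control queries answered, and which are silently discarded. It assumes 203.0.113.0/24 in place of x.x.x.x and that IOS evaluates the groups in the order peer, serve, serve-only, query-only with the first match winning (documented behaviour, treated here as an assumption of the model).

```python
import ipaddress

# Cisco standard ACL modelled as ordered (action, address, wildcard) entries.
def acl_permits(acl, src):
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wildcard))
        if (s | w) == (a | w):          # bits set in the wildcard are "don't care"
            return action == "permit"
    return False                        # implicit deny at the end of every ACL

# What each ntp access-group type allows, per the IOS documentation quoted in the thread.
RIGHTS = {
    "peer":       {"time", "control", "sync"},
    "serve":      {"time", "control"},
    "serve-only": {"time"},
    "query-only": {"control"},
}
# IOS scans the groups from least to most restrictive and the first match wins
# (documented IOS behaviour, stated here as an assumption of this model).
ORDER = ("peer", "serve", "serve-only", "query-only")

def ntp_decision(groups, acls, src, kind):
    """Return (answered, may_sync) for a packet of kind 'time' or 'control' from src."""
    for name in ORDER:
        if name in groups and acl_permits(acls[groups[name]], src):
            return (kind in RIGHTS[name], "sync" in RIGHTS[name])
    return (False, False)               # no group admits src: packet silently discarded

def scan_sees_ntp(groups, acls, scanner_ip):
    """The scanner's 'NTP read variables' probe is an NTP control query (mode 6 readvar)."""
    return ntp_decision(groups, acls, scanner_ip, "control")[0]

# The sample config from the thread; 203.0.113.0/24 stands in for x.x.x.x (constructed).
ACLS = {
    10: [("permit", "203.0.113.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")],
    11: [("permit", "184.108.40.206", "0.0.0.0"), ("permit", "220.127.116.11", "0.0.0.0")],
}
GROUPS = {"peer": 11, "serve-only": 10}

if __name__ == "__main__":
    for src, kind in [("184.108.40.206", "time"), ("203.0.113.25", "time"),
                      ("203.0.113.25", "control"), ("198.51.100.9", "control")]:
        print(src, kind, ntp_decision(GROUPS, ACLS, src, kind))
```

With this config an inside host gets time but no answer to control queries, the two configured servers get everything and may be synced to, and an outside scanner's read-variables probe is dropped.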
It is my understanding that if you have ntp master configured, you must also have peer access to source 127.127.7.1. The NTP master command creates 127.127.7.1, to which the local router synchronises to.