The ntp seems to be operating normally.
"If we are running in authenticated mode, we only trust frames which have
authentication attached, which are validated and which are using one of our trusted keys.
We respond to all other pollers without saving any state. If a host we are passively peering
with changes his key from a trusted one to an untrusted one, we immediately unpeer with him,
reselect the clock and treat him as an unmemorable client.
If a similar event occurs with a configured peer we drop the frame and hope he'll revert to
our key again. If we get a frame which can't be authenticated with the given key, we drop it."
So the server is protected against unsynchronized time from an untrusted host peer, and if you want the server to drop
NTP packets from other hosts, you might try putting a key at the end of the ntp server
statement.
ntp server 192.168.1.1 key 1
Hopefully the NTP master would drop any frame from
any host that has the right key but is not authenticating.
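
A simplified model of the decision rules in the quoted passage, added here as an illustration; it is not ntpd or router code. The key table, the action names and `classify()` are hypothetical, and the MAC layout assumed is the classic NTP symmetric-key format (4-byte key ID followed by an MD5 digest over secret plus header).

```python
import hashlib
import hmac
import struct

# Constructed key table (key ID -> secret); only IDs in TRUSTED are trusted keys.
KEYS = {1: b"constructed-secret-1", 2: b"constructed-secret-2"}
TRUSTED = {1}
HEADER_LEN = 48  # fixed NTP header; the MAC follows as key ID (4) + MD5 digest (16)
SAMPLE_HEADER = b"\x1b" + bytes(47)  # constructed client-mode header

def make_frame(header, key_id, secret):
    """Build header + MAC, where digest = MD5(secret || header)."""
    digest = hashlib.md5(secret + header).digest()
    return header + struct.pack("!I", key_id) + digest

def classify(frame, sender):
    """Return the action for a frame; sender is 'configured', 'passive' or 'poller'."""
    header, mac = frame[:HEADER_LEN], frame[HEADER_LEN:]
    if len(header) != HEADER_LEN or len(mac) not in (0, 20):
        return "drop"  # malformed frame
    if not mac:
        # No authentication attached: never trusted, answered without state.
        # Assumption: applied to every sender kind, the quote names no exception.
        return "reply-stateless"
    key_id = struct.unpack("!I", mac[:4])[0]
    secret = KEYS.get(key_id)
    if secret is None:
        return "drop"  # cannot be authenticated with the given key
    expected = hashlib.md5(secret + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "drop"  # digest does not validate
    if key_id in TRUSTED:
        return "trust"
    # Valid digest, but the key is not one of our trusted keys.
    if sender == "passive":
        return "unpeer-reply-stateless"  # unpeer, reselect, treat as a client
    if sender == "configured":
        return "drop"  # wait for the peer to revert to our key
    return "reply-stateless"

if __name__ == "__main__":
    for kid, who in [(1, "configured"), (2, "passive"), (2, "configured")]:
        frame = make_frame(SAMPLE_HEADER, kid, KEYS[kid])
        print(f"key {kid} from {who} peer -> {classify(frame, who)}")
```

Only the first case lets the frame influence the clock; in every other case the sender is answered statelessly or ignored.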