Cisco Support Community
Community Member

Disable NTP Readvar Queries

We have a vulnerability that requires we "disable NTP readvar queries" on a Cisco ASR with IOS v15.1.

Not sure how to go about this. The report recommends that we add "restrict default mask noquery" to the file: /etc/ntp.conf.

We can't find this file (/etc/ntp.conf) on the Cisco ASR router.

Will appreciate some help. Thanks in advance.

Community Member

I know this is a 3-month-old post BUT, I got the same report from our security office. The remediation steps apply to Linux hosts, not really to routers. I just restricted NTP to only the NTP servers we use. I created an ACL with the hosts in it, then used ntp access-group peer ACL. That should stop it from responding to queries or control from NTP servers other than the ones in the ACL and sync time with them.
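
The approach described in the reply above, written out as an IOS configuration. This is an added example, not part of the original post; the server addresses (192.0.2.10, 192.0.2.11) and ACL number 10 are placeholders.

```cisco
! Constructed example: 192.0.2.10 and 192.0.2.11 stand in for your NTP servers,
! and ACL number 10 is an arbitrary choice. Substitute your own values.
configure terminal
 ! Standard ACL that lists only the upstream NTP servers.
 ! Everything else falls through to the implicit deny.
 access-list 10 remark Trusted upstream NTP servers
 access-list 10 permit host 192.0.2.10
 access-list 10 permit host 192.0.2.11
 !
 ntp server 192.0.2.10
 ntp server 192.0.2.11
 !
 ! Grant "peer" access (time sync, time requests, control queries) to ACL 10 only.
 ! Once any ntp access-group is configured, sources that match no group get no access.
 ntp access-group peer 10
end
!
! Confirm the router still synchronises with the listed servers.
show ntp associations
show ntp status
show access-lists 10
!
! From a host that is not in ACL 10, "ntpq -c rv <router-address>" should now time out.
```

Re-run the vulnerability scan from the scanner's usual address afterwards; the readvar finding should clear only if that address is not permitted by the ACL.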

Community Member

Thank you for your advice, it worked like a charm and the vulnerability is gone.
