We got an email stating one of our Cisco routers was an open NTP server.
The router only needs to be able to sync its time with an internet-based time server. It does not need to serve its time to anyone else. So I did the following:
access-list 30 permit 188.8.131.52 0.0.0.0
access-list 30 deny any
access-list 40 deny any
ntp access-group peer 30
ntp access-group serve-only 40
ntp access-group query-only 40
ntp server 184.108.40.206
Now I can see heaps of hits against the deny entry. However, when I use an online tool like:
http://keetweej.vanheusden.com/query_ntp.php it can still see my NTP server details (exactly the same amount as if I remove the access-groups), which means it must be responding to the NTP query. I don't have an access-list on my outside interface, so I would prefer not to do it that way. But have I done enough to block the NTP security risk?
Is this IOS XE running on the router in question? I've got a similar problem with 4500Xs running IOS XE and configured with just an access-group peer statement actually responding to ntpq -p, while it isn't responding to regular time queries (ntpdate -d). That's apparently a bug, given the ACL in question counts these queries on the deny-all ACE, but answers come back anyway. My thread didn't get replies so far, just one "me too" vote.