Cisco Support Community
Community Member

Locking Down NTP

We got an email stating one of our Cisco routers was an open NTP server.

The router only needs to be able to sync its time with an internet based time server. It does not need to serve its time to anyone else. So I did the following:

access-list 30 permit

access-list 30 deny any

access-list 40 deny any

ntp access-group peer 30

ntp access-group serve-only 40

ntp access-group query-only 40

ntp server

Now I can see heaps of hits against the deny entry. However, when I use an online tool like: it can still see my NTP server details (exactly the same amount as if I remove the access-groups), which means it must be responding to the NTP query. I don't have an access-list on my outside interface, so I would prefer not to do it that way. But have I done enough to block the NTP security risk?

Community Member

Locking Down NTP

Just had them retest, they are saying the NTP server is still open.

Community Member

Re: Locking Down NTP


is this IOS XE running on the router in question? I've got a similar problem with 4500Xs running IOS XE and configured with just an access-group peer statement actually responding to ntpq -p, while it isn't responding to regular time queries (ntpdate -d). That's apparently a bug, given the ACL in question counts these queries on the deny all ACE, but answers come back anyway. My thread didn't get replies so far, just one me too vote.



Re: Locking Down NTP


The below config helped me resolve a similar issue raised by our external pen testing firm....


access-list 30 remark PUBLIC NTP SERVERS

access-list 30 permit x.x.x.x

access-list 30 permit y.y.y.y


ntp access-group peer 30

ntp max-associations 2

ntp server x.x.x.x

ntp server y.y.y.y




Community Member

Re: Locking Down NTP

MS, my config was exactly the same as yours except I had deny anys at the bottom of my ACLs; removed those and still the same thing.

Can you try testing it yourself? If you go to this website and put in your IP address, you should get no reply. However, I am still seeing all my NTP information being able to be retrieved even though that website is not in the permitted ACL.

Andre, this is not XE, it's IOS 15.2. Does seem like a bug.

I just tested this the other way:

Extended IP access list 100

    permit ip host any

    deny udp any any eq ntp (45 matches)

    permit ip any any (2276 matches)

and put that on the outside interface. Now the NTP internet test cannot query the NTP. So I believe this is a bug with the NTP access-group command. It doesn't seem to have any effect.

Would be good for an official word on this, putting an ACL on the outside interface is not an ideal solution.
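The distinction that matters for the retests in this thread is which kind of NTP packet the checker sends. A plain mode 3 client request (what `ntpdate -d` and normal time sync use) is what `ntp access-group serve-only` governs on IOS; a mode 6 control query (what `ntpq -p` and `ntpq -c rv` use, and what returns "NTP server details" such as version, stratum and refid) is what `ntp access-group query-only` governs, with `peer` allowing both. The script below is an added example, not code from the thread, from Cisco or from the online tool mentioned; it builds both request types, decodes the replies, and reports which one a host answers, so the router can be tested directly rather than through a website. It assumes UDP/123 is reachable from where it runs and reads only the first fragment of a control response. The sample replies, their field values and the addresses in them are constructed for the offline checks and are not captured from any real device.

```python
"""Probe an NTP host the way an "open NTP server" checker does.

Added example (not from the thread). Sends a mode 3 client request and a
mode 6 READVAR control query and decodes the replies. Sample replies below
are constructed, not captured from any real host.
"""
import socket
import struct
import sys

NTP_PORT = 123


def build_client_request(version: int = 4) -> bytes:
    """48-byte mode 3 packet: LI=0, VN=version, mode=3, rest zero."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + b"\x00" * 47


def build_control_readvar(version: int = 2, seq: int = 1) -> bytes:
    """Mode 6 READVAR (opcode 2) for association 0 = system variables.

    Header (RFC 1305 appendix B): LI/VN/mode, R/E/M+opcode, sequence,
    status, association id, offset, count. A request carries no data.
    """
    first = (0 << 6) | (version << 3) | 6
    return struct.pack("!BBHHHHH", first, 2, seq, 0, 0, 0, 0)


def parse_mode(pkt: bytes) -> int:
    return pkt[0] & 0x07


def parse_client_reply(pkt: bytes) -> dict:
    """Decode the fields of a mode 4 (server) reply a scanner would report."""
    if len(pkt) < 48 or parse_mode(pkt) != 4:
        raise ValueError("not an NTP server reply")
    first, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    refid = pkt[12:16]
    # Stratum 0/1: 4-char ASCII kiss code / clock id; otherwise the IPv4
    # address of the upstream source (IPv6 sources appear as a hash).
    refid_txt = (refid.decode("ascii", "replace").rstrip("\x00")
                 if stratum <= 1 else socket.inet_ntoa(refid))
    return {"version": (first >> 3) & 0x07, "stratum": stratum,
            "poll": poll, "precision": precision, "refid": refid_txt}


def _split_vars(text: str) -> list:
    """Split 'k=v, k="a,b"' on commas that are outside double quotes."""
    items, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return items


def parse_control_reply(pkt: bytes) -> dict:
    """Decode the variable list of a mode 6 response (first fragment only)."""
    if len(pkt) < 12 or parse_mode(pkt) != 6:
        raise ValueError("not an NTP control reply")
    _first, remo, _seq, _status, _assoc, _offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    if not remo & 0x80:
        raise ValueError("R bit clear: this is a request, not a response")
    if remo & 0x40:
        raise ValueError("E bit set: server answered with an error")
    data = pkt[12:12 + count].decode("ascii", "replace")
    out = {}
    for item in _split_vars(data):
        if "=" in item:
            key, val = item.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send both requests; each value is the decoded reply or None on timeout."""
    result = {}
    for name, req, parser in (("client", build_client_request(), parse_client_reply),
                              ("control", build_control_readvar(), parse_control_reply)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(req, (host, NTP_PORT))
            try:
                data, _ = sock.recvfrom(2048)
                result[name] = parser(data)
            except socket.timeout:
                result[name] = None
    return result


# Constructed sample replies for offline checks (not from any real host).
SAMPLE_CLIENT_REPLY = (bytes([0x24, 2, 6, 0xE9])    # v4, mode 4, stratum 2
                       + b"\x00" * 8                 # root delay / dispersion
                       + bytes([192, 168, 1, 1])     # refid = upstream IPv4
                       + b"\x00" * 32)               # timestamps
_CTRL_DATA = b'version="ntpd 4.2.8p15", stratum=2, refid=192.168.1.1, leap=00'
SAMPLE_CONTROL_REPLY = struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0, 0, 0, len(_CTRL_DATA)) + _CTRL_DATA

if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python3 ntpprobe.py <router-ip>` from outside the permitted ACL range. A router that should only synchronize with upstream servers ought to return `None` for both entries; a `control` entry holding a populated variable list is exactly the exposure an "open NTP server" report is describing, regardless of whether the `client` probe is answered.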

Community Member

Locking Down NTP

Well here we go, this is the issue:

IOS bug!!

fixed in 15.4
