HPE 1920 Switch: Vulnerability NTP Mode 6 Scanner Error Message

Problem:

A vulnerability scanner reports an NTP mode 6 error message for the switch.



Diagnostics:

Device: HPE 1920 Switch JG927A
Firmware: 5.20.99 Release 1120



Solution:

Configure NTP access control

You can control NTP access by using an ACL. The access rights are in the following order, from least restrictive to most restrictive:

Peer—Allows time requests and NTP control queries (such as alarms, authentication status, and time server information) and allows the local device to synchronize itself to a peer device.

Server—Allows time requests and NTP control queries, but does not allow the local device to synchronize itself to a peer device.

Synchronization—Allows only time requests from a system whose address passes the access list criteria.

Query—Allows only NTP control queries from a peer device to the local device.

 

The device processes an NTP request, as follows:

· If no NTP access control is configured, peer is granted to the local device and peer devices.

· If the IP address of the peer device matches a permit statement in an ACL for more than one access right, the least restrictive access right is granted to the peer device. If a deny statement or no ACL is matched, no access right is granted.

· If no ACL is created for a specific access right, the associated access right is not granted.

· If no ACL is created for any access right, peer is granted.

This feature provides minimal security for a system running NTP. A more secure method is NTP authentication.

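Example ACL: allow only a specific network to synchronize with NTP. Because synchronization is the only access right bound to an ACL here, the rules above leave NTP control queries (mode 6) not granted to any host.

acl number 2001
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 5 deny source any
 quit

# Back in system view, bind the ACL to the synchronization access right.
ntp-service access synchronization 2001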
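The request-processing rules and the example ACL above, modeled in Python as an added example (not HPE's code and not part of the original article). The function names are hypothetical, evaluating rules in ascending rule-ID order is an assumption, and a bound ACL with no rules is assumed to match nothing.

```python
import ipaddress

# Access rights in the page's order, least restrictive first.
RIGHTS = ["peer", "server", "synchronization", "query"]
# Per the page, every right except synchronization permits NTP control queries.
CONTROL_QUERY_RIGHTS = {"peer", "server", "query"}

def wildcard_match(addr, base, wildcard):
    """ACL wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(rules, addr):
    """First matching rule wins, lowest rule ID first (assumed match order).
    rules: list of (rule_id, action, base, wildcard). None means no match."""
    for _, action, base, wildcard in sorted(rules):
        if wildcard_match(addr, base, wildcard):
            return action
    return None

def granted_right(bindings, acls, addr):
    """bindings maps an access right to the ACL number bound to it."""
    if not bindings:
        return "peer"  # no NTP access control configured: peer is granted
    for right in RIGHTS:  # least restrictive permitted right is granted
        acl = bindings.get(right)
        if acl is not None and acl_action(acls.get(acl, []), addr) == "permit":
            return right
    return None  # deny statement matched, or nothing matched

def answers_control_queries(right):
    return right in CONTROL_QUERY_RIGHTS

# Constructed model of the example configuration on this page.
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {2001: [(0, "permit", "192.168.1.0", "0.0.0.255"), (5, "deny", *ANY)]}
BINDINGS = {"synchronization": 2001}

if __name__ == "__main__":
    for host in ("192.168.1.10", "10.0.0.5"):
        before = granted_right({}, ACLS, host)
        after = granted_right(BINDINGS, ACLS, host)
        print(host, "before:", before, answers_control_queries(before),
              "after:", after, answers_control_queries(after))
```

The "before" column shows why an unconfigured device is flagged: every source is granted peer, which includes control queries.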


NTP authentication configuration:

# Enable the NTP service.
<DeviceB> system-view
[DeviceB] ntp-service enable

# Enable NTP authentication on Device B.
[DeviceB] ntp-service authentication enable

# Set an authentication key, and input the key in plain text.
[DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 simple aNiceKey

# Specify the key as a trusted key.
[DeviceB] ntp-service reliable authentication-keyid 42

# Specify Device A as the NTP server of Device B, and associate the server with key 42.
[DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42

Version history: Revision 1 of 1. Last update: 05-01-2019 08:12 AM