Unrestricted Inbound Traffic on Remote Server Administration Ports

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: VPC-017

Check your Amazon VPC Network Access Control Lists (NACLs) for inbound/ingress rules that allow unrestricted traffic (i.e. source 0.0.0.0/0, or ::/0 for IPv6) on TCP ports 22 (SSH) and 3389 (RDP), and limit access to trusted IP addresses or IP ranges only, in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface at the subnet level. TCP port 22 (Secure Shell – SSH) is used for remote login by connecting an SSH client application with an SSH server. TCP port 3389 (Remote Desktop Protocol – RDP) is used for remote GUI login to Windows instances by connecting an RDP client application with an RDP server. Because NACL rules are evaluated in ascending rule-number order (first match wins), an ALLOW rule from 0.0.0.0/0 whose port range merely includes 22 or 3389, or whose protocol is set to All traffic, exposes these ports just as an exact-port rule does.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Exposing TCP ports 22 (SSH) and 3389 (RDP) to the Internet invites port scanning, brute-force and credential-stuffing attacks against the login services, and exploitation of any vulnerability in the SSH or RDP server software, therefore it is strongly recommended to configure your Network Access Control Lists (NACLs) to limit inbound traffic on remote server administration ports 22 and 3389 to known and trusted IP addresses only. A NACL is only one layer of the control: the security groups attached to the instances must restrict these ports as well, and because NACLs are stateless, the return traffic to the client's ephemeral ports still needs a matching outbound ALLOW rule.


Audit

To determine if your Network ACLs (NACLs) allow unrestricted inbound traffic on TCP ports 22 and 3389, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL that you want to examine.

05 Choose the Inbound Rules tab from the console bottom panel to access the inbound/ingress rules created for the selected NACL.

06 Check the CIDR value available in the Source column for any ALLOW inbound rules with the Port range set to 22 and/or 3389, with a port range that includes 22 or 3389, or with the Type set to All traffic. If one or more rules with this port configuration have the Source value set to 0.0.0.0/0 (i.e. Anywhere) or ::/0 (Anywhere-IPv6), and no lower-numbered DENY rule from the same source covers that port, the selected Network ACL (NACL) allows unrestricted traffic on TCP port 22 and/or 3389, therefore the remote server administration access to the VPC subnets associated with your NACL is not restricted.

07 Repeat steps no. 4 – 6 for other Network ACLs available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) using custom query filters to list the ID of each Network ACL (NACL) in the selected AWS region that has at least one TCP entry (IP protocol number 6):

        aws ec2 describe-network-acls \
        --region us-east-1 \
        --output table \
        --query 'NetworkAcls[*].NetworkAclId' \
        --filters Name=entry.protocol,Values=6
        

02 The command output should return a table with the requested NACL IDs:

        -------------------------------
        |     DescribeNetworkAcls     |
        +-----------------------------+
        |    acl-0abcd1234abcd1234    |
        |    acl-01234abcd1234abcd    |
        +-----------------------------+
        

03 Run describe-network-acls command (OSX/Linux/UNIX) using an ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the inbound ALLOW rules defined for the selected NACL:

        aws ec2 describe-network-acls \
        --region us-east-1 \
        --network-acl-ids acl-0abcd1234abcd1234 \
        --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []'
        

04 The command output should return the requested rules information:

        [
          {
            "RuleNumber": 100,
            "Protocol": "6",
            "PortRange": {
              "To": 22,
              "From": 22
            },
            "Egress": false,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0"
          },
          {
            "RuleNumber": 200,
            "Protocol": "6",
            "PortRange": {
              "To": 3389,
              "From": 3389
            },
            "Egress": false,
            "RuleAction": "allow",
            "CidrBlock": "0.0.0.0/0"
          }
        ]
        

Each JSON object returned by the describe-network-acls command output represents an inbound ALLOW rule. Check the "CidrBlock" attribute value (or "Ipv6CidrBlock" for IPv6 rules) for any ALLOW inbound rules whose "PortRange" is set to 22 and/or 3389, whose "PortRange" spans 22 or 3389 (e.g. "From": 0, "To": 65535), or whose "Protocol" is "-1" (all traffic, in which case no "PortRange" is returned). If one or more rules with this port configuration have the "CidrBlock" value set to "0.0.0.0/0" (i.e. Anywhere), as shown in the output example above, or the "Ipv6CidrBlock" value set to "::/0", the selected Network ACL (NACL) allows unrestricted traffic on TCP port 22 and/or 3389, therefore the remote server administration access to the VPC subnets associated with your NACL is not restricted. To be certain the rule is effective, also check that no lower-numbered DENY rule for the same source and port precedes it: the query above returns only ALLOW rules, so drop the RuleAction filter to see the DENY rules that take precedence.

05 Repeat step no. 3 and 4 for other Network ACLs available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To reconfigure your non-compliant Amazon VPC Network ACLs (NACLs) in order to allow remote server administration access from trusted entities only (i.e. authorized IP addresses and IP ranges), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under SECURITY section, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to reconfigure.

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, perform the following operations:

  1. Choose the ALLOW rule that allows unrestricted traffic on TCP port 22/3389 and change the following attributes:
    • In the Source configuration box, enter the IP address of the authorized host in CIDR notation, e.g. 10.0.0.5/32, or the IP address range of the permitted network/subnetwork in CIDR notation, for example 10.0.5.0/24.
    • Select Allow from the Allow/Deny dropdown list to allow the inbound/ingress traffic from the trusted source configured at the previous step.
  2. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow unrestricted remote server administration access, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the inbound/ingress rules that allow unrestricted traffic on TCP port 22/3389. The following command example replaces a non-compliant inbound ALLOW rule, identified by the rule number 100, with a compliant (secure) rule that allows access on TCP port 22 (SSH) from a trusted host only (e.g. 10.0.0.5/32), within a Network ACL identified by the ID acl-0abcd1234abcd1234. Reusing the rule number keeps the rule's position in the evaluation order. If the non-compliant rule covers more than the administration port (a wider port range or protocol All), narrow it to the other traffic it must still carry instead, and add separate single-port rules for 22/3389 as in step 02 (the command does not produce an output):

        aws ec2 replace-network-acl-entry \
        --region us-east-1 \
        --network-acl-id acl-0abcd1234abcd1234 \
        --ingress \
        --rule-number 100 \
        --protocol tcp \
        --port-range From=22,To=22 \
        --cidr-block 10.0.0.5/32 \
        --rule-action allow
        

02 (Optional) To create additional inbound ALLOW rules for TCP port 22 and/or 3389 within your Network ACL (NACL), for example one rule per trusted source, run create-network-acl-entry command (OSX/Linux/UNIX). The rule number must be unused within the NACL's inbound rules and lower than any DENY rule that would otherwise match the same traffic, because the first matching rule wins. The following command example creates an inbound rule with the identification number set to 150, that allows remote server administration access on TCP port 3389 (RDP) from an authorized host only, within a NACL identified by the ID acl-0abcd1234abcd1234 (the command does not return an output):

        aws ec2 create-network-acl-entry \
        --region us-east-1 \
        --network-acl-id acl-0abcd1234abcd1234 \
        --ingress \
        --rule-number 150 \
        --protocol tcp \
        --port-range From=3389,To=3389 \
        --cidr-block 10.0.0.20/32 \
        --rule-action allow
        

03 Repeat steps no. 1 and 2 to reconfigure other Network ACLs that allow unrestricted remote server administration access, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
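The Audit and Remediation steps above are applied by hand, one NACL at a time. The script below is an added example (it is not Conformity's code and not part of the original page) that evaluates the same condition offline over the JSON returned by describe-network-acls and then drafts the replace-network-acl-entry / create-network-acl-entry calls for the trusted sources. It goes beyond the exact-port match in the steps: it walks the inbound rules in ascending rule-number order, treats protocol "-1" and wide port ranges as covering the administration ports, checks ::/0 as well as 0.0.0.0/0, and honours a lower-numbered DENY that shadows an open ALLOW. The NACL IDs, rule numbers, CIDRs and region are constructed sample values; the helper names are the example's own.

```python
"""Offline VPC-017 evaluator over `aws ec2 describe-network-acls` JSON.
Added example, not Conformity's code. Sample data below is constructed."""
import json

ADMIN_PORTS = (22, 3389)
CATCH_ALL = {"CidrBlock": "0.0.0.0/0", "Ipv6CidrBlock": "::/0"}
MAX_USER_RULE = 32766  # 32767 is the implicit deny-all rule shown as "*"

SAMPLE = {"NetworkAcls": [
    {"NetworkAclId": "acl-0abcd1234abcd1234", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 200, "Protocol": "6", "PortRange": {"From": 3389, "To": 3389},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 300, "Protocol": "6", "PortRange": {"From": 443, "To": 443},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "Egress": False,
         "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    ]},
    {"NetworkAclId": "acl-01234abcd1234abcd", "Entries": [
        # Rule 90 is evaluated before rule 100, so port 22 is NOT open over
        # IPv4 here; rule 100 (all TCP ports) still opens 3389.
        {"RuleNumber": 90, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
         "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "6", "PortRange": {"From": 0, "To": 65535},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        # "All traffic" from ::/0 opens both ports over IPv6.
        {"RuleNumber": 110, "Protocol": "-1", "Egress": False,
         "RuleAction": "allow", "Ipv6CidrBlock": "::/0"},
        # Restricted to one /24: compliant, must not be reported.
        {"RuleNumber": 120, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "203.0.113.0/24"},
    ]},
]}


def covers_tcp_port(entry, port):
    """True if the entry matches TCP traffic to `port` ("-1" = all protocols)."""
    if entry["Protocol"] == "-1":
        return True
    if entry["Protocol"] != "6":
        return False
    pr = entry.get("PortRange", {"From": 0, "To": 65535})
    return pr["From"] <= port <= pr["To"]


def internet_verdict(entries, port, cidr_key):
    """First-match evaluation for an inbound TCP packet to `port` from an
    arbitrary Internet address: only catch-all rules can match such a source,
    so the lowest-numbered catch-all rule covering the port decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] or e.get(cidr_key) != CATCH_ALL[cidr_key]:
            continue
        if covers_tcp_port(e, port):
            return e["RuleAction"], e["RuleNumber"]
    return "deny", None  # no explicit match: implicit deny


def find_exposed(describe_output):
    """(acl_id, port, cidr_key, rule_number) for every admin port open to the Internet."""
    findings = []
    for acl in describe_output["NetworkAcls"]:
        for port in ADMIN_PORTS:
            for cidr_key in CATCH_ALL:
                action, rule = internet_verdict(acl["Entries"], port, cidr_key)
                if action == "allow":
                    findings.append((acl["NetworkAclId"], port, cidr_key, rule))
    return findings


def plan_remediation(acl, rule_number, port, cidr_key, trusted_cidrs, region="us-east-1"):
    """CLI calls that narrow one single-port open rule to `trusted_cidrs`.
    Extra sources take free rule numbers from the gap right after the
    offending rule, so they keep its place in the evaluation order. Rules
    broader than the admin port are left for manual splitting."""
    entry = next(e for e in acl["Entries"] if not e["Egress"] and e["RuleNumber"] == rule_number)
    pr = entry.get("PortRange")
    if entry["Protocol"] != "6" or pr is None or (pr["From"], pr["To"]) != (port, port):
        return [f"# rule {rule_number} in {acl['NetworkAclId']} is broader than TCP/{port}: split it manually"]
    used = {e["RuleNumber"] for e in acl["Entries"] if not e["Egress"]}
    later = [n for n in used if n > rule_number]
    free = list(range(rule_number + 1, min(later) if later else MAX_USER_RULE + 1))
    if len(free) < len(trusted_cidrs) - 1:
        raise ValueError(f"only {len(free)} free rule numbers after {rule_number}; renumber first")
    flag = "--cidr-block" if cidr_key == "CidrBlock" else "--ipv6-cidr-block"
    common = (f"--region {region} --network-acl-id {acl['NetworkAclId']} --ingress "
              f"--protocol tcp --port-range From={port},To={port} --rule-action allow")
    cmds = [f"aws ec2 replace-network-acl-entry {common} --rule-number {rule_number} {flag} {trusted_cidrs[0]}"]
    for n, cidr in zip(free, trusted_cidrs[1:]):
        cmds.append(f"aws ec2 create-network-acl-entry {common} --rule-number {n} {flag} {cidr}")
    return cmds


if __name__ == "__main__":
    print(json.dumps(find_exposed(SAMPLE), indent=2))
    acl = SAMPLE["NetworkAcls"][0]
    print("\n".join(plan_remediation(acl, 100, 22, "CidrBlock", ["10.0.0.5/32", "10.0.5.0/24"])))
```

To run it against a real account, replace SAMPLE with `json.load(open("nacls.json"))` where the file was written by `aws ec2 describe-network-acls --region us-east-1 --output json > nacls.json`, and review the drafted commands before executing them; the planner deliberately refuses to rewrite a rule that carries more than the administration port.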

Publication date Jun 29, 2021