Profile Applicability: 

Level 2

Description

TCP ports 20 and 21 are used for FTP (File Transfer Protocol) to transfer files over a network. Allowing unrestricted inbound access to these ports from 0.0.0.0/0 (IPv4) or ::/0 (IPv6) exposes EC2 instances to unauthorized access attempts, brute-force attacks, and potential data theft. Restricting access to these ports enhances the security of EC2 instances and prevents misuse of FTP services.

Rationale

  • Enhanced Security: Prevents unauthorized access to FTP services.

  • Risk Mitigation: Reduces vulnerabilities to brute-force attacks and data theft.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Protects sensitive data transferred via FTP from unauthorized access.

  • Minimizes the risk of brute-force attacks on FTP services.

  • Enhances compliance with security and operational standards.

Cons:

  • May disrupt legitimate FTP workflows if not properly reconfigured.

  • Requires the use of secure alternatives such as SFTP (SSH File Transfer Protocol).

Default Value

By default, security groups may allow unrestricted access to ports 20 and 21 unless explicitly restricted.

Pre-Requisite

IAM Permissions:

  • ec2:DescribeSecurityGroups

  • ec2:RevokeSecurityGroupIngress

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups allowing ingress to ports 20 or 21 from 0.0.0.0/0 or ::/0.

Using AWS CLI:

Identify Ingress Rules Allowing Public Access:

aws ec2 describe-security-groups --query 'SecurityGroups[?length(IpPermissions[?IpProtocol==`"tcp"` && FromPort<=`21` && ToPort>=`20` && (contains(IpRanges[].CidrIp, `"0.0.0.0/0"`) || contains(Ipv6Ranges[].CidrIpv6, `"::/0"`))]) > `0`].[GroupId,GroupName]' --output table

The query is wrapped in single quotes so the shell does not treat the JMESPath backtick literals as command substitution, and the filter matches any TCP rule whose port range includes 20 or 21 (for example 0-1024), not only rules that start at those ports. Rules with IpProtocol -1 (all traffic) carry no port fields and must be reviewed separately.

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups with rules allowing ingress to ports 20 or 21.

  5. Edit the security groups:

    • Go to the Inbound rules section.

    • Click the Edit inbound rules option.

    • Remove the rules allowing ingress from 0.0.0.0/0 or ::/0.

    • Restrict access to trusted IP ranges, or remove the rule entirely if FTP is not required.

  6. Save the changes.

Using AWS CLI:

Revoke Insecure Ingress Rules:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=20,ToPort=20,Ipv6Ranges=[{CidrIpv6=::/0}]'
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=21,ToPort=21,Ipv6Ranges=[{CidrIpv6=::/0}]'

The --cidr option accepts only IPv4 ranges, so IPv6 sources are revoked through --ip-permissions. A revoke call must match the existing rule exactly (protocol, port range and source); a rule that opens a wider range covering port 20 or 21 must be revoked with that same range.

Add Secure Rules for Specific IP Ranges (if FTP access is necessary):

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr <trusted-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr <trusted-cidr>
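The following Python is an added example, not part of this benchmark or of any AWS tooling. It audits security-group JSON in the shape returned by describe-security-groups, treats any TCP range that includes port 20 or 21 (and all-traffic -1 rules) as in scope, and renders a revoke call that strips only the 0.0.0.0/0 or ::/0 source while leaving trusted CIDRs on the same rule untouched. The group IDs and CIDRs in SAMPLE_GROUPS are constructed.

```python
import json

FTP_PORTS = (20, 21)
PUBLIC_V4, PUBLIC_V6 = "0.0.0.0/0", "::/0"

def covers_ftp(perm: dict) -> bool:
    """True if the rule's protocol and port range include TCP 20 or 21 ("-1" = all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto != "tcp" or lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in FTP_PORTS)

def find_public_ftp_rules(groups: list) -> list:
    """One finding per (group, public CIDR); each carries the IpPermissions fields a revoke needs."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_ftp(perm):
                continue
            base = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                base.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
            if any(r.get("CidrIp") == PUBLIC_V4 for r in perm.get("IpRanges", [])):
                findings.append({"GroupId": sg["GroupId"], "Permission": {**base, "IpRanges": [{"CidrIp": PUBLIC_V4}]}})
            if any(r.get("CidrIpv6") == PUBLIC_V6 for r in perm.get("Ipv6Ranges", [])):
                findings.append({"GroupId": sg["GroupId"], "Permission": {**base, "Ipv6Ranges": [{"CidrIpv6": PUBLIC_V6}]}})
    return findings

def revoke_command(finding: dict) -> str:
    """Render the CLI call that removes only the public source, leaving trusted CIDRs in place."""
    perms = json.dumps([finding["Permission"]], separators=(",", ":"))
    return f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} --ip-permissions '{perms}'"

# Constructed sample shaped like `aws ec2 describe-security-groups` output (IDs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # wide range: an exact FromPort==21 check misses it
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # public SSH only: out of scope for this check
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
```

Feed it the output of `aws ec2 describe-security-groups --output json` (the SecurityGroups list) and review each rendered command before running it; sg-0bbb shows why a range-aware check matters.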

Backout Plan:

Using AWS Console:

  1. Re-enable access by adding specific ingress rules as needed for trusted IP ranges.

  2. Monitor and document the access for compliance and security purposes.

Using AWS CLI:

Restore Required Access:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr <specific-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr <specific-cidr>

References:

CIS Controls:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | |
v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | |
v7 | 9.1 | Limit Exposure to External Networks – Use techniques like disabling unnecessary ingress rules. | | |