Profile Applicability:
- Level 1
Description:
This check ensures that no EC2 instances have security group rules that allow inbound traffic from the internet (0.0.0.0/0) to TCP port 23, which is commonly used by Telnet. Allowing ingress to this port from the internet poses a significant security risk.
Rationale:
Restricting access to TCP port 23 helps to protect instances from unauthorized access and potential exploitation. Telnet is an outdated and insecure protocol, and it is highly recommended to avoid using it in favor of secure alternatives like SSH.
Impact:
Positive Impact: Improved security by preventing unauthorized access to instances via Telnet.
Negative Impact: Potential disruption for services or applications that rely on public access to Telnet. Alternatives for secure access must be implemented.
Default Value:
By default, security groups do not allow inbound traffic to TCP port 23 from the internet. However, explicit security group rules may have been added.
Pre-Requisite:
IAM Permissions: Ensure the caller has permissions to view and modify security group rules (for example ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and, for the backout plan, ec2:AuthorizeSecurityGroupIngress).
AWS Services: EC2, Security Groups
Tools Required: AWS Management Console, AWS CLI
Remediation:
Test plan:
Using AWS Console:
Log in to the AWS Management Console.
Go to the EC2 console.
In the left navigation pane, choose Security Groups.
Search for security groups that allow inbound access to TCP port 23.
Select each security group and click Edit inbound rules.
Remove any rule that allows access from 0.0.0.0/0 to TCP port 23.
Click Save rules to apply the changes.
Using AWS CLI:
List Security Groups: Retrieve all security groups and their inbound rules:
aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName,Rules:IpPermissions}" --output json > /tmp/security-groups.json
Identify Groups with Port 23: Filter for security groups allowing ingress on TCP port 23 from the internet:
jq '[.[] | select(any(.Rules[]?; .IpProtocol == "tcp" and .FromPort == 23 and any(.IpRanges[]?; .CidrIp == "0.0.0.0/0")))]' /tmp/security-groups.json > /tmp/insecure-groups.json
Remove Ingress Rule: For each identified security group, remove the rule allowing access from 0.0.0.0/0 to TCP port 23:
SECURITY_GROUP_IDS=$(jq -r '.[].ID' /tmp/insecure-groups.json)
for SG_ID in $SECURITY_GROUP_IDS; do
  aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 23 --cidr 0.0.0.0/0
done
Implementation:
Using AWS Console:
Sign In: Log in to the AWS Management Console.
Navigate to EC2: Go to the EC2 console.
Select Security Groups: In the left navigation pane, choose Security Groups.
Filter by Port: Search for security groups that allow inbound access to TCP port 23.
Edit Inbound Rules: Select each security group and click Edit inbound rules.
Remove Ingress Rule: Remove any rule that allows access from 0.0.0.0/0 to TCP port 23.
Save Changes: Click Save rules to apply the changes.
Using AWS CLI:
List Security Groups: Retrieve all security groups and their inbound rules:
aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName,Rules:IpPermissions}" --output json > /tmp/security-groups.json
Identify Groups with Port 23: Filter for security groups allowing ingress on TCP port 23 from the internet:
jq '[.[] | select(any(.Rules[]?; .IpProtocol == "tcp" and .FromPort == 23 and any(.IpRanges[]?; .CidrIp == "0.0.0.0/0")))]' /tmp/security-groups.json > /tmp/insecure-groups.json
Remove Ingress Rule: For each identified security group, remove the rule allowing access from 0.0.0.0/0 to TCP port 23:
SECURITY_GROUP_IDS=$(jq -r '.[].ID' /tmp/insecure-groups.json)
for SG_ID in $SECURITY_GROUP_IDS; do
  aws ec2 revoke-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 23 --cidr 0.0.0.0/0
done
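The CLI audit above as a stand-alone script (an added example, not part of this benchmark page or the AWS CLI): it applies the same check offline to the JSON written by the describe-security-groups command (pass the file path as the first argument) or, with no argument, to the constructed sample embedded below. It deliberately goes beyond the exact-match jq filter and also flags port ranges that span 23, all-protocol ("-1") rules, and the IPv6 any-source range ::/0, which the page's filter would miss.

```python
import json
import sys

TELNET_PORT = 23
# Source ranges that mean "the whole internet" (IPv4 and IPv6).
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_exposes_telnet(rule):
    """True if one IpPermissions entry lets the internet reach TCP/23.

    Covers three shapes an exact FromPort == 23 match misses: port ranges
    spanning 23 (e.g. 20-25), "-1" rules (all protocols, no FromPort/ToPort
    keys) and IPv6 ::/0 sources."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        covers_port = True
    elif proto == "tcp":
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        covers_port = lo <= TELNET_PORT <= hi
    else:
        return False
    sources = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return covers_port and bool(sources & INTERNET_CIDRS)


def find_exposed_groups(groups):
    """Return [(GroupId, GroupName, [offending rules])] for a list shaped like
    the output of the page's describe-security-groups --query (ID/Name/Rules)."""
    findings = []
    for g in groups:
        bad = [r for r in g.get("Rules", []) if rule_exposes_telnet(r)]
        if bad:
            findings.append((g["ID"], g["Name"], bad))
    return findings


# Constructed sample (placeholder IDs) in the shape of /tmp/security-groups.json.
SAMPLE = [
    {"ID": "sg-0aaa", "Name": "web", "Rules": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"ID": "sg-0bbb", "Name": "legacy-telnet", "Rules": [{"IpProtocol": "tcp",
        "FromPort": 23, "ToPort": 23, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"ID": "sg-0ccc", "Name": "range-and-v6", "Rules": [{"IpProtocol": "tcp",
        "FromPort": 20, "ToPort": 25, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"ID": "sg-0ddd", "Name": "internal-only", "Rules": [{"IpProtocol": "tcp",
        "FromPort": 23, "ToPort": 23, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for gid, name, rules in find_exposed_groups(data):
        print(f"{gid} ({name}): {len(rules)} rule(s) expose TCP/23 to the internet")
```

Each finding lists the offending rules, so the matching revoke-security-group-ingress call can be built per rule (protocol, port range and CIDR) rather than assuming the exact 23/0.0.0.0/0 shape.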
Backout Plan:
Revert Ingress Rules:
If issues arise after removing the ingress rules, re-add the rules allowing access to TCP port 23 from trusted IP ranges only.
Restore Configuration:
Use saved security group configurations to reapply previous settings if needed, restricting the source to trusted IP ranges rather than 0.0.0.0/0:
aws ec2 authorize-security-group-ingress --group-id <GroupId> --protocol tcp --port 23 --cidr <TrustedIpRange>