Profile Applicability: 

Level 2

Description

Telnet, which uses TCP port 23, is an outdated protocol with known weaknesses: it transmits all data, including credentials, in plaintext. Allowing unrestricted inbound access to port 23 from the internet (0.0.0.0/0 for IPv4 or ::/0 for IPv6) exposes instances to unauthorized access attempts and to interception of anything sent over the session. Removing public access to Telnet reduces the attack surface and brings the security group in line with a secure baseline.

Rationale

  • Enhanced Security: Reduces the attack surface by preventing unauthorized access to Telnet.

  • Risk Mitigation: Protects against potential exploits and security vulnerabilities of Telnet.

  • Compliance: Aligns with modern security practices and regulatory requirements.

Impact

Pros:

  • Reduces the risk of unauthorized access and data breaches.

  • Enhances overall security posture by closing an insecure protocol.

  • Aligns with compliance standards and security best practices.

Cons:

  • May disrupt legitimate Telnet-based workflows, requiring secure alternatives like SSH.

  • Requires configuration changes that may initially inconvenience legacy systems.

Default Value

By default, security groups can allow unrestricted access to port 23 unless explicitly configured to restrict access.

Prerequisites

IAM Permissions:

  • ec2:DescribeSecurityGroups

  • ec2:RevokeSecurityGroupIngress

  • ec2:AuthorizeSecurityGroupIngress (needed only for the restrict-to-trusted-range and backout steps)

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups allowing ingress to port 23 from 0.0.0.0/0 or ::/0.

Using AWS CLI:

Identify Security Groups with Ingress Rules Allowing Public Access to Port 23:

aws ec2 describe-security-groups \
  --query "SecurityGroups[?IpPermissions[?(FromPort<=\`23\` && ToPort>=\`23\`) && (contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0'))]].GroupId" \
  --output text

The backticks around the port literal are JMESPath syntax and must be escaped inside the double-quoted shell string, otherwise the shell treats them as command substitution. The port test is written as a range check so that rules such as 20-25 that include port 23 are also reported; rules with IpProtocol -1 (all traffic) carry no port fields and must be reviewed separately.
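The same check as a script, added here as an example rather than code from the benchmark. It takes the JSON shape returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups()`) and goes one step further than the CLI query by also catching IpProtocol -1 rules; the security group IDs and response below are constructed sample data.

```python
"""Flag security-group ingress rules that expose TCP port 23 to the world.

Added example; it works on the response shape of `aws ec2 describe-security-groups`
(or boto3's describe_security_groups()). The sample response below is constructed.
"""
TELNET_PORT = 23
PUBLIC_V4, PUBLIC_V6 = "0.0.0.0/0", "::/0"


def rule_exposes_telnet(perm: dict) -> bool:
    """True if one IpPermissions entry lets anyone on the internet reach TCP/23.

    Unlike a plain FromPort==23 check, this also catches port ranges spanning 23
    (e.g. 20-25) and "all traffic" rules (IpProtocol "-1", which carry no ports).
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        covers_port = True
    elif proto in ("tcp", "6"):
        covers_port = perm.get("FromPort", 0) <= TELNET_PORT <= perm.get("ToPort", 65535)
    else:
        return False
    public_v4 = any(r.get("CidrIp") == PUBLIC_V4 for r in perm.get("IpRanges", []))
    public_v6 = any(r.get("CidrIpv6") == PUBLIC_V6 for r in perm.get("Ipv6Ranges", []))
    return covers_port and (public_v4 or public_v6)


def find_public_telnet(response: dict) -> list:
    """Return the GroupIds that have at least one offending ingress rule."""
    return [sg["GroupId"] for sg in response.get("SecurityGroups", [])
            if any(rule_exposes_telnet(p) for p in sg.get("IpPermissions", []))]


# Constructed sample: sg-aaa exposes 23 through a 20-25 range, sg-bbb through an
# all-traffic IPv6 rule; sg-ccc is limited to a trusted CIDR; sg-ddd exposes 22 only.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bbb", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ddd", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    print(find_public_telnet(SAMPLE))  # ['sg-aaa', 'sg-bbb']
```

In live use, pass the output of `boto3.client("ec2").describe_security_groups()` (paginate for large accounts) instead of SAMPLE.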

Implementation Steps:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups with rules allowing ingress to port 23.

  5. Edit the security groups:

    • Remove the rule allowing ingress from 0.0.0.0/0 or ::/0.

    • Restrict access to trusted IP ranges, or remove the rule entirely if Telnet is not required.

  6. Save the changes.

Using AWS CLI:

Revoke Insecure Ingress Rules and, if Telnet Is Still Required, Restrict Access to a Trusted Range:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 23 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=23,ToPort=23,Ipv6Ranges=[{CidrIpv6=::/0}]'
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 23 --cidr <trusted-cidr>

The --cidr option accepts IPv4 ranges only, so the ::/0 rule has to be revoked through --ip-permissions. Omit the authorize step entirely if Telnet is not needed; if a rule was created with a port range (for example 20-25) or as an all-traffic rule, revoke it with the same range or protocol it was created with, since the revoke must match the existing rule exactly.


Backout Plan

If revoking access to port 23 causes issues:

Using AWS Console:

  1. Re-enable access by adding specific ingress rules as needed.

  2. Document and monitor any new rules added.

Using AWS CLI:

Restore Required Access:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 23 --cidr <specific-cidr>

References

CIS Controls

Version  Control ID  Control Description                                                                                       IG1  IG2  IG3
v8       5.3         Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.
v8       13.2        Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.
v7       9.1         Limit Exposure to External Networks – Use techniques like disabling unnecessary ingress rules.