lacework-global-215

Security groups should not allow unrestricted access to ports with high risk (Automated)

Description

This policy checks for security groups that allow unrestricted ingress to the high-risk ports listed below. A security group is non-compliant with this policy if any of its inbound rules accepts traffic from '0.0.0.0/0' (all IPv4) or '::/0' (all IPv6) on one of those ports. Unrestricted ingress exposes the service listening on the port to the entire Internet and increases the opportunity for malicious activity, such as unauthorized access, denial-of-service attacks, and loss of data. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports (all TCP, except where noted):

  • 20, 21 (File Transfer Protocol (FTP))
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (Simple Mail Transfer Protocol (SMTP))
  • 110 (POP3)
  • 135 (Remote Procedure Call (RPC))
  • 143 (Internet Message Access Protocol (IMAP))
  • 445 (Common Internet File System (CIFS)/Server Message Block (SMB))
  • 1433 (Microsoft SQL Server (MSSQL))
  • 1434 (UDP - MSSQL)
  • 3000 (Go, Node.js, and Ruby web development frameworks)
  • 3306 (MySQL/MariaDB)
  • 3389 (Remote Desktop Protocol (RDP))
  • 4333 (ahsp)
  • 5000 (Python web development frameworks)
  • 5432 (PostgreSQL)
  • 5500 (fcp-addr-srvr1)
  • 5601 (OpenSearch Dashboards/Kibana)
  • 8080 (proxy)
  • 8088 (legacy HTTP port)
  • 8888 (alternative HTTP port)
  • 9200 or 9300 (OpenSearch)

Remediation

  1. Log in to the AWS Management Console and select EC2 from services.
  2. Choose Security Groups under Network & Security in the navigation pane.
  3. Select the security group, and choose Actions -> Edit inbound rules.
  4. For each rule whose source is 0.0.0.0/0 or ::/0, replace the source with the specific CIDR ranges or security groups that actually need access, or delete the rule entirely.
  5. Click Preview changes, confirm the changes and then click Save rules.
  6. Repeat steps 3-5 for each security group with unrestricted ingress to any of the listed ports.
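
The check from the Description and the rule clean-up from the Remediation steps, expressed in code. This is an added example, not Lacework's or AWS's own implementation: it evaluates the `SecurityGroups` structure returned by EC2 `DescribeSecurityGroups` (boto3's `ec2.describe_security_groups()`) against the port list above and builds the argument that `ec2.revoke_security_group_ingress()` would take to strip only the unrestricted sources from each offending rule. The sample security groups are constructed, and two assumptions are made explicit in the code: a rule counts if its port range spans a listed port (an all-traffic rule, `IpProtocol` `-1`, therefore always counts), and a rule that mixes an unrestricted source with restricted ones is remediated by removing just the unrestricted source.

```python
"""Evaluate EC2 security groups against the high-risk-port policy above.

Added example; the input shape mirrors EC2 DescribeSecurityGroups output and
the three sample groups below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Ports from the policy list; all TCP except 1434, which is UDP.
HIGH_RISK_PORTS: Set[Tuple[str, int]] = {("tcp", p) for p in (
    20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 3000, 3306, 3389,
    4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300)}
HIGH_RISK_PORTS.add(("udp", 1434))

UNRESTRICTED_V4 = "0.0.0.0/0"
UNRESTRICTED_V6 = "::/0"


def is_unrestricted(perm: dict) -> bool:
    """True if any source of this inbound rule is the whole Internet (v4 or v6)."""
    v4 = any(r.get("CidrIp") == UNRESTRICTED_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == UNRESTRICTED_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_ports(perm: dict) -> Set[Tuple[str, int]]:
    """High-risk (protocol, port) pairs covered by one IpPermission entry.

    Assumption: a rule matches if its FromPort..ToPort range spans a listed
    port. IpProtocol '-1' is all protocols and ports, so it spans every entry;
    a tcp/udp rule with no port fields is treated as 0-65535.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {(p, port) for (p, port) in HIGH_RISK_PORTS if p == proto and lo <= port <= hi}


def find_violations(groups: List[dict]) -> Dict[str, List[dict]]:
    """Map GroupId -> inbound rules that are unrestricted AND reach a high-risk port."""
    findings: Dict[str, List[dict]] = {}
    for group in groups:
        bad = [perm for perm in group.get("IpPermissions", [])
               if is_unrestricted(perm) and exposed_ports(perm)]
        if bad:
            findings[group["GroupId"]] = bad
    return findings


def revoke_params(group_id: str, perms: List[dict]) -> dict:
    """Build the keyword arguments for ec2.revoke_security_group_ingress().

    Assumption: only the 0.0.0.0/0 and ::/0 entries are revoked, so restricted
    CIDRs sharing the same rule stay in place (Remediation step 4).
    """
    ip_perms = []
    for perm in perms:
        stripped = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == UNRESTRICTED_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == UNRESTRICTED_V6]
        if v4:
            stripped["IpRanges"] = v4
        if v6:
            stripped["Ipv6Ranges"] = v6
        ip_perms.append(stripped)
    return {"GroupId": group_id, "IpPermissions": ip_perms}


# Constructed sample data (not from any real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # HTTPS: not on the list
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,            # SSH, but internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,        # range spans 3000/3306/3389
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 1434, "ToPort": 1434,        # MSSQL UDP open to all IPv6
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for gid, perms in find_violations(SAMPLE_GROUPS).items():
        for perm in perms:
            ports = sorted(f"{p}/{n}" for p, n in exposed_ports(perm))
            print(f"{gid}: unrestricted ingress to {', '.join(ports)}")
        print("  revoke with:", revoke_params(gid, perms))
```

With live credentials the same functions apply to `ec2.describe_security_groups()["SecurityGroups"]`, and the dictionary from `revoke_params` can be passed as `**kwargs` to `ec2.revoke_security_group_ingress()` once the rule list has been reviewed; the `web` group passes because 443 is not a listed port and its SSH rule is limited to 10.0.0.0/8.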

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-19