Unrestricted Inbound Traffic on Remote Server Administration Ports

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VPC-017

Check your Amazon VPC Network Access Control Lists (NACLs) for inbound/ingress rules that allow unrestricted traffic (i.e. 0.0.0.0/0) on TCP ports 22 (SSH) and 3389 (RDP) and limit access to trusted IP addresses or IP ranges only in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface at the subnet level. TCP port 22 (Secure Shell – SSH) is used for secure remote login by connecting an SSH client application with an SSH server. TCP port 3389 (Remote Desktop Protocol – RDP) is used for secure remote GUI login to Windows VM instances by connecting an RDP client application with an RDP server.

This rule can help you with the following compliance standards:

  • CISAWSF

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Exposing TCP ports 22 (SSH) and 3389 (RDP) to the Internet increases the opportunity for malicious activity such as hacking, Man-in-the-Middle (MITM) attacks, and brute-force login attempts. It is therefore strongly recommended to configure your Network Access Control Lists (NACLs) so that inbound traffic on remote server administration ports 22 and 3389 is limited to known and trusted IP addresses only.

Audit

To determine if your Network ACLs (NACLs) allow unrestricted inbound traffic on TCP ports 22 and 3389, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to examine.

05 Choose the Inbound rules tab from the console bottom panel to access the inbound/ingress rules created for the selected NACL.

06 Check the CIDR value in the Source column of every ALLOW inbound rule whose Port range is set to 22 and/or 3389. If one or more of these rules have the Source value set to 0.0.0.0/0 (i.e. Anywhere), the selected Network ACL (NACL) allows unrestricted traffic on TCP port 22 and/or 3389, and remote server administration access to the VPC subnets associated with the NACL is not restricted.

07 Repeat steps no. 4 – 6 for other Network ACLs available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-network-acls command (OSX/Linux/UNIX) with custom query filters to list the ID of each Network ACL (NACL) available in the selected AWS region:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --output table \
  --query 'NetworkAcls[*].NetworkAclId'

02 The command output should return a table with the requested NACL IDs:

-------------------------------
|     DescribeNetworkAcls     |
+-----------------------------+
|    acl-0abcd1234abcd1234    |
|    acl-01234abcd1234abcd    |
+-----------------------------+

03 Run describe-network-acls command (OSX/Linux/UNIX) using the ID of the Network ACL that you want to examine as the identifier parameter and custom filtering to list all the inbound ALLOW rules defined for the selected NACL:

aws ec2 describe-network-acls \
  --region us-east-1 \
  --network-acl-ids acl-0abcd1234abcd1234 \
  --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []'

04 The command output should return the ALLOW rule(s) configured for inbound traffic:

[
    {
        "RuleNumber": 100,
        "Protocol": "6",
        "PortRange": {
            "To": 22,
            "From": 22
        },
        "Egress": false,
        "RuleAction": "allow",
        "CidrBlock": "0.0.0.0/0"
    },
    {
        "RuleNumber": 200,
        "Protocol": "6",
        "PortRange": {
            "To": 3389,
            "From": 3389
        },
        "Egress": false,
        "RuleAction": "allow",
        "CidrBlock": "0.0.0.0/0"
    }
]

Each JSON object returned by the describe-network-acls command represents one inbound ALLOW rule. Check the "CidrBlock" attribute of every ALLOW rule whose "PortRange" is set to 22 and/or 3389. If one or more of these rules have "CidrBlock" set to "0.0.0.0/0" (i.e. Anywhere), as in the output example above, the selected Network ACL (NACL) allows unrestricted traffic on TCP port 22 and/or 3389, and remote server administration access to the VPC subnets associated with the NACL is not restricted.

05 Repeat steps no. 3 and 4 for other Network ACLs available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
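The check the CLI audit above performs, as an added Python example that is not part of the Conformity rule page or its tooling: it parses describe-network-acls output (a constructed sample is embedded) and goes beyond the exact-port query in step 03 by honouring first-match rule ordering, catching all-traffic (protocol -1) and wider port-range rules that also expose ports 22 and 3389, and judging IPv4 (0.0.0.0/0) and IPv6 (::/0) sources separately. Function and variable names are the example's own.

```python
import json

ADMIN_PORTS = (22, 3389)  # SSH, RDP
# Full-width source per address family; anything narrower is not "anywhere".
ANYWHERE = (("CidrBlock", "0.0.0.0/0"), ("Ipv6CidrBlock", "::/0"))

def _covers_port(entry, port):
    """True if the entry applies to TCP `port`: protocol 6 is TCP, -1 is all
    traffic, and describe-network-acls omits PortRange for all-traffic rules."""
    if str(entry.get("Protocol")) not in ("6", "-1"):
        return False
    pr = entry.get("PortRange")
    return pr is None or pr["From"] <= port <= pr["To"]

def exposed_admin_ports(nacl):
    """Return {port: [rule numbers]} for admin ports reachable from anywhere.
    Inbound rules are evaluated in ascending RuleNumber order and the first match
    wins, so a full-width DENY that sorts first shadows a later ALLOW. Narrower
    rules are skipped (they cannot decide for sources outside their CIDR)."""
    inbound = sorted((e for e in nacl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    findings = {}
    for port in ADMIN_PORTS:
        for key, anywhere in ANYWHERE:  # IPv4 and IPv6 judged separately
            for e in inbound:
                if e.get(key) != anywhere or not _covers_port(e, port):
                    continue
                if e["RuleAction"] == "allow":
                    findings.setdefault(port, []).append(e["RuleNumber"])
                break  # first matching full-width rule decides this family
    return findings

def audit(describe_output):
    """Map NetworkAclId -> findings for every NACL in describe-network-acls JSON."""
    return {n["NetworkAclId"]: exposed_admin_ports(n)
            for n in json.loads(describe_output)["NetworkAcls"]}

# Constructed sample in describe-network-acls shape (not real account data): NACL 1
# opens SSH to the world; NACL 2 has an all-traffic IPv6 ALLOW that an exact-port
# query misses, plus an IPv4 DENY that shadows RDP for IPv4 sources only.
SAMPLE = json.dumps({"NetworkAcls": [
    {"NetworkAclId": "acl-0abcd1234abcd1234", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "PortRange": {"From": 22, "To": 22},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 200, "Protocol": "6", "PortRange": {"From": 3389, "To": 3389},
         "Egress": False, "RuleAction": "allow", "CidrBlock": "10.0.0.20/32"}]},
    {"NetworkAclId": "acl-01234abcd1234abcd", "Entries": [
        {"RuleNumber": 50, "Protocol": "6", "PortRange": {"From": 3389, "To": 3389},
         "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "Egress": False,
         "RuleAction": "allow", "Ipv6CidrBlock": "::/0"}]}]})
```

To run it against a live region, pass the raw JSON output of aws ec2 describe-network-acls --region us-east-1 to audit() instead of SAMPLE.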

Remediation / Resolution

To reconfigure your non-compliant Amazon VPC Network ACLs (NACLs) in order to allow remote server administration access from trusted entities only (i.e. authorized IP addresses and IP ranges), perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Allow Remote Server Admin Access (SSH and RDP Access) from Trusted Entities Only",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default"
      }
    },
    "VPCNetworkACL": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": {
          "Ref": "AWSVPCNetwork"
        }
      }
    },
    "SSHAccessInboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {
          "Ref": "VPCNetworkACL"
        },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "10.0.0.5/32",
        "PortRange": {
          "From": 22,
          "To": 22
        }
      }
    },
    "RDPAccessInboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {
          "Ref": "VPCNetworkACL"
        },
        "RuleNumber": 200,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "10.0.0.20/32",
        "PortRange": {
          "From": 3389,
          "To": 3389
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Allow Remote Server Admin Access (SSH and RDP Access) from Trusted Entities Only
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
  VPCNetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref 'AWSVPCNetwork'
  SSHAccessInboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: 10.0.0.5/32
      PortRange:
        From: 22
        To: 22
  RDPAccessInboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref 'VPCNetworkACL'
      RuleNumber: 200
      Protocol: 6
      RuleAction: allow
      CidrBlock: 10.0.0.20/32
      PortRange:
        From: 3389
        To: 3389

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support = true
  instance_tenancy = "default"
}

resource "aws_network_acl" "vpc-network-acl" {
  vpc_id = aws_vpc.aws-vpc-network.id
}

# Allow Remote Server Admin Access (SSH and RDP Access) from Trusted Entities Only
resource "aws_network_acl_rule" "ssh-access-inbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "10.0.0.5/32"
  from_port      = 22
  to_port        = 22
}

resource "aws_network_acl_rule" "rdp-access-inbound-rule" {
  network_acl_id = aws_network_acl.vpc-network-acl.id
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "10.0.0.20/32"
  from_port      = 3389
  to_port        = 3389
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under SECURITY, choose Network ACLs.

04 Select the Network ACL (NACL) that you want to reconfigure.

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, perform the following operations:

  1. Choose the ALLOW rule that allows unrestricted traffic on TCP port 22/3389 and change the following attributes:
    • In the Source configuration box, enter the IP address of the authorized host in CIDR notation, e.g. 10.0.0.5/32, or the IP address range of the permitted network/subnetwork in CIDR notation, for example 10.5.0.0/24.
    • Select Allow from the Allow/Deny dropdown list to allow the inbound/ingress traffic from the trusted source configured at the previous step.
  2. Choose Save changes to apply the changes.

07 Repeat steps no. 4 – 6 to reconfigure other Network ACLs that allow unrestricted remote server administration access, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run replace-network-acl-entry command (OSX/Linux/UNIX) to replace the inbound/ingress rules that allow unrestricted traffic on TCP port 22/3389. The following command example replaces the non-compliant inbound ALLOW rule with rule number 100 in the Network ACL acl-0abcd1234abcd1234 with a compliant (secure) rule that allows access on TCP port 22 (SSH) from a single trusted host only (e.g. 10.0.0.5/32). The command does not produce an output:

aws ec2 replace-network-acl-entry \
  --region us-east-1 \
  --network-acl-id acl-0abcd1234abcd1234 \
  --ingress \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=22,To=22 \
  --cidr-block 10.0.0.5/32 \
  --rule-action allow

02 (Optional) To create additional inbound ALLOW rules for TCP port 22 and/or 3389 within your Network ACL (NACL), run create-network-acl-entry command (OSX/Linux/UNIX). The following command example creates an inbound rule with rule number 200 in the NACL acl-0abcd1234abcd1234 that allows remote server administration access on TCP port 3389 (RDP) from a single authorized host only (e.g. 10.0.0.20/32). The command does not return an output:

aws ec2 create-network-acl-entry \
  --region us-east-1 \
  --network-acl-id acl-0abcd1234abcd1234 \
  --ingress \
  --rule-number 200 \
  --protocol tcp \
  --port-range From=3389,To=3389 \
  --cidr-block 10.0.0.20/32 \
  --rule-action allow

03 Repeat steps no. 1 and 2 to reconfigure other Network ACLs that allow unrestricted remote server administration access, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.

Publication date Jun 29, 2021