Ensure that Telnet (TCP:23) is restricted from the Internet
Disable Telnet (TCP:23) access on network security groups from the Internet.
Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.51
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
NetworkSecurityGroup should not have inboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=23 and destinationPortTo>=23 ] and protocol in('TCP', 'All') and action='ALLOW' and sourceAddressPrefixes contain [ '0.0.0.0/0' ] ]
REMEDIATION
Azure Console:
- Navigate to the 'All services'
- Navigate to the Networking, and select 'Network security groups'
- Select the Network security group to be modified
- Under Settings, select 'Inbound security rules'
- Select the rule to be modified and edit it to allow only specific IP addresses or protocols
From TF
resource "azurerm_network_security_group" "test" {
security_rule {
- destination_port_ranges= ["23",]
- protocol = "Tcp"
- access = "Allow"
- source_port_range = "*"
}
}
References
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Network security group
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
Compliance Frameworks
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated over 1 year ago