VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 23 (Telnet)
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 23. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.
Console Remediation Steps
Navigate to VPC.
In the left navigation, select Security Groups.
For each security group, perform the steps described below.
Select the Security Group, click the Inbound Rules tab, and click Edit rules.
Remove any rule that includes port 23 and has a source of 0.0.0.0/0.
CLI Remediation Steps
Remove the inbound rule(s) that permit unrestricted ingress to TCP port 23 from the selected Security Group:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 23 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 23 --cidr <cidr_block>
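As an added example (not part of this page or of the AWS CLI), the following Python scans `aws ec2 describe-security-groups --output json` output for ingress rules that reach TCP/23 from 0.0.0.0/0 and prints the matching revoke command. It goes beyond the exact-port case above: a port range such as 20-25 or an all-traffic (-1) rule also exposes Telnet, and because revoke must name the rule as it exists, `--port 23` alone would not remove either. The JSON sample and the `sg-EXAMPLE-*` group IDs are constructed placeholders.

```python
import json

TELNET_PORT = 23
OPEN_V4 = "0.0.0.0/0"

def rule_covers_telnet(perm):
    """True if one IpPermissions entry reaches TCP/23, including port ranges and all-traffic rules."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic": entry carries no FromPort/ToPort keys
        return True
    if proto != "tcp":                     # udp/23 or icmp is not Telnet
        return False
    return perm["FromPort"] <= TELNET_PORT <= perm["ToPort"]

def find_open_telnet(describe_output):
    """One finding per (group, rule) whose source list contains the whole IPv4 Internet."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_telnet(perm):
                continue
            if any(r.get("CidrIp") == OPEN_V4 for r in perm.get("IpRanges", [])):
                findings.append({"group_id": sg["GroupId"], "protocol": perm["IpProtocol"],
                                 "from_port": perm.get("FromPort"), "to_port": perm.get("ToPort")})
    return findings

def revoke_command(f):
    """Revoke must describe the rule exactly as it exists: a 20-25 range is not removed by --port 23."""
    if f["protocol"] == "-1":
        return (f"aws ec2 revoke-security-group-ingress --group-id {f['group_id']} "
                f"--ip-permissions IpProtocol=-1,IpRanges=[{{CidrIp={OPEN_V4}}}]")
    ports = str(f["from_port"]) if f["from_port"] == f["to_port"] else f"{f['from_port']}-{f['to_port']}"
    return (f"aws ec2 revoke-security-group-ingress --group-id {f['group_id']} "
            f"--protocol tcp --port {ports} --cidr {OPEN_V4}")

# Constructed sample in the shape of describe-security-groups output; group IDs are placeholders.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-EXAMPLE-exact", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]}]},
 {"GroupId": "sg-EXAMPLE-range", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-EXAMPLE-all", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-EXAMPLE-clean", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     {"IpProtocol": "udp", "FromPort": 23, "ToPort": 23, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

if __name__ == "__main__":
    for finding in find_open_telnet(SAMPLE):   # three findings; the "clean" group produces none
        print(revoke_command(finding))
```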