VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
Description
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB). Removing unfettered connectivity to CIFS / SMB ports reduces a server’s exposure to risk.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation pane, click Security Groups.
Remove any rules that include port 3020 and have a source of 0.0.0.0/0.
Click Save.
AWS CLI
List all security groups with an ingress rule of 0.0.0.0/0:
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the inbound rule(s) that permits unrestricted ingress to port 3020:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 3020 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 3020 --cidr <cidr_block>
Terraform
Ensure that an aws_security_group ingress block does NOT contain both of the following:
A 0.0.0.0/0 in the cidr_blocks field
3020 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0
Example Configuration
resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = ["10.0.0.0/16"]   # restricted source range, not 0.0.0.0/0
    from_port   = 3020
    to_port     = 3020
    protocol    = "tcp"             # required in an ingress block
    # other required fields here
  }
}
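The following is an added example, not code from this page or from AWS, that applies the rule described in both the AWS CLI and Terraform sections offline. It takes the JSON shape returned by aws ec2 describe-security-groups (a constructed sample with made-up group IDs is embedded), reports every ingress rule whose source is 0.0.0.0/0 and whose protocol/port range covers 3020 (including the all-traffic protocol "-1", which has no port fields), builds the matching revoke-security-group-ingress command for each finding, and exposes the same predicate for Terraform-style cidr_blocks/from_port/to_port values. Function names and the sample data are this example's own assumptions.

```python
"""Detect security-group ingress rules that expose TCP/UDP 3020 (CIFS / SMB) to 0.0.0.0/0."""
import json

TARGET_PORT = 3020          # port this rule covers
OPEN_CIDR = "0.0.0.0/0"     # the unrestricted source the rule forbids

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and names are made up for this example.
SAMPLE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupName": "smb-open", "GroupId": "sg-0aaa0000example1",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3020, "ToPort": 3020,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupName": "all-traffic-open", "GroupId": "sg-0bbb0000example2",
   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupName": "smb-internal", "GroupId": "sg-0ccc0000example3",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3100,
                      "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
  {"GroupName": "https-open", "GroupId": "sg-0ddd0000example4",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                     {"IpProtocol": "udp", "FromPort": 3000, "ToPort": 3100,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def port_in_range(ip_protocol, from_port, to_port, port=TARGET_PORT):
    """True if a rule's protocol/port range covers `port`.

    IpProtocol "-1" (all traffic) carries no FromPort/ToPort and covers every
    port. Only tcp and udp rules are relevant to CIFS / SMB.
    """
    if ip_protocol == "-1":
        return True
    if ip_protocol not in ("tcp", "udp"):
        return False
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def find_open_smb_rules(describe_output):
    """Return the ingress rules that expose TARGET_PORT to OPEN_CIDR."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            open_to_world = any(r.get("CidrIp") == OPEN_CIDR
                                for r in perm.get("IpRanges", []))
            if not open_to_world:
                continue
            proto = perm.get("IpProtocol")
            if port_in_range(proto, perm.get("FromPort"), perm.get("ToPort")):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg["GroupName"],
                    "IpProtocol": proto,
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                })
    return findings


def revoke_command(finding, region):
    """Build the revoke call for one finding.

    A revoke only removes a rule whose protocol, port range and CIDR match
    exactly, so the command echoes the rule's own range rather than
    hard-coding 3020. --group-id is used because --group-name only resolves
    groups in the default VPC.
    """
    cmd = ["aws", "ec2", "revoke-security-group-ingress",
           "--region", region, "--group-id", finding["GroupId"]]
    if finding["IpProtocol"] == "-1":
        cmd += ["--protocol", "all"]          # CLI spelling of the -1 protocol
    else:
        lo, hi = finding["FromPort"], finding["ToPort"]
        cmd += ["--protocol", finding["IpProtocol"],
                "--port", str(lo) if lo == hi else f"{lo}-{hi}"]
    cmd += ["--cidr", OPEN_CIDR]
    return " ".join(cmd)


def terraform_ingress_violates(cidr_blocks, from_port, to_port, protocol="tcp"):
    """The Terraform rule from the text: 0.0.0.0/0 in cidr_blocks AND
    (3020 within from_port..to_port OR from_port and to_port both 0)."""
    if OPEN_CIDR not in cidr_blocks:
        return False
    if from_port == 0 and to_port == 0:
        return True
    return port_in_range(protocol, from_port, to_port)


if __name__ == "__main__":
    for f in find_open_smb_rules(SAMPLE_OUTPUT):
        print(f["GroupName"], "->", revoke_command(f, "us-east-1"))
```

Run it as a script to print one revoke command per offending rule; in practice, feed it the real output of the describe-security-groups command from the CLI section instead of the constructed sample.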