Sensitive Port Is Exposed To Entire Network
Network security group (NSG) rules should not allow inbound traffic on sensitive legacy ports, such as Telnet (TCP/23) or POP3 (TCP/110), from broad source ranges such as `*`, `Internet` or `0.0.0.0/0`; restrict the source to the specific networks that need access.
Impact
Legacy protocols such as Telnet and POP3 carry credentials and data unencrypted. Exposing them to broad networks lets an attacker on any reachable network intercept credentials, brute-force logins, or use the service as a foothold into the virtual network.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Remove or tighten NSG rules that allow legacy or unencrypted protocols from broad source scopes (`*`, `Internet`, `0.0.0.0/0`): set `source_address_prefix` (or `source_address_prefixes`) to the specific CIDR ranges that require access, and where possible replace the protocol with an encrypted alternative (for example SSH instead of Telnet, POP3S/IMAPS instead of POP3).
resource "azurerm_resource_group" "example" {
  # Resource group that holds the network security group below.
  location = "West Europe"
  name     = "example-resources"
}
resource "azurerm_network_security_group" "good_example" {
  # Compliant example: the only inbound allow rule is limited to a private
  # source range instead of a broad scope such as "*", "Internet" or 0.0.0.0/0.
  name                = "good-security-group"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  security_rule {
    name      = "HTTP"
    priority  = 1001
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    # Only sources within 10.0.0.0/8 may reach TCP/8080. A /8 is still a very
    # large range; in practice narrow this to the subnets that need access.
    source_address_prefix      = "10.0.0.0/8"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "8080"
  }
}
resource "azurerm_resource_group" "example" {
  # Resource group that holds the network security group below.
  location = "West Europe"
  name     = "example-resources"
}
resource "azurerm_network_security_group" "good_example2" {
  # Compliant example: SSH (an encrypted protocol) is only reachable from a
  # single /24, not from a broad scope such as "*", "Internet" or 0.0.0.0/0.
  name                = "good-security-group"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  security_rule {
    name      = "SSH"
    priority  = 1001
    direction = "Inbound"
    access    = "Allow"
    protocol  = "Tcp"

    # Inbound TCP/22 is permitted only from the 192.168.1.0/24 management network.
    source_address_prefix      = "192.168.1.0/24"
    source_port_range          = "*"
    destination_address_prefix = "*"
    destination_port_range     = "22"
  }
}
Links