Azure Introduction
Azure Pricing
Azure Threats
Unrestricted FTP Access To Port 20
More Info:
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP ports 20 and 21 in order to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs. TCP ports 20 and 21 are used for data transfer and communication by the File Transfer Protocol (FTP) client-server applications.
Risk Level
High
Address
Security
Compliance Standards
GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate unrestricted FTP access to Port 20 in Azure, follow these steps:
-
Open the Azure portal and navigate to the Virtual Machine (VM) that has unrestricted FTP access to Port 20.
-
Stop the VM by clicking on the “Stop” button at the top of the VM’s overview page.
-
Once the VM is stopped, click on the “Networking” tab in the left-hand menu.
-
Click on the “Add inbound port rule” button.
-
In the “Add inbound security rule” dialog, configure the following settings:
- Name: A descriptive name for the new rule.
- Priority: A number that determines the order in which rules are evaluated (lower numbers are evaluated first).
- Source: The IP address range or subnet that should be allowed to access Port 20. If you want to restrict access to a specific IP address, enter that IP address in the “Source IP addresses/CIDR ranges” field.
- Destination port ranges: Enter “20” to restrict access to Port 20.
- Protocol: Select “TCP” from the dropdown menu.
- Action: Select “Allow” from the dropdown menu.
-
Click on the “Add” button to create the new inbound security rule.
-
Start the VM by clicking on the “Start” button at the top of the VM’s overview page.
By following these steps, you have remediated the unrestricted FTP access to Port 20 in Azure by restricting access to only the IP address range or subnet that should be allowed to access Port 20.
To remediate the unrestricted FTP access to port 20 misconfiguration in Azure using Azure CLI, you can follow the following steps:
-
Open the Azure CLI and login to your Azure account using the command
az login
. -
Once you are logged in, run the following command to get the list of all the virtual machines in your Azure subscription:
az vm list --query "[].{name:name, resourceGroup:resourceGroup}"
-
Identify the virtual machine that has unrestricted FTP access to port 20 and note down its name and resource group.
-
Run the following command to open port 20 for FTP traffic on the identified virtual machine:
az vm open-port --port 20 --resource-group <resource-group-name> --name <vm-name> --priority 1001
Note: Replace
<resource-group-name>
and<vm-name>
with the actual names of the resource group and virtual machine that you have identified. -
Verify that the port 20 is now open for FTP traffic on the virtual machine by running the following command:
az vm show --resource-group <resource-group-name> --name <vm-name> --query "networkProfile.networkInterfaces[].ipConfigurations[].openPorts"
This command should return the list of all the open ports on the virtual machine, including port 20 for FTP traffic.
-
Repeat the above steps for all the virtual machines in your Azure subscription that have unrestricted FTP access to port 20.
By following the above steps, you can remediate the unrestricted FTP access to port 20 misconfiguration in Azure using Azure CLI.
To remediate the unrestricted FTP access to port 20 in Azure using Python, you can follow the below steps:
- Identify the Azure virtual machine(s) that have unrestricted FTP access to port 20.
- Use the Python SDK for Azure to create a network security group (NSG) for the virtual machine(s) that allows FTP access only from a specific IP address or range.
- Associate the NSG with the virtual machine(s) that have unrestricted FTP access to port 20.
- Verify that the NSG is working as expected by testing FTP access from a different IP address.
Here is an example Python code to create a network security group and associate it with a virtual machine in Azure:
from azure.mgmt.network import NetworkManagementClient
from azure.common.credentials import ServicePrincipalCredentials
# Set your Azure subscription ID, client ID, secret, and tenant ID
subscription_id = 'your_subscription_id'
client_id = 'your_client_id'
secret = 'your_secret'
tenant = 'your_tenant_id'
# Set the resource group and virtual machine name
resource_group_name = 'your_resource_group_name'
vm_name = 'your_virtual_machine_name'
# Set the IP address or range that is allowed to access FTP
ftp_ip_address = 'your_ftp_ip_address'
# Authenticate with Azure using a service principal
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=secret,
tenant=tenant
)
# Create a network security group
network_client = NetworkManagementClient(credentials, subscription_id)
nsg_params = {
'location': 'your_location',
'security_rules': [
{
'name': 'FTP',
'protocol': 'Tcp',
'source_port_range': '*',
'destination_port_range': '20',
'source_address_prefix': ftp_ip_address,
'destination_address_prefix': '*',
'access': 'Allow',
'priority': 100,
'direction': 'Inbound'
}
]
}
nsg = network_client.network_security_groups.create_or_update(
resource_group_name,
'FTP-NSG',
nsg_params
)
# Associate the network security group with the virtual machine
vm = network_client.virtual_machines.get(
resource_group_name,
vm_name
)
vm.network_profile.network_interfaces[0].network_security_group = nsg
network_client.virtual_machines.create_or_update(
resource_group_name,
vm_name,
vm
)
This code creates a network security group that allows FTP access only from the specified IP address or range, and associates it with the virtual machine. You can customize the code to meet your specific requirements.