More Info:

Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP ports 20 and 21. Port 21 carries the File Transfer Protocol (FTP) control channel (logins and commands) and port 20 carries the active-mode data channel. FTP sends credentials and file contents in cleartext, so an FTP service reachable from any source exposes the Azure virtual machines associated with these NSGs to brute-force login attempts, credential sniffing, and abuse of anonymous-access misconfigurations.

Risk Level

High

Address

Security

Compliance Standards

GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

To remediate unrestricted FTP access on TCP ports 20 and 21 in Azure, follow these steps:

  1. Open the Azure portal and navigate to the Virtual Machine (VM) whose NSG allows unrestricted FTP access. NSG rule changes take effect immediately on running VMs; the VM does not need to be stopped.

  2. Click on the “Networking” tab in the left-hand menu. The inbound rules listed there come from the NSG attached to the VM’s network interface and, if present, the NSG attached to its subnet; the fix must be applied to whichever NSG holds the offending rule.

  3. Identify the inbound rule that exposes FTP: Action “Allow”, Protocol “TCP” or “Any”, a Destination port range that covers 20 or 21 (for example “20”, “21”, “20-21” or “*”), and a Source of “Any”, “Internet”, “*” or “0.0.0.0/0”.

  4. Click on that rule to edit it (or delete it if FTP is not required on this VM). Adding a separate, narrower allow rule is not a remediation on its own: the original unrestricted rule keeps matching traffic from every other source until it is edited or removed.

  5. In the rule’s edit pane, configure the following settings:

  • Name: A descriptive name for the rule.
  • Priority: A number that determines the order in which rules are evaluated (lower numbers are evaluated first). Keep it lower than any broader allow rule for the same ports, and check that no such rule still exists.
  • Source: Select “IP Addresses” and enter only the IP address range(s) or subnet that should be allowed to reach the FTP service in the “Source IP addresses/CIDR ranges” field (for example, a corporate egress range). Never use “Any” or “Internet”.
  • Destination port ranges: Enter “20-21” (or “21” alone if the server uses passive mode, where the data connection uses a separate, server-defined port range that must be restricted in the same way).
  • Protocol: Select “TCP” from the dropdown menu.
  • Action: Select “Allow” from the dropdown menu.

  6. Click on the “Save” button to apply the changed rule (or “Add” if you are replacing a deleted rule with a new restricted one).

  7. Re-check the inbound rule list to confirm that no remaining rule still allows ports 20 or 21 from “Any” or “Internet”, and repeat the change on the subnet-level NSG if it has one.

By following these steps, you have restricted FTP access on ports 20 and 21 to only the IP address range or subnet that should be allowed to reach the service. Where FTP is not needed, remove the rule altogether; where file transfer is needed, prefer SFTP or FTPS, which protect credentials and data in transit, and reach the VM through a VPN or bastion host rather than exposing the service to the Internet.
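The check behind the finding and the remediation above, written as an added example (this is not the page’s or any vendor’s own code). It evaluates NSG inbound rules the way the NSG does, first match by ascending priority, and reports which FTP ports an arbitrary Internet host can reach; it then shows the rule narrowed to an approved source range. The rule dicts use the field names returned by `az network nsg rule list -o json`; the sample rules, the approved range 203.0.113.0/24 and all function names are constructed for this example.

```python
"""Added example: flag Azure NSG inbound rules that expose FTP (TCP 20/21) to any source.

Rules are dicts in the shape `az network nsg rule list -o json` returns (fields such as
sourceAddressPrefix, destinationPortRanges, priority). SAMPLE_RULES at the bottom are
constructed for this example, not taken from a real subscription.
"""
import ipaddress

FTP_PORTS = (20, 21)
# Source values Azure treats as "anywhere"; 'Internet' is the service tag for all public address space.
ANY_SOURCES = {"*", "Any", "Internet", "0.0.0.0/0", "::/0"}


def expand_ports(spec):
    """'21' -> {21}; '20-21' -> {20, 21}; '*' -> None (every port)."""
    spec = str(spec).strip()
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def rule_ports(rule):
    """Union of destinationPortRange and destinationPortRanges; None means all ports."""
    specs = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    covered = set()
    for spec in specs:
        if not spec:
            continue
        ports = expand_ports(spec)
        if ports is None:
            return None
        covered |= ports
    return covered


def source_is_unrestricted(prefix):
    """True for the wildcards, the Internet tag, and any /0 network."""
    if prefix in ANY_SOURCES:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # other service tags / application security groups are scoped, not "anywhere"


def rule_has_unrestricted_source(rule):
    specs = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    return any(source_is_unrestricted(s) for s in specs if s)


def rule_matches(rule, port):
    """Does this inbound rule apply to TCP traffic on `port` from an arbitrary Internet host?"""
    if rule.get("direction") != "Inbound":
        return False
    if str(rule.get("protocol", "")).lower() not in ("tcp", "*"):
        return False
    if not rule_has_unrestricted_source(rule):
        return False  # a narrowly scoped source never matches a random Internet address
    ports = rule_ports(rule)
    return ports is None or port in ports


def exposed_ftp_ports(rules):
    """Walk rules by ascending priority (first match wins, as in the NSG) and return
    {port: rule_name} for each FTP port an arbitrary Internet host could reach."""
    exposed = {}
    for port in FTP_PORTS:
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if rule_matches(rule, port):
                if rule["access"] == "Allow":
                    exposed[port] = rule["name"]
                break  # first matching rule decides; a Deny here closes the port
    return exposed


def restrict_sources(rule, allowed_prefixes):
    """Return the rule narrowed to the given CIDRs (the edit the portal steps make)."""
    fixed = dict(rule)
    fixed.pop("sourceAddressPrefix", None)
    fixed["sourceAddressPrefixes"] = list(allowed_prefixes)
    return fixed


# Constructed sample rules. The Deny at 200 shows why per-rule checks mislead:
# port 20 is already closed to the Internet even though rule 300 allows it.
SAMPLE_RULES = [
    {"name": "allow-ftp-anywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["20-21"]},
    {"name": "deny-ftp-data", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "20"},
    {"name": "allow-ssh-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    print(exposed_ftp_ports(SAMPLE_RULES))  # {21: 'allow-ftp-anywhere'}
    fixed = [restrict_sources(r, ["203.0.113.0/24"]) if r["name"] == "allow-ftp-anywhere" else r
             for r in SAMPLE_RULES]
    print(exposed_ftp_ports(fixed))  # {}
```

The equivalent CLI edit for the flagged rule is `az network nsg rule update --resource-group <rg> --nsg-name <nsg> --name allow-ftp-anywhere --source-address-prefixes 203.0.113.0/24`. The script only models the NSG rules you feed it; run it against both the NIC-level and the subnet-level NSG, and remember that passive-mode FTP also needs its server-side data port range covered.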