Check for Unrestricted Inbound Access on Uncommon Ports

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that your Virtual Private Cloud (VPC) firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) to any uncommon ports in order to protect against attackers that use brute force methods to gain access to the virtual machine instances associated with these firewall rules. An uncommon port can be any TCP/UDP port that is not included in the common service ports category, i.e. other than the commonly used ports such as 80 (HTTP), 443 (HTTPS), 20/21 (FTP), 22 (SSH), 23 (Telnet), 53 (DNS), 3389 (RDP), 25/465/587 (SMTP), 3306 (MySQL), 5432 (PostgreSQL), 1521 (Oracle Database), 1433 (SQL Server), 135 (RPC), and 137/138/139/445 (SMB/CIFS).

Security

Allowing unrestricted (0.0.0.0/0) inbound access to uncommon ports via VPC network firewall rules exposes the associated instances to anyone on the Internet and widens the opportunity for malicious activity such as unauthorized access, data capture, and attacks of all kinds (brute-force attacks, man-in-the-middle attacks, Denial-of-Service attacks, etc.).

Audit

To determine if your Google Cloud VPC firewall rules allow unrestricted ingress access to uncommon TCP/UDP ports, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall, click inside the Filter table box, set Type to Ingress and Disabled to False, to list all the inbound rules enabled for the resources within the selected project.

05 Check the filtered list for any inbound rules with the Protocols / ports attribute set to an uncommon TCP/UDP port (e.g. TCP 8010), Action to Allow, and Filters to IP ranges: 0.0.0.0/0. If one or more rules match the filter criteria, there are VPC network firewall rules that allow unrestricted inbound/ingress access to uncommon ports, therefore the access to the associated virtual machine instances is not secured.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-web-dev-project-112233

03 Run the compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name of each VPC network created within the selected project:

gcloud compute networks list \
  --project cc-project5-stack-123123 \
  --format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the specified project:

NAME
cc-web-stack-network

05 Run the compute firewall-rules list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as the identifier parameter and custom filtering to list all the firewall rules defined for the selected Virtual Private Cloud (VPC):

gcloud compute firewall-rules list \
  --filter="network=cc-web-stack-network" \
  --sort-by priority \
  --format="table(name,disabled,direction,sourceRanges,allowed[].map().firewall_rule().list())"

06 The command output should return the requested information available for the existing VPC firewall rules:

NAME                         DISABLED  DIRECTION  SOURCE_RANGES  ALLOW
cc-allow-ica-access          False     INGRESS    ['0.0.0.0/0']  tcp:1494
cc-allow-ws-console-access   False     INGRESS    ['0.0.0.0/0']  tcp:8010
cc-allow-ws-database-access  False     INGRESS    ['0.0.0.0/0']  tcp:1433
cc-allow-http-access         False     INGRESS    ['0.0.0.0/0']  tcp:80

Check the compute firewall-rules list command output for any enabled firewall rules (i.e. DISABLED attribute set to False) with the DIRECTION set to INGRESS, SOURCE_RANGES set to ['0.0.0.0/0'], and ALLOW set to an uncommon TCP/UDP port (e.g. TCP 1494). If one or more rules match the search criteria, there are VPC network firewall rules that allow unrestricted inbound/ingress access to uncommon ports, therefore access to the associated virtual machine (VM) instances is not restricted to trusted sources and is not secured.

07 Repeat steps no. 5 and 6 for each VPC network created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To update your VPC network firewall rules configuration in order to restrict access on uncommon TCP/UDP ports to trusted, authorized IP addresses or IP ranges only, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall to access the list of VPC firewall rules created for the resources within the selected project.

05 Click on the name of the rule that allows unrestricted inbound access to uncommon TCP/UDP ports (see Audit section part I to identify the right firewall rule), then click on the Edit button from the dashboard top menu to access the rule configuration settings.

06 On the selected firewall rule configuration page, perform the following:

  1. Remove the overly permissive 0.0.0.0/0 IP range from the Source IP ranges configuration box to deny unrestricted (public) inbound access on the uncommon TCP/UDP port.
  2. Type the source IP address(es) or IP address range(s) into the Source IP ranges box to define the allowed sources for the incoming traffic on the uncommon port. The allowed IP address blocks must be specified in CIDR format (e.g. 10.10.10.0/24). The IP range(s) can include addresses both inside and outside your VPC network, and can define sources both inside and outside Google Cloud Platform (GCP).
  3. Click Save to apply the configuration changes.

07 If required, repeat steps no. 5 and 6 to reconfigure other VPC network firewall rules that allow unrestricted inbound access to uncommon ports.

08 Repeat steps no. 2 – 7 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run the compute firewall-rules update command (Windows/macOS/Linux) to reconfigure the VPC firewall rule that allows unrestricted inbound access on uncommon TCP/UDP ports (see Audit section part II to identify the right firewall rule), replacing the insecure 0.0.0.0/0 source range with a trusted, authorized IP address/IP range. The IP range(s) can include addresses both inside and outside your VPC network. The allowed IP address blocks must be defined in CIDR format. You can specify a single value (e.g. 10.10.10.5/32) or a comma-separated list of multiple values (e.g. 10.10.10.5/32,10.10.10.0/24):

gcloud compute firewall-rules update cc-allow-ica-access \
  --allow tcp:1494 \
  --source-ranges=10.10.10.0/24 \
  --description="Allows ICA access from authorized IP address range"

02 The command output should return the ID of the reconfigured VPC firewall rule:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/firewalls/cc-allow-ica-access].

03 If required, repeat steps no. 1 and 2 to reconfigure other VPC network firewall rules that allow unrestricted inbound access to uncommon ports.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
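As an added, stand-alone check that is not part of the Conformity rule or of the gcloud tooling, the following Python script applies the Audit (part II) criteria and produces the Remediation (part II) command for rule data in the JSON shape returned by gcloud compute firewall-rules list --format=json. The sample rules, the trusted range 10.10.10.0/24 and the function names are constructed for this example; a port range such as 8000-8100 is treated as uncommon if it covers any port outside the common list given above.

```python
import json

# Common service ports named in the rule text; any other TCP/UDP port is "uncommon".
COMMON_PORTS = {20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 139, 443, 445,
                465, 587, 1433, 1521, 3306, 3389, 5432}

def has_uncommon_port(spec):
    """True if a gcloud port spec ('8010' or '8000-8100') covers any non-common port."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(p not in COMMON_PORTS for p in range(lo, hi + 1))

def find_unrestricted_uncommon(rules):
    """Flag enabled INGRESS rules open to 0.0.0.0/0 on at least one uncommon TCP/UDP port."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        for entry in rule.get("allowed", []):
            proto = entry.get("IPProtocol", "").lower()
            if proto not in ("tcp", "udp", "all"):
                continue
            # A missing 'ports' key means every port of that protocol is allowed.
            specs = entry.get("ports") or ["0-65535"]
            bad = [s for s in specs if has_uncommon_port(s)]
            if bad:
                findings.append((rule["name"], proto, bad))
    return findings

def remediation_command(rule_name, proto, specs, trusted_ranges):
    """Build the 'firewall-rules update' call that swaps 0.0.0.0/0 for trusted CIDRs."""
    allow = "all" if proto == "all" else ",".join(f"{proto}:{s}" for s in specs)
    return (f"gcloud compute firewall-rules update {rule_name} "
            f"--allow={allow} --source-ranges={','.join(trusted_ranges)}")

# Constructed sample in the shape of 'gcloud compute firewall-rules list --format=json'.
SAMPLE_RULES = json.loads("""[
 {"name": "cc-allow-ica-access", "disabled": false, "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["1494"]}]},
 {"name": "cc-allow-ws-database-access", "disabled": false, "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["1433"]}]},
 {"name": "cc-internal-any", "disabled": false, "direction": "INGRESS",
  "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp"}]}]""")

if __name__ == "__main__":
    for name, proto, specs in find_unrestricted_uncommon(SAMPLE_RULES):
        print(name, proto, specs, "->", remediation_command(name, proto, specs, ["10.10.10.0/24"]))
```

Only cc-allow-ica-access is reported: port 1433 is on the common list, and the internal rule is not open to 0.0.0.0/0. Run the printed update command only after confirming the trusted range with the instance owners.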

Publication date May 4, 2021