Azure Virtual Machine allows public access to Telnet port
- Contextual name: Virtual Machine allows public access to Telnet port
- ID: /ce/ca/azure/virtual-machine/allows-unrestricted-telnet-traffic
- Located in: Azure Virtual Machine
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Logic
- prod.logic.yaml
Description
Ensure that Azure Virtual Machines are not configured to allow unrestricted inbound access to the Telnet port (TCP 23). Network Security Group (NSG) rules should prohibit inbound Telnet traffic from open IP ranges such as 0.0.0.0/0 due to the protocol's inherent security weaknesses.
Rationale
Telnet is an insecure protocol that transmits data, including user credentials, in plaintext. Allowing unrestricted Telnet access exposes virtual machines to significant security risks, including unauthorized access, credential theft, and man-in-the-middle (MITM) attacks. Restricting Telnet traffic to trusted IP addresses mitigates these risks. Furthermore, organizations are strongly encouraged to replace Telnet with secure alternatives like SSH, which offer encrypted communication and robust authentication mechanisms.
Impact
Limiting Telnet access may require updates to legacy systems or workflows. Ensure that any necessary access is maintained through secure, restricted channels to prevent service interruptions while enhancing overall security.
Remediation
Modify or Remove Insecure NSG Rule
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
- If the rule is not required: remove the rule entirely.
- If the rule is required but overly permissive: update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLI

Delete the rule:

```shell
az network nsg rule delete \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}}
```

Restrict the rule:

```shell
az network nsg rule update \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}} \
  --source-address-prefixes {{trusted-cidr}}
```

Replace the placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., `--source-address-prefixes "1.2.3.4/32 5.6.7.8/32"`).
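The check in the Description and the two remediation paths above, as an added worked example (not Cloudaware's prod.logic.yaml and not Azure's own code): it evaluates NSG security rules in the JSON shape that `az network nsg rule list` returns, honours rule priority so that a lower-numbered Deny shadows a later Allow, and builds the delete or restrict command from the Remediation section for a finding. The rule sets, resource names and trusted CIDR are constructed samples.

```python
"""Offline evaluator for 'VM allows public access to Telnet port' (TCP 23).

Added example, not the policy's own logic. Rules are dicts in the shape that
`az network nsg rule list` returns; all samples below are constructed.
"""

TELNET_PORT = 23
# Source prefixes that mean "anyone on the Internet" in an NSG rule.
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet", "any"}


def port_matches(spec, port=TELNET_PORT):
    """True if a destinationPortRange entry ('*', '23', '20-25') covers `port`."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _values(rule, single, plural):
    """Collect a property Azure stores either as one string or as a list."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def matches_public_telnet(rule):
    """Does this inbound rule apply to TCP 23 arriving from an open source?"""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("tcp", "*"):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    if not any(port_matches(p) for p in ports):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.strip().lower() in OPEN_SOURCES for s in sources)


def find_public_telnet_rule(rules):
    """Return the name of the Allow rule exposing Telnet publicly, or None.

    NSG rules are evaluated lowest priority number first and the first match
    wins, so a Deny covering the same traffic at a lower number is honoured.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if matches_public_telnet(rule):
            if rule.get("access", "").lower() == "allow":
                return rule["name"]
            return None
    return None


def remediation_command(resource_group, nsg_name, rule_name, trusted_cidrs=None):
    """Build the az CLI command from the Remediation section: delete when the
    rule is not needed, otherwise restrict its source prefixes."""
    common = f"--resource-group {resource_group} --nsg-name {nsg_name} --name {rule_name}"
    if not trusted_cidrs:
        return f"az network nsg rule delete {common}"
    prefixes = " ".join(trusted_cidrs)
    return f'az network nsg rule update {common} --source-address-prefixes "{prefixes}"'


# Constructed sample: an NSG with an over-permissive legacy management rule.
SAMPLE_RULES = [
    {"name": "allow-ssh-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
    {"name": "allow-legacy-mgmt", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRanges": ["20-25", "443"]},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample: the same NSG with an explicit Deny ahead of the Allow; not a finding.
SHADOWED_RULES = [
    {"name": "deny-telnet", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "23"},
] + SAMPLE_RULES


if __name__ == "__main__":
    offender = find_public_telnet_rule(SAMPLE_RULES)
    print("finding:", offender)
    print(remediation_command("{{resource-group-name}}", "{{nsg-name}}", offender))
    print(remediation_command("{{resource-group-name}}", "{{nsg-name}}", offender, ["203.0.113.0/24"]))
    print("shadowed NSG finding:", find_public_telnet_rule(SHADOWED_RULES))
```

The second sample rule is the case that naive string matching on `destinationPortRange == "23"` misses: protocol `*` with a port range `20-25` still exposes Telnet. Evaluating in priority order also avoids a false positive when a tenant has already placed a targeted Deny ahead of a broad Allow.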
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
Cloudaware Framework → Public and Anonymous Access | 69 |