Sensitive port is exposed to wide private network
This product is not supported for your selected
Datadog site. (
).
Id: c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e
Cloud Provider: Azure
Platform: Terraform
Severity: Low
Category: Networking and Firewall
Learn More
Description
Opening sensitive ports such as port 23 (Telnet) or port 110 (POP3) to wide private network ranges (for example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) in either TCP or UDP protocols increases the attack surface and exposes resources to unnecessary risk, as these ports are often targeted by attackers due to weak authentication and lack of encryption. If left unaddressed, this misconfiguration can lead to potential unauthorized access, credential theft, or exploitation of legacy services, especially if the associated services are enabled and unpatched. To remediate, network security rules should deny inbound access to such sensitive ports. For example:
resource "azurerm_network_security_rule" "secure_example" {
name = "deny_telnet"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
Compliant Code Examples
resource "azurerm_network_security_rule" "negative1" {
name = "example"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative2" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Icmp"
source_port_range = "*"
destination_port_range = "23-34"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative3" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "8-174"
source_address_prefix = "0.0.0.0"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative4" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23-196"
source_address_prefix = "0.0.0.0"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative5" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "/1"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative6" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "43"
source_address_prefix = "/0"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative7" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Icmp"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "internet"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative8" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "22, 24,49-67"
source_address_prefix = "any"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative9" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Icmp"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "/0"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative10" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23 , 69"
source_address_prefix = "0.0.1.0"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "negative11" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "2,310"
source_address_prefix = "0.0.0.0"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
Non-Compliant Code Examples
resource "azurerm_network_security_rule" "positive1" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "61621"
source_address_prefix = "172.16.0.0/12"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive2" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23-34"
source_address_prefix = "172.16.0.0/12"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive3" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "21-23"
source_address_prefix = "172.16.0.0/12"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive4" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "192.168.0.0/16"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive5" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "23,245"
source_address_prefix = "192.168.0.0/16"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive6" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "23"
source_address_prefix = "192.168.0.0/16"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive7" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "UDP"
source_port_range = "*"
destination_port_range = "22-64, 94"
source_address_prefix = "10.0.0.0/8"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive8" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "TCP"
source_port_range = "*"
destination_port_range = "14, 23, 48"
source_address_prefix = "10.0.0.0/8"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive9" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "12, 23-24,46"
source_address_prefix = "10.0.0.0/8"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
resource "azurerm_network_security_rule" "positive10" {
name = "example"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "46-146, 18-36, 1-2, 3"
source_address_prefix = "10.0.0.0/8"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
