---
title: Inbound FTP access should be restricted
description: Datadog, the leading service for cloud-scale monitoring.
---

# Inbound FTP access should be restricted
 
## Description{% #description %}

Reduce the probability of a breach by checking [EC2 security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server applications for communication and file transfer), and by restricting access to only the IP addresses that require these ports.

## Rationale{% #rationale %}

Malicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) docs to learn how to add a security group rule that will restrict access to a specific port.

### From the command line{% #from-the-command-line %}

1. Run `revoke-security-group-ingress` to [remove inbound rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html) that allow unrestricted access to ports 20 and 21.

   In the `revoke-security-group-ingress.sh` file:

   ```bash
   # Remove the inbound rule that opens TCP port 20 to any IPv4 source.
   # Run again with --port 21 for the second FTP port.
   aws ec2 revoke-security-group-ingress \
       --group-name your-group-name \
       --protocol tcp \
       --port 20 \
       --cidr 0.0.0.0/0
   ```

1. Run `authorize-security-group-ingress` to [add new inbound rules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html) that restrict FTP access.

   In the `authorize-security-group-ingress.sh` file:

   ```bash
   # Allow TCP port 20 only from the address range that requires FTP access.
   # Run again with --port 21 for the second FTP port.
   aws ec2 authorize-security-group-ingress \
       --group-name your-group-name \
       --protocol tcp \
       --port 20 \
       --cidr 192.0.2.0/24
   ```
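To find which groups need the steps above, and to confirm the result afterwards, the check from the Description can be run over the JSON printed by `aws ec2 describe-security-groups`. This is an added example, not Datadog's rule logic; the group IDs and the sample document are constructed, and the function names are hypothetical.

```python
import json

FTP_PORTS = (20, 21)
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # any IPv4 source / any IPv6 source
# Constructed sample in the shape printed by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 21,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
   "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ccc", "IpPermissions": [
  {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ddd", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")


def exposed_ftp_ports(perm):
    """Return the FTP ports (20, 21) covered by one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: no port fields, every port is open
        return list(FTP_PORTS)
    if proto not in ("tcp", "6"):
        return []
    low, high = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return [p for p in FTP_PORTS if low <= p <= high]


def find_open_ftp(doc):
    """Return (group_id, cidr, ports) for inbound rules open to any source."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            ports = exposed_ftp_ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], c, ports)
                         for c in cidrs if ports and c in OPEN_CIDRS]
    return findings


if __name__ == "__main__":
    for group_id, cidr, ports in find_open_ftp(SAMPLE):
        print(f"{group_id}: source {cidr} reaches TCP ports {ports}")
```

Port ranges that merely contain 20 or 21, all-protocol (`-1`) rules, and IPv6 `::/0` sources are matched as well as the exact `tcp/20` and `tcp/21` cases.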
