---
title: Security groups should not allow unrestricted access to ports with high risk
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Security groups should not allow
  unrestricted access to ports with high risk
---

# Security groups should not allow unrestricted access to ports with high risk
## Description{% #description %}

This rule verifies that security groups do not allow unrestricted inbound traffic on the following ports:

- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 25 (SMTP)
- 110 (POP3)
- 135 (RPC)
- 143 (IMAP)
- 445 (CIFS)
- 1433, 1434 (MSSQL)
- 3000 (Go, Node.js, and Ruby web development frameworks)
- 3306 (MySQL)
- 3389 (RDP)
- 4333 (ahsp)
- 5000 (Python web development frameworks)
- 5432 (PostgreSQL)
- 5500 (fcp-addr-srvr1)
- 5601 (OpenSearch Dashboards)
- 8080 (proxy)
- 8088 (legacy HTTP port)
- 8888 (alternative HTTP port)
- 9200 or 9300 (OpenSearch)

Restricting access to these ports is a security best practice, and required by AWS Foundational Security Best Practices.

**Note**: This rule only looks at the security group and does not attempt to identify if it is attached to resources such as an EC2 instance. Consequently, the rule has a low severity.
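The check below is an added example, not Datadog's rule implementation or AWS code. It evaluates a security group in the shape returned by the EC2 `DescribeSecurityGroups` API (the `IpPermissions` list with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges` and `Ipv6Ranges`), treats a source of `0.0.0.0/0` or `::/0` as unrestricted, and reports which of the ports listed above are exposed. It also builds the minimal `IpPermissions` list that would remove only the offending world-open entries, which is the programmatic counterpart of the console remediation. The sample security group is constructed for illustration; the group id and names are placeholders. Note that, like the rule itself, this looks only at the group's rules and does not know whether the group is attached to anything.

```python
"""Evaluate an AWS security group for unrestricted ingress on high-risk ports (added example)."""
import ipaddress

# Ports flagged by the rule, as listed in the description above.
HIGH_RISK_PORTS = {
    20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306, 3389,
    4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300,
}

# A source covering every address is what "unrestricted" means here.
UNRESTRICTED_V4 = ipaddress.ip_network("0.0.0.0/0")
UNRESTRICTED_V6 = ipaddress.ip_network("::/0")

# Protocols for which FromPort/ToPort describe layer-4 ports ("-1" is "all traffic").
PORTED_PROTOCOLS = {"tcp", "udp", "6", "17"}


def _port_span(perm):
    """Return the (low, high) port range an IpPermission entry covers, or None if
    the entry is not about TCP/UDP ports (for example an ICMP entry)."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                      # all protocols => every port
        return 0, 65535
    if proto not in PORTED_PROTOCOLS:
        return None
    low = perm.get("FromPort")
    high = perm.get("ToPort", low)
    if low is None or low < 0:             # no usable port range
        return None
    return low, high


def _world_open_ranges(perm):
    """Split the entry's sources into the IPv4 and IPv6 ranges that are unrestricted."""
    v4 = [r for r in perm.get("IpRanges", [])
          if ipaddress.ip_network(r["CidrIp"], strict=False) == UNRESTRICTED_V4]
    v6 = [r for r in perm.get("Ipv6Ranges", [])
          if ipaddress.ip_network(r["CidrIpv6"], strict=False) == UNRESTRICTED_V6]
    return v4, v6


def find_exposed_ports(security_group):
    """Return a sorted list of (port, source_cidr) pairs for every high-risk port
    reachable from an unrestricted source."""
    findings = set()
    for perm in security_group.get("IpPermissions", []):
        span = _port_span(perm)
        if span is None:
            continue
        low, high = span
        v4, v6 = _world_open_ranges(perm)
        sources = [r["CidrIp"] for r in v4] + [r["CidrIpv6"] for r in v6]
        for cidr in sources:
            for port in HIGH_RISK_PORTS:
                if low <= port <= high:
                    findings.add((port, cidr))
    return sorted(findings)


def is_compliant(security_group):
    """True when no high-risk port is open to the world."""
    return not find_exposed_ports(security_group)


def permissions_to_revoke(security_group):
    """Build the IpPermissions list that removes only the world-open sources of
    entries touching a high-risk port; other sources on the same entry are kept."""
    to_revoke = []
    for perm in security_group.get("IpPermissions", []):
        span = _port_span(perm)
        if span is None or not any(span[0] <= p <= span[1] for p in HIGH_RISK_PORTS):
            continue
        v4, v6 = _world_open_ranges(perm)
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:                 # absent for IpProtocol "-1"
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        to_revoke.append(entry)
    return to_revoke


# Constructed sample: a web-tier group with one acceptable rule (443 to the world),
# one bad rule (SSH to the world), one acceptable internal rule (MySQL from a VPC
# range) and one bad IPv6 range that happens to cover the OpenSearch ports.
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",           # placeholder, not a real group id
    "GroupName": "example-web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9500,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for port, cidr in find_exposed_ports(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: port {port} open to {cidr}")
    print("compliant:", is_compliant(SAMPLE_SG))
```

The output of `permissions_to_revoke` is shaped so it can be passed as the `IpPermissions` argument of boto3's `revoke_security_group_ingress` together with the `GroupId`; for the sample group it revokes `0.0.0.0/0` on port 22 while leaving the `10.0.0.0/16` source on the same entry in place. Entries with `IpProtocol` `-1` are deliberately counted as exposing every port, since an all-traffic rule from `0.0.0.0/0` is the worst case the rule is meant to catch.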

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

1. Log in to the **AWS Management Console**.
1. Navigate to the **EC2 dashboard**.
1. On the left side menu, click `Security Groups`.
1. Select the security group you would like to edit.
