
lacework-global-718

Network Security Group ingress rule contains disallowed IP/port (Automated)

Description

Alert when the ingress rule for a network security group contains a disallowed destination IP address and port number.

Remediation

This policy checks for a specific set of ports that are among the most commonly scanned. The disallowed ports are:

  • Transmission Control Protocol (TCP): 11, 17-19, 21, 23-25, 43, 49, 53, 70-74, 79-81, 88, 111, 123, 389, 636, 445, 500, 3306, 3389, 5901, 5985, 5986, 7001, 8000, 8080, 8443, 8888

  • User Datagram Protocol (UDP): 11, 17-19, 49, 69, 80, 82, 83-85, 389, 443, 656, 8080

From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type Advanced Resource Query and press Enter.

  4. Click the Advanced Resource Query button in the upper right corner of the screen.

  5. Enter the following query in the query box:

    query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'

  6. For each of the network security groups in the returned results, click the name and inspect each of the security rules.

  7. Identify security rules with Direction: Ingress, Source: 0.0.0.0/0, and a Destination Port Range that includes any of the disallowed ports.

  8. Either edit the security rule to restrict the source and/or port range, or delete the rule.

From CLI:

  1. Execute the following command:

    # Walk every region and compartment, list each NSG, and print any ingress
    # rule whose source is the whole IPv4 internet (0.0.0.0/0).
    # Assumes the tenancy OCID is set as the default compartment-id in the
    # CLI rc file, since no --compartment-id is passed to `compartment list`.
    for region in $(oci iam region list | jq -r '.data[] | .name')
    do
      echo "Enumerating region $region"
      for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
      do
        echo "Enumerating compartment $compid"
        for nsgid in $(oci network nsg list --compartment-id "$compid" --region "$region" --all 2>/dev/null | jq -r '.data[] | .id')
        do
          # NSG OCIDs are regional, so the rule listing must use the same region.
          output=$(oci network nsg rules list --nsg-id "$nsgid" --region "$region" --all 2>/dev/null | jq -r '.data[] | select(.source == "0.0.0.0/0" and .direction == "INGRESS")')
          if [ -n "$output" ]; then
            echo "nsgid=$nsgid"
            echo "Security Rules=$output"
          fi
        done
      done
    done

  2. For each of the network security group security rules identified, compare the ports against the disallowed ports and either:

    • Remove the security rules (the rule IDs are the id fields in the output above)

      oci network nsg rules remove --nsg-id=<nsg-id> --security-rule-ids='["<security-rule-id>"]'

    OR

    • Update the security rules

      oci network nsg rules update --nsg-id=<nsg-id> --security-rules='[<updated security-rules JSON (without isValid and TimeCreated fields)>]'

      For example:

      oci network nsg rules update \
        --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx \
        --security-rules='[
          {
            "description": null,
            "destination": null,
            "destination-type": null,
            "direction": "INGRESS",
            "icmp-options": null,
            "id": "709001",
            "is-stateless": null,
            "protocol": "6",
            "source": "140.238.154.0/24",
            "source-type": "cidr_block",
            "tcp-options": {
              "destination-port-range": { "max": 29, "min": 29 },
              "source-port-range": null
            },
            "udp-options": null
          }
        ]'
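Comparing a rule's destination port range against the disallowed lists by eye gets error-prone once the range is wider than a single port or the protocol is "all". The script below is an added example written for this page (not Lacework's or Oracle's code) that applies the check from console step 7 and CLI step 2 to NSG rule JSON in the shape returned by `oci network nsg rules list`. The port lists are copied from the policy text; the sample rules are constructed. It assumes that a rule with no destination-port-range opens every port and that protocol "all" covers both TCP (6) and UDP (17).

```python
import json
import sys

# Disallowed ports exactly as the policy lists them (copied from the policy text).
TCP_SPEC = ("11, 17-19, 21, 23-25, 43, 49, 53, 70-74, 79-81, 88, 111, 123, 389, "
            "636, 445, 500, 3306, 3389, 5901, 5985, 5986, 7001, 8000, 8080, 8443, 8888")
UDP_SPEC = "11, 17-19, 49, 69, 80, 82, 83-85, 389, 443, 656, 8080"
ALL_PORTS = range(1, 65536)


def parse_port_spec(spec):
    """Expand a list like '11, 17-19, 21' into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif item:
            ports.add(int(item))
    return ports


# Keyed by the IANA protocol number string OCI uses in the "protocol" field.
DISALLOWED = {"6": parse_port_spec(TCP_SPEC), "17": parse_port_spec(UDP_SPEC)}
OPTIONS_KEY = {"6": "tcp-options", "17": "udp-options"}


def rule_protocols(rule):
    """Protocols a rule covers that have a disallowed list ("all" means both)."""
    proto = rule.get("protocol")
    if proto == "all":
        return list(DISALLOWED)
    return [proto] if proto in DISALLOWED else []


def destination_ports(rule, proto):
    """Destination ports the rule opens for proto; no range means every port (assumption)."""
    opts = rule.get(OPTIONS_KEY[proto]) or {}
    rng = opts.get("destination-port-range")
    if not rng:
        return set(ALL_PORTS)
    return set(range(rng["min"], rng["max"] + 1))


def disallowed_ports_in_rule(rule):
    """Return {protocol: [disallowed ports exposed]} for an ingress rule whose
    source is 0.0.0.0/0, or {} when the rule is not internet-wide ingress."""
    if rule.get("direction") != "INGRESS" or rule.get("source") != "0.0.0.0/0":
        return {}
    hits = {}
    for proto in rule_protocols(rule):
        exposed = destination_ports(rule, proto) & DISALLOWED[proto]
        if exposed:
            hits[proto] = sorted(exposed)
    return hits


def scan_rules(rules):
    """Return [(rule id, hits)] for every rule that exposes a disallowed port."""
    flagged = []
    for rule in rules:
        hits = disallowed_ports_in_rule(rule)
        if hits:
            flagged.append((rule.get("id"), hits))
    return flagged


def load_rules(text):
    """Accept either the CLI envelope {"data": [...]} or a bare JSON list."""
    doc = json.loads(text)
    return doc["data"] if isinstance(doc, dict) else doc


# Constructed sample rules in the dashed-key shape of `oci network nsg rules list`.
SAMPLE_RULES = [
    {"id": "r1", "direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"id": "r2", "direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 3380, "max": 3390}}},
    {"id": "r3", "direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "all"},
    {"id": "r4", "direction": "INGRESS", "source": "10.0.0.0/8", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389}}},
    {"id": "r5", "direction": "EGRESS", "source": None, "destination": "0.0.0.0/0",
     "protocol": "all"},
    {"id": "r6", "direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "17",
     "udp-options": {"destination-port-range": {"min": 80, "max": 85}}},
]

if __name__ == "__main__":
    # Pipe `oci network nsg rules list --nsg-id <nsg-id> --all` into this script,
    # or run it without input to check the constructed samples.
    rules = load_rules(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_RULES
    for rule_id, hits in scan_rules(rules):
        for proto, ports in hits.items():
            print(f"{rule_id}: protocol {proto} exposes disallowed ports {ports}")
```

Note that rule r1 (TCP 22 open to the world) is not flagged, because port 22 is not on the policy's list; the policy targets the listed ports only, not every internet-wide ingress rule. Rule r3 shows why the "all" protocol case matters: with no port options it exposes every disallowed TCP and UDP port at once.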

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__VCN_NSG_INGRESS_RULE_PORTS_CHECK