Ensure No EC2 Instances Allow Telnet Access from the Internet
Overview
This check identifies EC2 instances with security groups that allow inbound Telnet traffic (TCP port 23) from the internet. Telnet is an outdated, insecure protocol that transmits all data, including passwords, in plain text.
Severity: Critical
Risk
Exposing Telnet to the internet is a serious security risk:
- Credentials are sent in plain text - Anyone monitoring network traffic can capture usernames and passwords
- Session hijacking - Attackers can intercept and take over active sessions
- Brute-force attacks - Automated tools can attempt thousands of login combinations
- Full system compromise - Successful access gives attackers shell access to run commands
Modern security standards require using SSH (port 22) instead of Telnet, as SSH encrypts all communications.
Remediation Steps
Prerequisites
You need permission to modify EC2 security groups in your AWS account. Specifically, you need the ec2:RevokeSecurityGroupIngress permission.
AWS Console Method
- Sign in to the AWS Console and go to EC2
- In the left sidebar, click Security Groups (under Network & Security)
- Find the security group attached to your affected EC2 instance
- Click on the security group to open its details
- Select the Inbound rules tab
- Look for any rule with:
  - Port range: 23
  - Source: 0.0.0.0/0 or ::/0 (these mean "open to the internet")
- Select the rule and click Delete inbound rules
- Click Delete to confirm
If your application genuinely requires Telnet, restrict the source to specific trusted IP addresses instead of the internet. However, strongly consider migrating to SSH instead.
AWS CLI (optional)
Find affected security groups
First, identify security groups allowing Telnet from the internet. Note that these filters match only rules whose port range is exactly 23 and whose IPv4 source is 0.0.0.0/0; a rule that covers a wider range (for example 0-65535, or an "all traffic" rule) or that uses the IPv6 source ::/0 is not returned, so check those separately (the ip-permission.ipv6-cidr filter covers the IPv6 case):

```bash
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters "Name=ip-permission.from-port,Values=23" \
            "Name=ip-permission.to-port,Values=23" \
            "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query "SecurityGroups[*].[GroupId,GroupName]" \
  --output table
```
Remove the insecure rule
Replace <SECURITY_GROUP_ID> with your actual security group ID:
For IPv4 (0.0.0.0/0):

```bash
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 23 \
  --cidr 0.0.0.0/0
```

For IPv6 (::/0):

```bash
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --ip-permissions IpProtocol=tcp,FromPort=23,ToPort=23,Ipv6Ranges='[{CidrIpv6=::/0}]'
```
Alternative: Restrict to specific IP
If Telnet access is required (not recommended), restrict it to a specific IP:
```bash
aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id <SECURITY_GROUP_ID> \
  --protocol tcp \
  --port 23 \
  --cidr <YOUR_TRUSTED_IP>/32
```
CloudFormation (optional)
This CloudFormation template creates a security group that explicitly does not allow Telnet access from the internet. Use this as a reference for secure security group configurations.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Security group without Telnet access from internet
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the security group will be created
Resources:
  SecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with no Telnet access from internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # SSH access from trusted CIDR only
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/8
          Description: SSH from internal network only
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic
      Tags:
        - Key: Name
          Value: secure-no-telnet-sg
Outputs:
  SecurityGroupId:
    Description: ID of the created security group
    Value: !Ref SecureSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-SecurityGroupId"
```
Deploy with:
```bash
aws cloudformation create-stack \
  --region us-east-1 \
  --stack-name secure-sg-no-telnet \
  --template-body file://template.yaml \
  --parameters ParameterKey=VpcId,ParameterValue=<YOUR_VPC_ID>
```
Terraform (optional)
This Terraform configuration creates a security group that does not allow Telnet access from the internet.
```hcl
variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr_blocks" {
  description = "List of trusted CIDR blocks for SSH access"
  type        = list(string)
  default     = ["10.0.0.0/8"]
}

resource "aws_security_group" "secure_no_telnet" {
  name        = "secure-no-telnet-sg"
  description = "Security group with no Telnet access from internet"
  vpc_id      = var.vpc_id

  # SSH access from trusted networks only
  ingress {
    description = "SSH from trusted networks"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.trusted_cidr_blocks
  }

  # No Telnet (port 23) ingress rule is defined

  egress {
    description = "Allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "secure-no-telnet-sg"
  }
}

output "security_group_id" {
  description = "ID of the created security group"
  value       = aws_security_group.secure_no_telnet.id
}
```
Apply with:
```bash
terraform init
terraform apply -var="vpc_id=<YOUR_VPC_ID>"
```
Verification
After remediation, verify the fix:
- In the AWS Console, go to EC2 > Security Groups
- Select your security group and check the Inbound rules tab
- Confirm there are no rules allowing port 23 from 0.0.0.0/0 or ::/0
CLI verification
Run this command to check for any remaining Telnet rules open to the internet. Like the discovery filter above, the query matches only rules whose range is exactly port 23; a rule spanning a wider range that still includes 23 must be inspected by hand:

```bash
aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids <SECURITY_GROUP_ID> \
  --query "SecurityGroups[*].IpPermissions[?FromPort==\`23\` && ToPort==\`23\`]" \
  --output json
```

An empty result ([]) confirms the rule has been removed.
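The discovery and verification commands above rely on exact port matches. The following added example (not part of this guide) applies the same check to the JSON shape returned by `aws ec2 describe-security-groups`, and also catches rules whose port range merely spans 23, "all traffic" rules, and the IPv6 source ::/0; the group IDs and addresses in the sample are constructed, and the `scan_region` helper assumes boto3 with credentials that allow ec2:DescribeSecurityGroups.

```python
# Added example (not the guide's own code): evaluates describe-security-groups
# output offline. Unlike the exact-match CLI filter it also flags wider port
# ranges, "all traffic" rules (IpProtocol "-1") and the IPv6 source ::/0.
TELNET_PORT = 23
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_covers_telnet(perm):
    """True if one IpPermissions entry would pass TCP/23."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols and ports; FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= TELNET_PORT <= perm.get("ToPort", 65535)

def internet_sources(perm):
    """Return the 0.0.0.0/0 and ::/0 sources attached to a rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in INTERNET_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET_CIDRS]
    return v4 + v6

def telnet_exposures(security_groups):
    """Return (GroupId, IpProtocol, FromPort, ToPort, source) for each offending rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_telnet(perm):
                for src in internet_sources(perm):
                    findings.append((sg["GroupId"], perm.get("IpProtocol"),
                                     perm.get("FromPort"), perm.get("ToPort"), src))
    return findings

def scan_region(region="us-east-1"):
    """Live scan (assumption: boto3 installed, credentials with ec2:DescribeSecurityGroups)."""
    import boto3
    pages = boto3.client("ec2", region_name=region).get_paginator("describe_security_groups").paginate()
    return telnet_exposures([g for page in pages for g in page["SecurityGroups"]])

# Constructed sample in describe-security-groups shape; IDs and addresses are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},            # the exact finding
    {"GroupId": "sg-0example2", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},                # range + IPv6: CLI filter misses
    {"GroupId": "sg-0example3", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
        "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},      # restricted source: compliant
]

if __name__ == "__main__":
    for f in telnet_exposures(SAMPLE_GROUPS):
        print("EXPOSED %s %s %s-%s from %s" % f)
```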
Additional Resources
Notes
- Consider disabling Telnet entirely: If Telnet is running on your EC2 instances, strongly consider disabling the service and using SSH instead
- Use bastion hosts or VPN: For administrative access, route connections through a bastion host or VPN rather than exposing management ports directly
- Enable VPC Flow Logs: Monitor for unexpected connection attempts to detect potential security issues
- This is a critical finding: Internet-exposed Telnet is frequently exploited in automated attacks; remediate this issue immediately