More Info:

Determines if TCP port 20 or 21 for FTP is open to the public.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the FTP Port Should Not Be Open misconfiguration for GCP using the GCP console, follow these steps:
  1. Open the Google Cloud Console and select the project where the misconfiguration is present.
  2. Go to the Compute Engine section from the left-hand menu.
  3. Select the VM instance where the FTP port is open.
  4. Click on the Edit button at the top of the page.
  5. Scroll down to the Firewall section and click on the “default-allow-ftp” rule.
  6. Click on the “Edit” button next to the rule.
  7. In the “Protocols and ports” section, uncheck the “tcp:21” option.
  8. Click on the “Save” button to apply the changes.
  9. Repeat steps 5-8 for any other FTP rules that are present.
By performing these steps, you have successfully remediated the misconfiguration by closing the FTP port on the GCP VM instance.

To remediate the FTP Port Should Not Be Open misconfiguration for GCP using GCP CLI, you can follow these steps:
  1. Open the Google Cloud Console and navigate to the GCP project where the misconfiguration exists.
  2. Open the Cloud Shell by clicking on the Cloud Shell icon in the top right corner of the console.
  3. In the Cloud Shell, run the following command to list all the firewall rules in the project: 
    gcloud compute firewall-rules list
  4. Identify the firewall rule that allows FTP traffic to the instance. Note down the name of the firewall rule.
  5. Run the following command to delete the firewall rule: 
    gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]
    Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that you identified in step 4.
  6. Confirm the deletion by entering Y when prompted.
  7. Verify that the firewall rule has been deleted by running the following command: 
    gcloud compute firewall-rules list
    The output should not include the firewall rule that you just deleted.
By following these steps, you have successfully remediated the FTP Port Should Not Be Open misconfiguration for GCP using GCP CLI.
To remediate the FTP Port Should Not Be Open misconfiguration in GCP using Python, you can follow these steps:
  1. First, you need to identify the project and the instance that has the open FTP port. You can use the google-cloud-sdk command-line tool to do this. Run the following command:
gcloud compute instances list
This will list all the instances in your project along with their metadata.
  1. Once you have identified the instance, you need to connect to it using SSH. You can use the gcloud compute ssh command to do this. Run the following command:
gcloud compute ssh [INSTANCE_NAME]
Replace [INSTANCE_NAME] with the name of the instance you want to connect to.
  1. Once you are connected to the instance, you need to check if the FTP port is open. You can use the netstat command to do this. Run the following command:
sudo netstat -tuln | grep :21
This will show you if the FTP port (port 21) is open or not.
  1. If the FTP port is open, you need to close it. You can do this by modifying the instance’s firewall rules. You can use the google-cloud-sdk command-line tool to do this. Run the following command:
gcloud compute firewall-rules update [FIREWALL_RULE_NAME] --source-ranges=[IP_RANGE] --direction=INGRESS --action=DENY --rules=tcp:21
Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that allows traffic to port 21. Replace [IP_RANGE] with the IP range that is allowed to access the FTP port.
  1. Finally, you need to verify that the FTP port is closed. You can do this by running the netstat command again:
sudo netstat -tuln | grep :21
This should not show any output, which means that the FTP port is closed.By following these steps, you can remediate the FTP Port Should Not Be Open misconfiguration in GCP using Python.

Additional Reading: