Overview
SSH, RDP, and Telnet are administrative protocols designed to provide interactive remote shell or desktop access to systems. When these services are bound to internet-facing network interfaces without adequate access controls, they become directly reachable by any host on the internet. Automated scanners, botnets, and targeted attackers routinely probe all routable IP space for these well-known ports. Telnet is additionally dangerous because it transmits all data — including credentials — in cleartext, offering no transport-layer confidentiality.
Sensagraph automatically detects remote access services exposed on publicly reachable IP addresses and ports.
How it works
Attackers exploit publicly accessible remote access services through several distinct techniques:
- Credential brute-forcing and password spraying: Automated tools (Hydra, Medusa, custom botnets) systematically attempt common username/password pairs against SSH and RDP endpoints. Default or weak credentials are frequently successful.
- Credential stuffing: Credentials obtained from data breaches at other services are replayed against exposed remote access ports, exploiting password reuse.
- Protocol-level vulnerability exploitation: Critical vulnerabilities in implementations — such as BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181/1182) for RDP, or OpenSSH memory corruption flaws — allow pre-authentication remote code execution without requiring valid credentials.
- Man-in-the-middle attacks on Telnet: Because Telnet provides no encryption or server authentication, any network-level attacker can intercept sessions and harvest credentials in plaintext.
- Reconnaissance and fingerprinting: Exposed services leak version banners (e.g.,
SSH-2.0-OpenSSH_7.4) that allow attackers to identify outdated or vulnerable daemon versions and target known CVEs precisely. - Lateral movement staging: Once initial access is obtained via a compromised internet-facing remote access service, attackers use the same protocols to move laterally to internal hosts that trust the compromised system.
Business impact
Successful exploitation of publicly exposed remote access services can result in full, persistent, interactive access to the compromised host at the operating-system level. Consequences include:
- Complete system compromise: Attackers with shell or desktop access can install malware, exfiltrate all data stored on or reachable from the host, and establish persistent backdoors.
- Ransomware deployment: RDP is the primary initial access vector cited in a majority of enterprise ransomware incidents. Attackers with RDP access can disable backups, encrypt data, and move laterally across the network.
- Data exfiltration and regulatory consequences: Unauthorised access to systems hosting personal data triggers breach notification obligations under GDPR, HIPAA, PCI DSS, and similar frameworks.
- Botnet enlistment: Compromised systems are frequently added to botnets for DDoS amplification, cryptomining, or spam campaigns, generating reputational and legal liability.
- Supply chain risk: For service providers or managed service providers, a compromised management endpoint can cascade to customer environments.
How to fix it
- Restrict access at the network layer: Block TCP 22, 3389, and 23 inbound from the public internet at the firewall or security group level. These services should never be directly internet-reachable unless there is an explicit, documented business requirement.
- Require VPN or Zero Trust Network Access (ZTNA) as a prerequisite: Remote administrative access should only be possible after authenticated, encrypted tunnelling via a VPN gateway or a ZTNA solution. The management service itself remains non-routable from the internet.
- Disable Telnet entirely: Telnet provides no confidentiality or integrity. Replace all Telnet usage with SSH. On network devices, disable the Telnet listener and enforce SSHv2.
- Enforce SSH hardening: Disable password authentication; require public-key authentication only. Disable root login (
PermitRootLogin no). Restrict allowed users/groups. Use SSH protocol version 2 exclusively. Consider non-default port for obscurity (defence-in-depth only, not a primary control). - Enable Network Level Authentication (NLA) for RDP: NLA requires authentication before the RDP session is established, preventing pre-authentication exploitation of the RDP stack. Enforce NLA via Group Policy.
- Implement multi-factor authentication (MFA): Require MFA for all remote access sessions. This mitigates credential-based attacks even when credentials are compromised.
- Deploy IP allowlisting: Where VPN is not feasible, restrict access to known administrative IP ranges using firewall rules or host-based access controls (e.g.,
/etc/hosts.allow, Windows Firewall rules). - Keep services patched: Apply security patches for OpenSSH, Windows Remote Desktop Services, and all associated OS components promptly. Subscribe to vendor security advisories.
- Enable logging and alerting: Log all authentication attempts (successes and failures) to a centralised SIEM. Alert on anomalous login patterns, failed login thresholds, and logins from unexpected geographies.
- Deploy a privileged access workstation (PAW) model: Administrative access to servers should originate only from dedicated, hardened management hosts, not general-purpose workstations.
References
- OWASP Top 10 A05:2021 – Security Misconfiguration
- CWE-284: Improper Access Control – MITRE
- CWE-16: Configuration – MITRE
- CVE-2019-0708 BlueKeep – NVD
- CISA Advisory AA21-131A: DarkSide Ransomware – RDP as Initial Access Vector
- CIS Benchmarks – SSH Hardening Guidance
- Microsoft Docs: Secure RDP with Network Level Authentication
- RFC 4251 – The Secure Shell (SSH) Protocol Architecture (IETF)
- RFC 854 – Telnet Protocol Specification (IETF)