SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration
SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration

All Entries

CategoryExposed Service / Network Misconfiguration
Typical SeverityHigh
OWASPA05:2021 – Security Misconfiguration
CWECWE-284 (Improper Access Control), CWE-16 (Configuration)
Affected PortsTCP 22 (SSH), TCP 3389 (RDP), TCP 23 (Telnet)
Also known asInternet-facing remote access, publicly exposed management interfaces
Affected systemsLinux/Unix servers, Windows servers, network devices, embedded systems with management interfaces reachable from the public internet

Overview

SSH, RDP, and Telnet are administrative protocols designed to provide interactive remote shell or desktop access to systems. When these services are bound to internet-facing network interfaces without adequate access controls, they become directly reachable by any host on the internet. Automated scanners, botnets, and targeted attackers routinely probe all routable IP space for these well-known ports. Telnet is additionally dangerous because it transmits all data — including credentials — in cleartext, offering no transport-layer confidentiality.

Sensagraph automatically detects remote access services exposed on publicly reachable IP addresses and ports.

How it works

Attackers exploit publicly accessible remote access services through several distinct techniques:

  • Credential brute-forcing and password spraying: Automated tools (Hydra, Medusa, custom botnets) systematically attempt common username/password pairs against SSH and RDP endpoints. Default or weak credentials are frequently successful.
  • Credential stuffing: Credentials obtained from data breaches at other services are replayed against exposed remote access ports, exploiting password reuse.
  • Protocol-level vulnerability exploitation: Critical vulnerabilities in implementations — such as BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181/1182) for RDP, or OpenSSH memory corruption flaws — allow pre-authentication remote code execution without requiring valid credentials.
  • Man-in-the-middle attacks on Telnet: Because Telnet provides no encryption or server authentication, any network-level attacker can intercept sessions and harvest credentials in plaintext.
  • Reconnaissance and fingerprinting: Exposed services leak version banners (e.g., SSH-2.0-OpenSSH_7.4) that allow attackers to identify outdated or vulnerable daemon versions and target known CVEs precisely.
  • Lateral movement staging: Once initial access is obtained via a compromised internet-facing remote access service, attackers use the same protocols to move laterally to internal hosts that trust the compromised system.

Business impact

Successful exploitation of publicly exposed remote access services can result in full, persistent, interactive access to the compromised host at the operating-system level. Consequences include:

  • Complete system compromise: Attackers with shell or desktop access can install malware, exfiltrate all data stored on or reachable from the host, and establish persistent backdoors.
  • Ransomware deployment: RDP is the primary initial access vector cited in a majority of enterprise ransomware incidents. Attackers with RDP access can disable backups, encrypt data, and move laterally across the network.
  • Data exfiltration and regulatory consequences: Unauthorised access to systems hosting personal data triggers breach notification obligations under GDPR, HIPAA, PCI DSS, and similar frameworks.
  • Botnet enlistment: Compromised systems are frequently added to botnets for DDoS amplification, cryptomining, or spam campaigns, generating reputational and legal liability.
  • Supply chain risk: For service providers or managed service providers, a compromised management endpoint can cascade to customer environments.

How to fix it

  1. Restrict access at the network layer: Block TCP 22, 3389, and 23 inbound from the public internet at the firewall or security group level. These services should never be directly internet-reachable unless there is an explicit, documented business requirement.
  2. Require VPN or Zero Trust Network Access (ZTNA) as a prerequisite: Remote administrative access should only be possible after authenticated, encrypted tunnelling via a VPN gateway or a ZTNA solution. The management service itself remains non-routable from the internet.
  3. Disable Telnet entirely: Telnet provides no confidentiality or integrity. Replace all Telnet usage with SSH. On network devices, disable the Telnet listener and enforce SSHv2.
  4. Enforce SSH hardening: Disable password authentication; require public-key authentication only. Disable root login (PermitRootLogin no). Restrict allowed users/groups. Use SSH protocol version 2 exclusively. Consider non-default port for obscurity (defence-in-depth only, not a primary control).
  5. Enable Network Level Authentication (NLA) for RDP: NLA requires authentication before the RDP session is established, preventing pre-authentication exploitation of the RDP stack. Enforce NLA via Group Policy.
  6. Implement multi-factor authentication (MFA): Require MFA for all remote access sessions. This mitigates credential-based attacks even when credentials are compromised.
  7. Deploy IP allowlisting: Where VPN is not feasible, restrict access to known administrative IP ranges using firewall rules or host-based access controls (e.g., /etc/hosts.allow, Windows Firewall rules).
  8. Keep services patched: Apply security patches for OpenSSH, Windows Remote Desktop Services, and all associated OS components promptly. Subscribe to vendor security advisories.
  9. Enable logging and alerting: Log all authentication attempts (successes and failures) to a centralised SIEM. Alert on anomalous login patterns, failed login thresholds, and logins from unexpected geographies.
  10. Deploy a privileged access workstation (PAW) model: Administrative access to servers should originate only from dedicated, hardened management hosts, not general-purpose workstations.

References

Frequently asked questions

Disabling password authentication and enforcing public-key authentication significantly reduces the credential brute-force risk, but the service is still exposed to protocol-level vulnerability exploitation. Any unpatched CVE in the SSH daemon (e.g., a pre-authentication memory corruption flaw) could allow remote code execution. Best practice is to place SSH behind a VPN or ZTNA gateway and allow only known IP ranges, in addition to using key-based authentication.

Telnet carries the highest baseline risk because it transmits all data, including passwords, in cleartext, making passive interception trivial. RDP has historically been the most actively weaponised in ransomware attacks and has a significant track record of critical pre-authentication vulnerabilities (BlueKeep, DejaBlue). SSH, when properly configured with key authentication and kept up to date, is the safest of the three, but still should not be unnecessarily exposed.

Changing the default port provides minimal security benefit — it reduces noise from unsophisticated scanners but not from any serious attacker, who will perform full port scans. It is considered a defence-in-depth measure at best and should never be substituted for proper access controls such as firewalling and VPN-gated access.

Attackers use internet-wide scanning services (such as Shodan, Censys, and FOFA) and their own scanning infrastructure to continuously enumerate all routable IPv4 and IPv6 addresses for open ports. Services such as Shodan index exposed SSH, RDP, and Telnet endpoints in near real-time, making them trivially discoverable by anyone.

RDP is consistently identified by incident response firms and government agencies (CISA, NCSC) as the most common initial access vector in ransomware incidents. Attackers either brute-force weak RDP credentials or purchase previously compromised RDP credentials on dark-web markets, log in interactively, disable endpoint protection and backup mechanisms, and deploy ransomware. Eliminating internet-facing RDP exposure is one of the highest-impact single controls an organisation can implement.