Ensure SSH Internet access is restricted

ID

ssh_access_restricted

Severity

critical

Vendor

Azure

Resource

Networking

Tags

reachable

Description

Secure Shell Internet access is not restricted.

Running a well-configured SSH server is not easy. SSH adds a security risk, as keys need to be properly managed.

By exposing TCP port 22 (the port typically used by an SSH server), you may allow a bad actor to brute-force their way into the Azure Virtual Machine and potentially gain access to the entire network.

If you do need an SSH server in your container for whatever reason, restrict SSH solely to known static IP addresses. Limit the access list to include known hosts, services, or specific users only.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "name": "bad", (1)
    "type": "Microsoft.Network/networkSecurityGroups",
    "location": "[resourceGroup().location]",
    "apiVersion": "2021-04-01",
    "properties": {
      "securityRules": [{
        "name": "bad",
        "properties": { (2)
          "priority": 1000,
          "access": "Allow",
          "direction": "Inbound",
          "destinationPortRange": "22",
          "protocol": "Tcp",
          "sourceAddressPrefix": "*",
          "sourcePortRange": "0-65535",
          "destinationAddressPrefix": "*"
        }
      }]
    }
  }]
}
1 is a resource not restricting SSH internet access.
2 properties allowing inbound Tcp connections on port 22.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "name": "bad", (1)
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "location": "[resourceGroup().location]",
    "apiVersion": "2021-04-01",
    "properties": { (2)
      "protocol": "tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "22",
      "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*",
      "access": "Allow",
      "priority": 100,
      "direction": "Inbound"
    }
  }]
}
1 is a resource not restricting SSH internet access.
2 properties allowing inbound Tcp connections on port 22.

Terraform

resource "azurerm_network_security_rule" "ssh" {
  name                        = "ssh-open-to-internet"
  access                      = "Allow"
  direction                   = "Inbound"
  # Reference the NSG and resource group resources rather than literal strings
  network_security_group_name = azurerm_network_security_group.group.name
  priority                    = 100
  protocol                    = "Tcp"
  resource_group_name         = azurerm_resource_group.resource_group.name

  destination_port_range  = "22" (1)
  source_address_prefix   = "Internet" (2)
}
1 SSH port (22)
2 opened to the Internet

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "name": "good", (1)
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "location": "[resourceGroup().location]",
    "apiVersion": "2021-04-01",
    "properties": {
      "protocol": "tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "443",
      "sourceAddressPrefix": "[parameters('ipRange')]",
      "destinationAddressPrefix": "[parameters('addressPrefix')]",
      "access": "Allow",
      "priority": 100,
      "direction": "Inbound"
    }
  }]
}
1 Restrict SSH solely to known static IP addresses. Limit the access list to include known hosts, services, or specific users only.

Terraform

resource "azurerm_network_security_rule" "ssh" {
  name                        = "ssh-restricted"
  access                      = "Allow"
  direction                   = "Inbound"
  # Reference the NSG and resource group resources rather than literal strings
  network_security_group_name = azurerm_network_security_group.group.name
  priority                    = 100
  protocol                    = "Tcp"
  resource_group_name         = azurerm_resource_group.resource_group.name

  destination_port_range  = "22"
  source_address_prefix   = "10.0.0.0/16" (1)
}
1 Fixed, limited to internal network segment

Runtime

Azure Portal

To check the configuration using the Azure Portal, verify for each VM that INBOUND PORT RULES does not include a rule for SSH.

CLI Command

To list Network Security Groups together with their non-default security rules, use the following command (the JMESPath query is quoted so the shell does not expand `[*]` as a glob):

$ az network nsg list --query '[*].[name,securityRules]'

Ensure that the Network Security Groups do not have any of the following security rules:

  • "access" : "Allow"

  • "destinationPortRange" : "22" or "*" or "[port range containing 22]"

  • "direction" : "Inbound"

  • "protocol" : "TCP"

  • "sourceAddressPrefix" : "*" or "0.0.0.0" or "<nw>/0" or "/0" or "internet" or "any"
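The check above, as an added example that is not part of this page or of the scanner's own rule logic: a Python script that applies the same criteria to the JSON returned by `az network nsg list` and reports every rule exposing SSH to the Internet. The NSG list embedded below is constructed for the example. It goes slightly beyond the bullet list in two ways: it also reads the plural `destinationPortRanges` / `sourceAddressPrefixes` forms that the CLI emits for multi-value rules, and it treats protocol `*` as covering TCP, since such a rule admits TCP/22 as well.

```python
import json

# Constructed sample shaped like `az network nsg list --query '[*].[name,securityRules]'`
# output (objects rather than pairs, for readability). Not data from any real tenant.
SAMPLE_NSG_LIST = json.loads("""
[
  {
    "name": "nsg-bad",
    "securityRules": [
      {"name": "ssh-open", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
       "destinationPortRange": "22", "sourceAddressPrefix": "*"},
      {"name": "https", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
       "destinationPortRange": "443", "sourceAddressPrefix": "Internet"}
    ]
  },
  {
    "name": "nsg-ranges",
    "securityRules": [
      {"name": "mgmt-range", "access": "Allow", "direction": "Inbound", "protocol": "*",
       "destinationPortRange": null, "destinationPortRanges": ["20-25", "3389"],
       "sourceAddressPrefix": null, "sourceAddressPrefixes": ["10.0.0.0/16", "0.0.0.0/0"]},
      {"name": "ssh-denied", "access": "Deny", "direction": "Inbound", "protocol": "Tcp",
       "destinationPortRange": "22", "sourceAddressPrefix": "*"}
    ]
  },
  {
    "name": "nsg-good",
    "securityRules": [
      {"name": "ssh-restricted", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
       "destinationPortRange": "22", "sourceAddressPrefix": "10.0.0.0/16"}
    ]
  }
]
""")

# Source prefixes that mean "anywhere on the Internet" (lower-cased for comparison).
ANY_SOURCE = {"*", "0.0.0.0", "0.0.0.0/0", "/0", "internet", "any"}


def port_range_contains(port_range, port=22):
    """True if an NSG port range string ("*", "22", "20-30") covers `port`."""
    port_range = port_range.strip()
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def values(rule, singular, plural):
    """Collect the singular and plural forms of an NSG rule property into one list."""
    out = []
    if rule.get(singular):
        out.append(rule[singular])
    out.extend(rule.get(plural) or [])
    return out


def is_source_unrestricted(prefix):
    """True if a source prefix admits the whole Internet."""
    p = prefix.strip().lower()
    if p in ANY_SOURCE:
        return True
    # Any CIDR with a /0 mask matches every address, whatever the network part says.
    return p.endswith("/0")


def is_open_ssh_rule(rule):
    """Apply the criteria: Allow, Inbound, TCP (or any protocol), dest covers 22, source is any."""
    if (rule.get("access") or "").lower() != "allow":
        return False
    if (rule.get("direction") or "").lower() != "inbound":
        return False
    if (rule.get("protocol") or "").lower() not in ("tcp", "*"):
        return False
    dest_ranges = values(rule, "destinationPortRange", "destinationPortRanges")
    if not any(port_range_contains(r) for r in dest_ranges):
        return False
    sources = values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(is_source_unrestricted(s) for s in sources)


def find_open_ssh_rules(nsg_list):
    """Return (NSG name, rule name) pairs for every rule exposing SSH to the Internet."""
    findings = []
    for nsg in nsg_list:
        for rule in nsg.get("securityRules") or []:
            if is_open_ssh_rule(rule):
                findings.append((nsg["name"], rule["name"]))
    return findings


if __name__ == "__main__":
    for nsg_name, rule_name in find_open_ssh_rules(SAMPLE_NSG_LIST):
        print(f"FAIL {nsg_name}: rule {rule_name!r} allows inbound TCP/22 from the Internet")
```

On the constructed sample the script flags `ssh-open` in `nsg-bad` and the wildcard-protocol `mgmt-range` rule in `nsg-ranges` (its `20-25` range covers port 22 and one of its sources is `0.0.0.0/0`), while the `Deny` rule and the rule limited to `10.0.0.0/16` pass. To run it against a real subscription, replace `SAMPLE_NSG_LIST` with `json.load()` of the `az network nsg list` output.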