SSH Internet access is not restricted

Description

A potential security problem using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network. The attackers could also access and attack networked devices outside of Azure.

We recommend that you disable SSH access from the internet in your Network Security Groups.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. For each VM, open the Networking blade.
  3. Verify that the INBOUND PORT RULES list does not contain a rule for SSH. For example:
       • Port = 22
       • Protocol = TCP
       • Source = Any OR Internet

CLI Command

To list Network Security Groups with corresponding non-default Security rules, use the following command:
az network nsg list --query "[*].[name,securityRules]"

Ensure that the NSGs do not have any of the following security rules:

  • "access" : "Allow"
  • "destinationPortRange" : "22" or "*" or "[port range containing 22]"
  • "direction" : "Inbound"
  • "protocol" : "TCP"
  • "sourceAddressPrefix" : "*" or "0.0.0.0" or "<nw>/0" or "/0" or "internet" or "any"
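
The rule criteria above can be checked automatically against the JSON that az network nsg list returns. The following Python script is an added example, not part of the original page; the NSG and rule names in the sample are constructed. It goes slightly beyond the list above by also reading the plural destinationPortRanges and sourceAddressPrefixes fields and by treating protocol "*" as covering TCP.

```python
OPEN_SOURCES = {"*", "0.0.0.0", "internet", "any"}  # source values listed above

def as_list(single, many):  # az emits a singular and a plural form of these fields
    return ([single] if single else []) + list(many or [])

def covers_port(spec, port=22):
    """True if a port spec such as '22', '*' or '20-30' includes `port`."""
    if spec.strip() == "*":
        return True
    low, _, high = spec.partition("-")
    try:
        return int(low) <= port <= int(high or low)
    except ValueError:
        return False

def is_open_source(prefix):
    """True for '*', 'Internet', 'any', '0.0.0.0' or any prefix ending in '/0'."""
    p = prefix.strip().lower()
    return p in OPEN_SOURCES or p.endswith("/0")

def exposed_ssh_rules(nsgs):
    """Return (NSG name, rule name) for each inbound Allow rule exposing TCP/22."""
    findings = []
    for nsg in nsgs:
        for r in nsg.get("securityRules") or []:
            ports = as_list(r.get("destinationPortRange"), r.get("destinationPortRanges"))
            sources = as_list(r.get("sourceAddressPrefix"), r.get("sourceAddressPrefixes"))
            if (str(r.get("access")).lower() == "allow"
                    and str(r.get("direction")).lower() == "inbound"
                    and str(r.get("protocol")).lower() in ("tcp", "*")
                    and any(covers_port(p) for p in ports)
                    and any(is_open_source(s) for s in sources)):
                findings.append((nsg.get("name"), r.get("name")))
    return findings

# Constructed sample in the shape of `az network nsg list` output (names are made up).
BASE = {"access": "Allow", "direction": "Inbound", "protocol": "Tcp"}
SAMPLE = [
    {"name": "web-nsg", "securityRules": [
        {**BASE, "name": "ssh-any", "destinationPortRange": "22", "sourceAddressPrefix": "*"},
        {**BASE, "name": "range-internet", "protocol": "*", "destinationPortRange": None,
         "destinationPortRanges": ["20-25", "443"], "sourceAddressPrefix": "Internet"},
        {**BASE, "name": "ssh-office", "destinationPortRange": "22",
         "sourceAddressPrefix": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    for nsg_name, rule_name in exposed_ssh_rules(SAMPLE):
        print(f"{nsg_name}: rule '{rule_name}' allows SSH from the internet")
```

To run it against a real subscription, load the JSON printed by az network nsg list with json.load and pass the resulting list to exposed_ssh_rules in place of SAMPLE.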

Fix - Buildtime

Terraform

  • Resource: azurerm_network_security_rule
  • Arguments: access + protocol + destination_port_range + source_address_prefix
resource "azurerm_network_security_rule" "example" {
-    access                      = "Allow"
-    protocol                    = "TCP"
-    destination_port_range      = ["22" / <port range including 22>]]
-    source_address_prefix       = "*" / "0.0.0.0" / "<nw>/0" / "/0" / "internet" / "any"
}