Azure Network Security Group (NSG) Allows SSH Traffic From Internet On Port 22

Blocking inbound SSH on port 22 from the Internet protects hosts from attacks such as brute-force login attempts and account compromise.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

Azure Network Security Group (NSG) allows SSH traffic from internet on port 22.
JSON Query:
($.resource[*].azurerm_network_security_rule exists and ($.resource[*].azurerm_network_security_rule.*[*].*.access contains Allow and $.resource[*].azurerm_network_security_rule.*[*].*.destination_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.source_address_prefix contains * and $.resource[*].azurerm_network_security_rule.*[*].*.destination_port_range contains 22 and $.resource[*].azurerm_network_security_rule.*[*].*.direction contains Inbound))
Recommendation:
Recommended solution for not allowing SSH traffic on port 22 from the Internet in an NSG.
It is recommended that an Azure Network Security Group (NSG) should not allow SSH traffic from the Internet on port 22. Make sure that any rule in your template with "direction" set to "Inbound" and "destination_port_range" covering port 22 has "access" set to "Deny".
For example:
"azurerm_network_security_rule": [
  {
    "<network_security_rule_name>": [
      {
        "access": "Deny",
        "destination_address_prefix": "*",
        "destination_port_range": "22",
        "direction": "Inbound",
        "name": "test123"
      }
    ]
  }
]
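The JSON query above is easier to reason about when written out as a checker. The following Python is an added example and not part of this policy page or the scanning tool; it walks a Terraform template in the JSON shape the query expects (a "resource" list holding azurerm_network_security_rule objects keyed by rule name, each mapping to a list of rule bodies) and applies the same conditions: direction Inbound, access Allow, an Internet-wide source, and a destination port range covering 22. It generalizes the page's query in three ways, each stated here as a deliberate choice: it treats "0.0.0.0/0", "::/0" and the "Internet" service tag as Internet sources alongside "*", it understands port ranges such as "20-30" and the plural source_address_prefixes / destination_port_ranges lists, and it does not require destination_address_prefix to be "*" (a rule that allows SSH from anywhere to a single host is still exposed). The sample template is constructed for the example; the rule names and the remediate() helper that flips offending rules to Deny are hypothetical.

```python
import json

# Source prefixes that Azure treats as "any address on the Internet" (assumption: this
# set is broader than the page's query, which only matches the literal "*").
INTERNET_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}


def _as_list(value):
    """Normalize a scalar-or-list NSG attribute to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _port_range_covers(port_range, port):
    """True if an NSG port range string ("22", "*", "20-30") covers `port`."""
    text = str(port_range).strip()
    if text == "*":
        return True
    if "-" in text:
        low, high = text.split("-", 1)
        return int(low) <= port <= int(high)
    return int(text) == port


def rule_exposes_port(rule, port=22):
    """Apply the policy's conditions to one azurerm_network_security_rule body."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    sources = _as_list(rule.get("source_address_prefix")) + _as_list(rule.get("source_address_prefixes"))
    if not any(src in INTERNET_SOURCES for src in sources):
        return False
    ranges = _as_list(rule.get("destination_port_range")) + _as_list(rule.get("destination_port_ranges"))
    return any(_port_range_covers(r, port) for r in ranges)


def find_exposed_rules(template, port=22):
    """Return the resource names of rules that allow `port` inbound from the Internet."""
    findings = []
    for resources in _as_list(template.get("resource")):
        for name, bodies in resources.get("azurerm_network_security_rule", {}).items():
            if any(rule_exposes_port(body, port) for body in _as_list(bodies)):
                findings.append(name)
    return findings


def remediate(template, port=22):
    """Hypothetical fix-up: return a copy with every offending rule's access set to Deny."""
    fixed = json.loads(json.dumps(template))  # deep copy so the input is untouched
    for resources in _as_list(fixed.get("resource")):
        for bodies in resources.get("azurerm_network_security_rule", {}).values():
            for body in _as_list(bodies):
                if rule_exposes_port(body, port):
                    body["access"] = "Deny"
    return fixed


# Constructed sample template: two exposed rules, one already denied, one scoped to a bastion subnet.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "azurerm_network_security_rule": {
        "ssh_open": [
          {"name": "ssh-from-anywhere", "access": "Allow", "direction": "Inbound",
           "source_address_prefix": "*", "destination_address_prefix": "*",
           "destination_port_range": "22", "protocol": "Tcp", "priority": 100}
        ],
        "ssh_range": [
          {"name": "mgmt-range", "access": "Allow", "direction": "Inbound",
           "source_address_prefixes": ["0.0.0.0/0"], "destination_address_prefix": "10.0.1.4",
           "destination_port_ranges": ["20-30", "443"], "protocol": "Tcp", "priority": 110}
        ],
        "ssh_denied": [
          {"name": "test123", "access": "Deny", "direction": "Inbound",
           "source_address_prefix": "*", "destination_address_prefix": "*",
           "destination_port_range": "22", "protocol": "Tcp", "priority": 120}
        ],
        "ssh_bastion": [
          {"name": "ssh-from-bastion", "access": "Allow", "direction": "Inbound",
           "source_address_prefix": "10.0.0.0/24", "destination_address_prefix": "*",
           "destination_port_range": "22", "protocol": "Tcp", "priority": 130}
        ]
      }
    }
  ]
}
""")

if __name__ == "__main__":
    print("exposed:", find_exposed_rules(SAMPLE_TEMPLATE))
    print("after remediation:", find_exposed_rules(remediate(SAMPLE_TEMPLATE)))
```

The "ssh_range" rule is the case the literal query would miss: port 22 is hidden inside "20-30" and the source is given as "0.0.0.0/0" rather than "*". Catching it is why a checker should expand ranges and source synonyms instead of string-matching on "22" and "*".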

Run Rule Recommendation

  1. Login to Azure Portal.
  2. Click on All services.
  3. Under NETWORKING, Click on Network security groups.
  4. Click on reported Network security group.
  5. Under SETTINGS, Click on Inbound security rules.
  6. Click on reported row (22 PORT).
  7. Set Action to Deny.
  8. Click on OK.
Remediation CLI Command:
az network nsg rule update --name ${ruleName} --resource-group ${resourceGroup} --nsg-name ${resourceName} --access Deny
CLI Command Description:
This CLI command requires the 'Microsoft.Network/networkSecurityGroups/securityRules/*' permission. Successful execution sets the reported inbound rule's action to Deny, so the network security group no longer allows SSH traffic from the Internet on port 22.

Compliance

There are 12 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PCI DSS v3.2
  • NIST CSF
  • GDPR
  • HIPAA
  • CSA CCM v3.0.1
  • CIS v1.1 (Azure)
  • SOC 2
  • PIPEDA
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-53 Rev4
