Azure Network Security Group allows all traffic on SSH port 22
Description
Exposing SSH to the internet invites brute-force and credential-stuffing attempts against Azure Virtual Machines. Once an attacker gains a shell, the virtual machine becomes a launch point for compromising other hosts on the Azure Virtual Network, and it can also be used to reach and attack networked devices outside of Azure. We recommend that no Network Security Group rule allow inbound TCP port 22 from the internet: restrict the source_address_prefix to known management address ranges, or remove public SSH access altogether and reach VMs through a dedicated management path.
Code Example
```hcl
# Pattern the rule flags: an Allow rule for TCP whose destination port range
# includes 22 and whose source is the whole internet.
resource "azurerm_network_security_rule" "example" {
  access                 = "Allow"
  protocol               = "Tcp"
  destination_port_range = "22"   # or any range that includes 22, e.g. "20-30" or "*"
  source_address_prefix  = "*"    # or "0.0.0.0", "0.0.0.0/0", "<nw>/0", "/0", "Internet", "Any"
}
```
Remediation
Terraform
- Resource: azurerm_network_security_rule
- Arguments: access + protocol + destination_port_range + source_address_prefix
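The check below is an added example, not the scanner's or Checkov's own code: it evaluates the four arguments listed above over resource attributes mirroring azurerm_network_security_rule, treating protocol "*" as covering TCP and a "<nw>/0" source as internet-wide. It also skips rules whose direction is not Inbound (an assumption beyond the listed arguments, since outbound rules do not expose port 22). The sample rules, including the hardened one using the 203.0.113.0/24 documentation range as a stand-in for a real management network, are constructed for illustration.

```python
"""Flag Network Security Group rules that allow SSH (TCP/22) from the internet."""
from __future__ import annotations

# Source prefixes that mean "anywhere on the internet" (compared case-insensitively).
INTERNET_PREFIXES = {"*", "0.0.0.0", "0.0.0.0/0", "/0", "internet", "any"}


def _source_is_internet(prefix: str) -> bool:
    p = str(prefix).strip().lower()
    if p in INTERNET_PREFIXES:
        return True
    # "<nw>/0": any address with a zero-length mask covers the whole internet.
    return "/" in p and p.rsplit("/", 1)[1] == "0"


def _range_covers_port(port_range: str, port: int) -> bool:
    r = str(port_range).strip()
    if r == "*":
        return True
    if "-" in r:
        lo, hi = (int(x) for x in r.split("-", 1))
        return lo <= port <= hi
    return int(r) == port


def _values(rule: dict, singular: str, plural: str) -> list:
    # azurerm accepts either a single attribute or its list-valued *_ranges/*_prefixes form.
    values = [rule[singular]] if rule.get(singular) is not None else []
    values.extend(rule.get(plural) or [])
    return values


def allows_ssh_from_internet(rule: dict) -> bool:
    if str(rule.get("access", "")).lower() != "allow":
        return False
    if str(rule.get("direction", "Inbound")).lower() != "inbound":
        return False
    if str(rule.get("protocol", "")).lower() not in ("tcp", "*"):
        return False
    ports = _values(rule, "destination_port_range", "destination_port_ranges")
    if not any(_range_covers_port(p, 22) for p in ports):
        return False
    sources = _values(rule, "source_address_prefix", "source_address_prefixes")
    return any(_source_is_internet(s) for s in sources)


def scan(rules: dict[str, dict]) -> list[str]:
    """Return the names of rules that violate the check, in input order."""
    return [name for name, rule in rules.items() if allows_ssh_from_internet(rule)]


# Constructed sample rules (attribute names follow azurerm_network_security_rule).
VULNERABLE_RULE = {
    "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
    "destination_port_range": "22", "source_address_prefix": "*",
}
HARDENED_RULE = {  # same rule, source restricted to a management network (placeholder CIDR)
    "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
    "destination_port_range": "22", "source_address_prefix": "203.0.113.0/24",
}
SAMPLE_RULES = {
    "ssh_open_to_world": VULNERABLE_RULE,
    "ssh_from_mgmt_net": HARDENED_RULE,
    "wide_range_any_proto": {  # "*" protocol and a range containing 22 still count
        "access": "Allow", "direction": "Inbound", "protocol": "*",
        "destination_port_ranges": ["80", "20-30"], "source_address_prefixes": ["Internet"],
    },
    "deny_ssh": {"access": "Deny", "protocol": "Tcp",
                 "destination_port_range": "22", "source_address_prefix": "0.0.0.0/0"},
    "outbound_ssh": {"access": "Allow", "direction": "Outbound", "protocol": "Tcp",
                     "destination_port_range": "22", "source_address_prefix": "*"},
}

if __name__ == "__main__":
    for name in scan(SAMPLE_RULES):
        print(f"{name}: allows SSH from the internet")
```

Only the first and third sample rules are reported; the deny rule, the outbound rule, and the rule limited to a management prefix pass. Note that a rule with destination_port_range "*" or "1-65535" is flagged as well, since those ranges include 22.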
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0521 |
| Severity | INFO |
| IaC Type | arm |
| Frameworks | ARM |
| Checkov ID | CKV_AZURE_10 |