Logo of Trend Micro

Check for Unrestricted SSH Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Very High (act immediately)

Check your Elastic Compute Service (ECS) security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 and limit the access to trusted IP addresses or IP ranges only in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface. TCP port 22 is used for secure remote login by connecting an SSH client application with an SSH server.

Security

Exposing TCP port 22 (Secure Shell - SSH) to the Internet can increase opportunities for malicious activities such as hacking, Man-In-The-Middle (MITM) attacks and brute-force attacks, therefore it is strongly recommended to configure your Elastic Compute Service (ECS) security groups to limit inbound traffic on TCP port 22 to known and trusted IP addresses only.

Audit

To determine if your Alibaba Cloud ECS security groups allow unrestricted access on TCP port 22 (SSH), perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the cloud region where your ECS security groups reside from the top navigation bar.

05 Click on the ID (link) of the security group that you want to examine, listed in the Security Group ID/Name column.

06 Select the Security Group Details tab and choose the Inbound tab to access the ingress rules defined for the selected security group.

07 Check the rules list for any inbound rules with the Protocol Type attribute set to Custom TCP, Port Range set to Destination: 22/22 or Destination: 1/65535, and the Authorization Object set to Source 0.0.0.0/0. If one or more rules match the search criteria, there are inbound rules that allow unrestricted access on TCP port 22, therefore the SSH access to the associated ECS instances is not secured.

08 Repeat steps no. 5 - 7 for each ECS security group available in the selected cloud region.

09 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeSecurityGroups command (OSX/Linux/UNIX) to describe the information available for each ECS security group provisioned in the specified cloud region: 

aliyun ecs DescribeSecurityGroups --RegionId 'eu-west-1'

02 The command output should return the requested details (including the security group ID): 

{
	"SecurityGroups": {
		"SecurityGroup": [
			{
				"CreationTime": "2024-02-24T17:42:55Z",
				"Description": "",
				"SecurityGroupId": "sg-abcd1234abcd1234abcd",
				"SecurityGroupName": "sg-abcd1234abcd1234abcd",
				"SecurityGroupType": "normal",
				"ServiceManaged": false,
				"VpcId": "vpc-123456789012345678901"
			},
			{
				"CreationTime": "2024-02-23T17:52:37Z",
				"Description": "",
				"SecurityGroupId": "sg-1234abcd1234abcd1234",
				"SecurityGroupName": "sg-1234abcd1234abcd1234",
				"SecurityGroupType": "normal",
				"ServiceManaged": false,
				"VpcId": "vpc-123456789012345678901"
			}
		]
	},
	"TotalCount": 2,
	"PageNumber": 1,
	"PageSize": 10,
	"RegionId": "eu-west-1",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run DescribeSecurityGroupAttribute command (OSX/Linux/UNIX) using the ID of the ECS security group that you want to examine as the identifier parameter, to describe the inbound rules defined for the selected security group: 

aliyun ecs DescribeSecurityGroupAttribute
  --RegionId 'eu-west-1'
  --SecurityGroupId 'sg-abcd1234abcd1234abcd'
  --Direction ingress

04 The command output should return the requested configuration information: 

{
	"Description": "System created security group.",
	"InnerAccessPolicy": "Accept",
	"Permissions": {
		"Permission": [
			{
				"CreateTime": "2024-02-23T17:52:37Z",
				"Description": "System created rule.",
				"DestCidrIp": "",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "ingress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "22/22",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-123456789012345678901",
				"SourceCidrIp": "0.0.0.0/0",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			},
			{
				"CreateTime": "2024-02-23T17:52:37Z",
				"Description": "System created rule.",
				"DestCidrIp": "",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "ingress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "80/80",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-1234567890abcdabcdabcd",
				"SourceCidrIp": "0.0.0.0/0",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			}
		]
	},
	"RegionId": "eu-west-1",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"SecurityGroupId": "sg-abcd1234abcd1234abcd",
	"SecurityGroupName": "sg-abcd1234abcd1234abcd",
	"VpcId": "vpc-123456789012345678901"
}

Check the inbound rules listed within the "Permission" array for any rules with the "IpProtocol" attribute set to "TCP", "PortRange" set to "22/22" or "1/65535", and the "SourceCidrIp" set to "0.0.0.0/0". If one or more rules match the search criteria, there are inbound rules that allow unrestricted access on TCP port 22, therefore the SSH access to the associated ECS instances is not secured.

05 Repeat steps no. 3 and 4 for each ECS security group available within the selected cloud region.

06 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update the inbound rule configuration for your ECS security groups in order to limit SSH access to trusted entities only (i.e. authorized IP addresses and IP ranges, or other trusted security groups) or to remove the non-compliant rule entirely, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the cloud region where your ECS security groups reside from the top navigation bar.

05 Click on the ID (link) of the security group that you want to configure, listed in the Security Group ID/Name.

06 Select the Security Group Details tab and choose the Inbound tab to access the ingress rules defined for the selected security group.

07 To change the traffic source for the inbound rule that allows unrestricted SSH access, perform the following actions:

  1. Select the rule that you want to modify and choose Modify in the Actions column.
  2. Remove 0.0.0.0/0 from Source and provide one of the following authorization objects or a combination of objects: your current IP address, one or more authorized IP addresses and/or IP address ranges, one or more authorized security groups.
  3. (Optional) Change the rule description in the Description column.
  4. Choose Save to apply the configuration changes.

08 To remove entirely the inbound rule that allows unrestricted SSH access, perform the following actions:

  1. Select the rule that you want to delete and choose Delete in the Actions column.
  2. In the Delete Security Group Rule confirmation box choose OK to confirm the removal.

09 Repeat steps no. 5 - 8 for each ECS security group that you want to configure, available in the selected cloud region.

10 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Run ModifySecurityGroupRule command (OSX/Linux/UNIX) using the ID of the ECS security group that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access (i.e. 0.0.0.0/0) on TCP port 22. For the --SourceCidrIp parameter, you can provide one of the following authorization objects or a combination of objects: your current IP address using CIDR notation (e.g. 10.0.0.5/32), one or more authorized IP addresses and/or IP address ranges using CIDR notation (e.g. 10.0.0.0/16), one or more authorized security groups (e.g. sg-1234abcd1234abcd1234): 

aliyun ecs ModifySecurityGroupRule 
  --region eu-west-1 
  --RegionId 'eu-west-1' 
  --SecurityGroupId 'sg-abcd1234abcd1234abcd' 
  --SecurityGroupRuleId 'sgr-123456789012345678901' 
  --Policy accept 
  --Priority 100 
  --IpProtocol TCP 
  --SourceCidrIp '10.0.0.5/32' 
  --PortRange '22/22' 
  --Description 'Limited SSH Access'

02 If successful, the output should return the command request ID: 

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 To remove entirely the inbound rule that allows unrestricted SSH access, run RevokeSecurityGroup command (OSX/Linux/UNIX) using the ID of the security group rule that you want to delete as the identifier parameter: 

aliyun ecs RevokeSecurityGroup 
  --RegionId 'eu-west-1' 
  --SecurityGroupId 'sg-abcd1234abcd1234abcd' 
  --SecurityGroupRuleId.1 'sgr-123456789012345678901'

04 If successful, the output should return the command request ID: 

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}

05 Repeat steps no. 1 - 4 for each ECS security group that you want to configure, available in the selected cloud region.

06 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.

References

Publication date Apr 25, 2024

Related AlibabaCloud-ECS rules