- Restrict Network Access to Remote Console Services
Ensure that your Elastic Compute Service (ECS) security groups restrict access to remote console services (SSH and RDP) by blocking unrestricted access (0.0.0.0/0). This practice aligns with the Principle of Least Privilege (POLP) and helps minimize the potential attack surface.
Exposing remote console service ports such as TCP port 22 (SSH) and TCP port 3389 (RDP) to the Internet increases the opportunity for malicious activity such as hacking, Man-In-The-Middle (MITM) attacks, and brute-force attacks. It is therefore strongly recommended to configure your Elastic Compute Service (ECS) security groups to limit inbound traffic on these ports to known and trusted IP addresses only.
Audit
To determine if the network access to remote console services is restricted, perform the following operations:
Using Alibaba Cloud Console
01 Sign in to your Alibaba Cloud account.
02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.
03 In the left navigation panel, under Network & Security, choose Security Groups.
04 Select the cloud region where your ECS security groups reside from the top navigation bar.
05 Click on the ID (link) of the security group that you want to examine, listed in the Security Group ID/Name.
06 Select the Security Group Details tab and choose the Inbound tab to access the ingress rules defined for the selected security group.
07 Check the rules list for any inbound rules with the Protocol Type attribute set to Custom TCP, Port Range set to Destination: 22/22, Destination: 3389/3389, or Destination: 1/65535, and the Authorization Object set to Source 0.0.0.0/0. If one or more rules match these criteria, there are inbound rules that allow unrestricted access on TCP port 22 and/or TCP port 3389, and therefore network access to remote console services is not restricted.
08 Repeat steps no. 5 - 7 for each ECS security group available in the selected cloud region.
09 Change the cloud region from the top navigation bar and perform the Audit process for other regions.
Using Alibaba Cloud CLI
01 Run the DescribeSecurityGroups command (OSX/Linux/UNIX) to describe the information available for each ECS security group provisioned in the specified cloud region:
aliyun ecs DescribeSecurityGroups --RegionId 'eu-west-1'
02 The command output should return the requested details (including the security group ID):
{ "SecurityGroups": { "SecurityGroup": [ { "CreationTime": "2024-02-24T17:42:55Z", "Description": "", "SecurityGroupId": "sg-abcd1234abcd1234abcd", "SecurityGroupName": "sg-abcd1234abcd1234abcd", "SecurityGroupType": "normal", "ServiceManaged": false, "VpcId": "vpc-123456789012345678901" }, { "CreationTime": "2024-02-23T17:52:37Z", "Description": "", "SecurityGroupId": "sg-1234abcd1234abcd1234", "SecurityGroupName": "sg-1234abcd1234abcd1234", "SecurityGroupType": "normal", "ServiceManaged": false, "VpcId": "vpc-123456789012345678901" } ] }, "TotalCount": 2, "PageNumber": 1, "PageSize": 10, "RegionId": "eu-west-1", "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD" }
03 Run the DescribeSecurityGroupAttribute command (OSX/Linux/UNIX), using the ID of the ECS security group that you want to examine as the identifier parameter, to describe the inbound rules defined for the selected security group:
aliyun ecs DescribeSecurityGroupAttribute --RegionId 'eu-west-1' --SecurityGroupId 'sg-abcd1234abcd1234abcd' --Direction ingress
04 The command output should return the requested configuration information:
{ "Description": "System created security group.", "InnerAccessPolicy": "Accept", "Permissions": { "Permission": [ { "CreateTime": "2024-02-23T17:52:37Z", "Description": "Allow SSH Access", "DestCidrIp": "", "DestGroupId": "", "DestGroupName": "", "DestGroupOwnerAccount": "", "DestPrefixListId": "", "DestPrefixListName": "", "Direction": "ingress", "IpProtocol": "TCP", "Ipv6DestCidrIp": "", "Ipv6SourceCidrIp": "", "NicType": "intranet", "Policy": "Accept", "PortRange": "22/22", "Priority": 100, "SecurityGroupRuleId": "sgr-123456789012345678901", "SourceCidrIp": "0.0.0.0/0", "SourceGroupId": "", "SourceGroupName": "", "SourceGroupOwnerAccount": "", "SourcePortRange": "", "SourcePrefixListId": "", "SourcePrefixListName": "" }, { "CreateTime": "2024-02-24T16:55:42Z", "Description": "Allow full access", "DestCidrIp": "", "DestGroupId": "", "DestGroupName": "", "DestGroupOwnerAccount": "", "DestPrefixListId": "", "DestPrefixListName": "", "Direction": "ingress", "IpProtocol": "TCP", "Ipv6DestCidrIp": "", "Ipv6SourceCidrIp": "", "NicType": "intranet", "Policy": "Accept", "PortRange": "1/65535", "Priority": 1, "SecurityGroupRuleId": "sgr-abcd1234abcd1234abcd1", "SourceCidrIp": "0.0.0.0/0", "SourceGroupId": "", "SourceGroupName": "", "SourceGroupOwnerAccount": "", "SourcePortRange": "", "SourcePrefixListId": "", "SourcePrefixListName": "" } ] }, "RegionId": "eu-west-1", "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD", "SecurityGroupId": "sg-abcd1234abcd1234abcd", "SecurityGroupName": "sg-abcd1234abcd1234abcd", "VpcId": "vpc-123456789012345678901" }
Check the inbound rules listed within the "Permission" array for any rules with the "IpProtocol" attribute set to "TCP", "PortRange" set to "22/22", "3389/3389", or "1/65535", and the "SourceCidrIp" set to "0.0.0.0/0". If one or more rules match these criteria, there are inbound rules that allow unrestricted access on TCP port 22 and/or TCP port 3389, and therefore network access to remote console services is not restricted.
05 Repeat steps no. 3 and 4 for each ECS security group available within the selected cloud region.
06 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
To restrict network access to remote console services on TCP port 22 (SSH) and TCP port 3389 (RDP), perform the following operations:
Using Alibaba Cloud Console
01 Sign in to your Alibaba Cloud account.
02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.
03 In the left navigation panel, under Network & Security, choose Security Groups.
04 Select the cloud region where your ECS security groups reside from the top navigation bar.
05 Click on the ID (link) of the security group that you want to configure, listed in the Security Group ID/Name.
06 Select the Security Group Details tab and choose the Inbound tab to access the ingress rules defined for the selected security group.
07 To change the traffic source for the inbound rule that allows unrestricted SSH/RDP access, perform the following actions:
- Select the rule that you want to modify and choose Modify in the Actions column.
- Remove 0.0.0.0/0 from Source and provide one of the following authorization objects or a combination of objects: your current IP address, one or more authorized IP addresses and/or IP address ranges, one or more authorized security groups.
- (Optional) Change the rule description in the Description column.
- Choose Save to apply the configuration changes.
08 Repeat steps no. 5 - 7 for each ECS security group that you want to configure, available in the selected cloud region.
09 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.
Using Alibaba Cloud CLI
01 Run the ModifySecurityGroupRule command (OSX/Linux/UNIX), using the ID of the ECS security group that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 (SSH). For the --SourceCidrIp parameter, you can provide one of the following authorization objects or a combination of objects: your current IP address in CIDR notation (e.g. 10.0.0.5/32), one or more authorized IP addresses and/or IP address ranges in CIDR notation (e.g. 10.0.0.0/16), or one or more authorized security groups (e.g. sg-1234abcd1234abcd1234):
aliyun ecs ModifySecurityGroupRule --region eu-west-1 --RegionId 'eu-west-1' --SecurityGroupId 'sg-abcd1234abcd1234abcd' --SecurityGroupRuleId 'sgr-123456789012345678901' --Policy accept --Priority 100 --IpProtocol TCP --SourceCidrIp '10.0.0.5/32' --PortRange '22/22' --Description 'Limited SSH Access'
02 If successful, the output should return the command request ID:
{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}
03 Run the ModifySecurityGroupRule command (OSX/Linux/UNIX), using the ID of the ECS security group that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access on TCP port 3389 (RDP). For the --SourceCidrIp parameter, you can provide one of the following authorization objects or a combination of objects: your current IP address in CIDR notation, one or more authorized IP addresses and/or IP address ranges in CIDR notation, or one or more authorized security groups:
aliyun ecs ModifySecurityGroupRule --region eu-west-1 --RegionId 'eu-west-1' --SecurityGroupId 'sg-1234abcd1234abcd1234' --SecurityGroupRuleId 'sgr-abcdabcdabcdabcdabcda' --Policy accept --Priority 100 --IpProtocol TCP --SourceCidrIp '10.0.0.0/16' --PortRange '3389/3389' --Description 'Limited RDP Access'
04 If successful, the output should return the command request ID:
{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}
05 Repeat steps no. 1 - 4 for each ECS security group that you want to configure, available in the selected cloud region.
06 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.
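The following Python script is an added example (not part of this page or of the aliyun CLI) that automates the CLI Audit check above and emits the ModifySecurityGroupRule call from the Remediation section for each finding. It goes slightly beyond the page's three literal port ranges: any range that covers port 22 or 3389 is flagged, and ::/0 is treated like 0.0.0.0/0. The input is a constructed sample shaped like the DescribeSecurityGroupAttribute output shown above; feeding it the real JSON from that command is the assumed usage.

```python
import ipaddress
import shlex

CONSOLE_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample trimmed to the fields this check reads, modelled on the audit output above.
SAMPLE_ATTR = {"RegionId": "eu-west-1", "SecurityGroupId": "sg-abcd1234abcd1234abcd",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
         "Priority": 100, "SourceCidrIp": "0.0.0.0/0", "Ipv6SourceCidrIp": "",
         "SecurityGroupRuleId": "sgr-123456789012345678901"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "1/65535",
         "Priority": 1, "SourceCidrIp": "0.0.0.0/0", "Ipv6SourceCidrIp": "",
         "SecurityGroupRuleId": "sgr-abcd1234abcd1234abcd1"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389",
         "Priority": 1, "SourceCidrIp": "10.0.0.0/16", "Ipv6SourceCidrIp": "",
         "SecurityGroupRuleId": "sgr-000000000000000000001"}]}}

def port_range_covers(port_range, port):
    """PortRange is "from/to"; "-1/-1" is treated as the all-ports wildcard (assumption)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo == hi == -1) or lo <= port <= hi

def is_world_open(rule):
    """True when the IPv4 or IPv6 source CIDR has prefix length 0 (0.0.0.0/0 or ::/0)."""
    cidrs = [rule.get(k) for k in ("SourceCidrIp", "Ipv6SourceCidrIp") if rule.get(k)]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def find_unrestricted_console_rules(attr):
    """Ingress Accept rules for TCP (or all protocols) whose range covers 22 or 3389 from anywhere."""
    findings = []
    for r in attr["Permissions"]["Permission"]:
        if (r["Direction"] != "ingress" or r["Policy"] != "Accept"
                or r["IpProtocol"].upper() not in ("TCP", "ALL") or not is_world_open(r)):
            continue
        exposed = [s for p, s in CONSOLE_PORTS.items() if port_range_covers(r["PortRange"], p)]
        if exposed:
            findings.append((r["SecurityGroupRuleId"], r["PortRange"], r["Priority"], exposed))
    return findings

def remediation_command(attr, finding, trusted_cidr):
    """Same rule and port range, source swapped for trusted_cidr (an all-ports rule also needs narrowing)."""
    rule_id, port_range, priority, exposed = finding
    args = ["aliyun", "ecs", "ModifySecurityGroupRule", "--RegionId", attr["RegionId"],
            "--SecurityGroupId", attr["SecurityGroupId"], "--SecurityGroupRuleId", rule_id,
            "--Policy", "accept", "--Priority", str(priority), "--IpProtocol", "TCP",
            "--SourceCidrIp", trusted_cidr, "--PortRange", port_range,
            "--Description", "Limited " + "/".join(exposed) + " Access"]
    return " ".join(shlex.quote(a) for a in args)
```

Review each generated command before running it; the 1/65535 rule in the sample is flagged for both services and should have its port range reduced as well, not only its source.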