Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Check for Unrestricted SSH Access via Network Security Groups

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Very High (act immediately)
Rule ID: OCI-Networking-005

Check your Oracle Cloud Infrastructure (OCI) network security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 and limit the access to trusted IP addresses or IP ranges only in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface. TCP port 22 is used for secure remote login by connecting an SSH client application with an SSH server.

Security

Exposing TCP port 22 (Secure Shell - SSH) to the Internet can increase opportunities for malicious activities such as hacking, Man-In-The-Middle (MITM) attacks, and brute-force attacks. Therefore, it is highly recommended to configure your OCI network security groups (NSGs) to limit inbound traffic on TCP port 22 to known and trusted IP addresses only.

Audit

To determine if your OCI network security groups (NSGs) allow unrestricted access on TCP port 22 (SSH), perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Networking console available at https://cloud.oracle.com/networking/.

  3. In the left navigation panel, under Overview, choose Virtual cloud networks.

  4. Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

  5. Click on the name (link) of the Virtual Cloud Network (VCN) that you want to examine.

  6. In the left navigation panel, under Resources, choose Network Security Groups.

  7. Click on the name (link) of the network security group (NSG) that you want to examine, listed in the Name column.

  8. In the Resources navigation panel, choose Security Rules, and select only the Ingress checkbox under Direction to list the inbound rules defined for the selected NSG.

  9. Check the Security Rules list for any inbound rules with the Source attribute set to 0.0.0.0/0, Protocol set to TCP, and Destination Port Range set to 22. If one or more rules match the search criteria, the selected network security group (NSG) has inbound rules that allow unrestricted access on TCP port 22. As a result, the SSH access to the target VM instances is not secured.

  10. Repeat steps no. 7 - 9 for each OCI network security group available for your Virtual Cloud Network (VCN).

  11. Repeat steps no. 5 - 10 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run network nsg list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each network security group (NSG) available in the selected compartment:

    oci network nsg list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested NSG identifiers (IDs):

    [
	"ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"ocid1.networksecuritygroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

  5. Run network nsg rules list command (Windows/macOS/Linux) with the ID of the OCI network security group (NSG) that you want to examine as the identifier parameter and custom output filters to describe the inbound rules that allow unrestricted network access on TCP port 22 (SSH), configured for the selected NSG:

    oci network nsg rules list
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--all 2>/dev/null | jq -r '.data[] | select(.source == "0.0.0.0/0" and .direction == "INGRESS" and ((."tcp-options"."destination-port-range".max >= 22 and ."tcp-options"."destination-port-range".min <= 22) or ."tcp-options"."destination-port-range" == null))'

  6. The command output should return the inbound rules that allow unrestricted access on TCP port 22:

    {
	"description": null,
	"destination": null,
	"destination-type": null,
	"direction": "INGRESS",
	"icmp-options": null,
	"id": "ABC123",
	"is-stateless": false,
	"is-valid": true,
	"protocol": "6",
	"source": "0.0.0.0/0",
	"source-type": "CIDR_BLOCK",
	"tcp-options": {
		"destination-port-range": {
			"max": 22,
			"min": 22
		},
		"source-port-range": null
	},
	"time-created": "2025-03-04T17:05:18.857000+00:00",
	"udp-options": null
}

    If the network nsg rules list command does not return an output, there are no ingress rules that allow unrestricted SSH access configured for the selected NSG. If the command output returns one of more results, as shown in the example above, there are OCI network security group (NSG) that allow unrestricted inbound access on TCP port 22. As a result, the SSH access to the target VM instances is not secured.

  7. Repeat steps no. 5 and 6 for each OCI network security group available for your Virtual Cloud Network (VCN).

  8. Repeat steps no. 3 - 7 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Remediation / Resolution

To update the inbound rule configuration for your OCI network security groups (NSGs) in order to limit SSH access to trusted networks and machines only (i.e., authorized IP addresses and IP address ranges) or to remove the non-compliant rule entirely, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Networking console available at https://cloud.oracle.com/networking/.

  3. In the left navigation panel, under Overview, choose Virtual cloud networks.

  4. Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

  5. Click on the name (link) of the Virtual Cloud Network (VCN) that you want to access.

  6. In the left navigation panel, under Resources, choose Network Security Groups.

  7. Click on the name (link) of the network security group (NSG) that you want to configure, listed in the Name column.

  8. In the Resources navigation panel, choose Security Rules, and select only the Ingress checkbox under Direction to list the ingress rules defined for the selected NSG.

  9. To change the traffic source for the inbound rule that allows unrestricted access on TCP port 22 (SSH), perform the following actions:

    1. Select the rule that you want to modify and choose Edit.
    2. Replace 0.0.0.0/0 in the Source CIDR box with an authorized IP address or IP address range.
    3. Choose Save changes to apply the configuration changes.

  10. To remove entirely the inbound rule that allows unrestricted SSH access, perform the following actions:

    1. Select the inbound rule that you want to delete and choose Remove.
    2. In the confirmation box choose Remove to confirm the security rule removal.

  11. Repeat steps no. 7 - 10 for each OCI network security group provisioned for your Virtual Cloud Network (VCN).

  12. Repeat steps no. 5 - 11 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

  1. Run network nsg rules update command (OSX/Linux/UNIX) with the ID of the OCI network security group (NSG) that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access (i.e., 0.0.0.0/0) on TCP port 22 (SSH). For the "source" configuration attribute, you can provide an authorized IP address or IP address range using CIDR notation (e.g., 10.0.0.30/32 or 10.0.0.0/16):

    oci network nsg rules update
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--security-rules '[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "ABC123", "is-stateless": true, "protocol": "6", "source": "10.0.0.30/32", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 22, "min": 22 }, "source-port-range": null }, "udp-options": null }]'

  2. The command output should return the ingress rules configured for the modified network security group (NSG):

    {
	"data": {
		"security-rules": [
			{
				"description": null,
				"destination": null,
				"destination-type": null,
				"direction": "INGRESS",
				"icmp-options": null,
				"id": "ABC123",
				"is-stateless": true,
				"is-valid": true,
				"protocol": "6",
				"source": "10.0.0.30/32",
				"source-type": "CIDR_BLOCK",
				"tcp-options": {
					"destination-port-range": {
						"max": 22,
						"min": 22
					},
					"source-port-range": null
				},
				"time-created": "2025-03-04T17:34:05.311000+00:00",
				"udp-options": null
			}
		]
	}
}

  3. To remove entirely the NSG ingress rule that allows unrestricted SSH access, run network nsg rules remove command (OSX/Linux/UNIX) with the ID of the non-compliant inbound rule that you want to delete as the identifier parameter:

    oci network nsg rules remove
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--security-rule-ids '{"id": "ABC123"}'

  4. The command output should return the ingress rules available for the modified network security group:

    [
	{
		"description": null,
		"destination": null,
		"destination-type": null,
		"direction": "INGRESS",
		"icmp-options": null,
		"id": "ABCABC",
		"is-stateless": false,
		"is-valid": true,
		"protocol": "6",
		"source": "0.0.0.0/0",
		"source-type": "CIDR_BLOCK",
		"tcp-options": {
			"destination-port-range": {
				"max": 443,
				"min": 443
			},
			"source-port-range": null
		},
		"time-created": "2025-03-04T17:18:56.395000+00:00",
		"udp-options": null
	}
]

  5. Repeat steps no. 1 - 4 for each network security group (NSG) created for your Virtual Cloud Network (VCN).

  6. Repeat steps no. 1 - 5 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

References

Publication date Mar 12, 2025

Related OCI-Networking rules