Description:
SSH (Secure Shell) is a widely used protocol for managing and accessing Linux-based servers and virtual machines. However, if improperly configured, SSH access from the internet can lead to security vulnerabilities, such as brute-force attacks or unauthorized access to your systems. Evaluating and restricting SSH access from the internet ensures that only authorized and trusted users can access your resources while preventing unauthorized or malicious access.
By automating the evaluation and restriction of SSH access, you can enforce security measures like limiting access to specific IP addresses, using Network Security Groups (NSGs), Azure Firewall, or Just-in-Time (JIT) VM access for SSH connections.
Rationale:
Restricting SSH access from the internet mitigates common threats, such as brute-force attacks, where attackers attempt to guess passwords or credentials. By ensuring that SSH access is only available from trusted networks or users and disabling unrestricted internet access, you significantly reduce the attack surface.
Impact:
Automating SSH access restriction helps improve security by limiting the potential attack vectors. However, this may affect legitimate access for administrators, remote workers, or other systems that need SSH access. Therefore, the restriction configuration should be carefully reviewed to ensure it doesn't disrupt necessary operations, such as system management or troubleshooting.
Default Value:
By default, SSH access is allowed from the internet unless restricted by Network Security Groups (NSGs), Azure Firewall, or other security policies.
Pre-requisites:
Azure subscription.
Network Security Groups (NSGs) or Azure Firewall configured.
Azure Virtual Machines (VMs) with SSH enabled (typically on port 22).
Just-in-Time (JIT) VM Access should be enabled for additional control over SSH access.
Owner, Contributor, or Network Contributor role permissions.
Audit:
Sign in to Azure portal as an Owner, Contributor, or Network Contributor.
Navigate to Network Security Groups (NSGs) or Azure Firewall.
Verify that no inbound rule allows TCP port 22 from '*', 'Internet' or 0.0.0.0/0, and that SSH is only allowed from the trusted source ranges your security policies define.
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to Network Security Groups (NSGs):
Go to Network Security Groups (NSGs) in the Azure portal.
Restrict SSH Access Using NSGs:
In the NSG, configure Inbound security rules to allow SSH traffic (port 22) only from trusted sources, such as specific IP ranges, subnets, or virtual networks.
Deny access from the internet (any source IP) unless it is explicitly needed.
Example of an NSG configuration using Azure CLI to restrict SSH access:
# Allow SSH only from the trusted ranges, then deny it from every other source.
# NSG rules are evaluated by ascending priority and the first match wins, so
# the Allow rule (priority 100) must sit above the Deny rule (priority 200).
az network nsg rule create \
  --resource-group <Resource-Group-Name> \
  --nsg-name <NSG-Name> \
  --name "Allow-SSH-from-Trusted-IP" \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefixes <Trusted-IP-Ranges> \
  --source-port-ranges '*' \
  --destination-port-ranges 22 \
  --access Allow

az network nsg rule create \
  --resource-group <Resource-Group-Name> \
  --nsg-name <NSG-Name> \
  --name "Deny-SSH-All" \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefixes '*' \
  --source-port-ranges '*' \
  --destination-port-ranges 22 \
  --access Deny
Use Azure Firewall to Restrict SSH Access:
Azure Firewall can also be used to control SSH traffic. Because SSH is plain TCP on port 22, it is filtered with a network rule (application rules only cover HTTP/HTTPS and FQDN-based filtering).
Configure Azure Firewall to allow SSH traffic only from trusted IP address ranges; traffic that matches no allow rule is denied by default, so no explicit deny rule is needed.
Example to create an Azure Firewall rule to allow SSH from a trusted source:
# Requires the azure-firewall CLI extension (az extension add --name azure-firewall).
# The rule collection group and the network rule collection must already exist.
az network firewall policy rule-collection-group collection rule add \
  --resource-group <Resource-Group-Name> \
  --policy-name <Firewall-Policy-Name> \
  --rule-collection-group-name <Rule-Collection-Group-Name> \
  --collection-name <Network-Rule-Collection-Name> \
  --name "Allow-SSH-from-Trusted-IP" \
  --rule-type NetworkRule \
  --ip-protocols TCP \
  --source-addresses <Trusted-IP-Ranges> \
  --dest-addr <Destination-IP-Address> \
  --destination-ports 22
Enable Just-in-Time (JIT) VM Access for SSH:
Just-in-Time (JIT) VM Access provides additional control by allowing SSH access only when needed, reducing the window of vulnerability for SSH access.
Navigate to Azure Security Center (now Microsoft Defender for Cloud) and enable JIT VM Access for the VMs that require SSH access.
JIT access allows you to control when and who can access a VM via SSH by automatically managing NSG rules for the VM.
Example of enabling JIT VM Access for SSH in Azure CLI:
# 'az security jit-policy' only offers list/show, so the policy is created through
# the JIT REST API with az rest. maxRequestAccessDuration is ISO 8601 (PT1H = 1 hour).
# allowedSourceAddressPrefix '*' would let the requester pick the source at request
# time; pin it to a trusted range instead.
az rest --method put \
  --url "https://management.azure.com/subscriptions/<Subscription-Id>/resourceGroups/<Resource-Group-Name>/providers/Microsoft.Security/locations/<Location>/jitNetworkAccessPolicies/default?api-version=2020-01-01" \
  --body '{
    "kind": "Basic",
    "properties": {
      "virtualMachines": [{
        "id": "/subscriptions/<Subscription-Id>/resourceGroups/<Resource-Group-Name>/providers/Microsoft.Compute/virtualMachines/<VM-Name>",
        "ports": [{
          "number": 22,
          "protocol": "TCP",
          "allowedSourceAddressPrefix": "<Trusted-IP-Range>",
          "maxRequestAccessDuration": "PT1H"
        }]
      }]
    }
  }'
Monitor SSH Access with Azure Monitor:
Use Azure Monitor to create custom alerts for any unauthorized SSH attempts or anomalies in SSH traffic.
Set up Log Analytics to store and query logs related to SSH access to ensure that only authorized users are connecting.
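The alert logic behind the two monitoring goals above, as an added example that is not part of the original page: it parses standard sshd auth-log lines (the kind the Azure Monitor agent forwards as Syslog into Log Analytics), flags source addresses that exceed a failed-login threshold inside a sliding time window, and lists successful logins from outside the trusted ranges. The log lines, the trusted range 203.0.113.0/24 and the thresholds are constructed for the demonstration.

```python
"""SSH brute-force and untrusted-login detection over sshd auth-log lines.

Added example, not code from the original page. It assumes the VM's auth log
reaches Log Analytics via Syslog; the thresholds here can be mirrored in an
Azure Monitor alert rule. All sample data is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BSD syslog stamp, host, sshd[pid], then the two messages we care about.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")

# Constructed sample: six rapid failures from one internet host, one typo and a
# successful key login from a trusted admin range, and a key login from an
# address outside that range.
SAMPLE_LOG = """\
Mar  3 10:00:01 vm1 sshd[2001]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  3 10:00:03 vm1 sshd[2002]: Failed password for root from 198.51.100.23 port 50123 ssh2
Mar  3 10:00:05 vm1 sshd[2003]: Failed password for invalid user test from 198.51.100.23 port 50124 ssh2
Mar  3 10:00:07 vm1 sshd[2004]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar  3 10:00:09 vm1 sshd[2005]: Failed password for invalid user ubuntu from 198.51.100.23 port 50126 ssh2
Mar  3 10:00:11 vm1 sshd[2006]: Failed password for root from 198.51.100.23 port 50127 ssh2
Mar  3 10:01:00 vm1 sshd[2010]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:04 vm1 sshd[2010]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:30 vm1 sshd[2020]: Accepted publickey for bob from 192.0.2.77 port 40022 ssh2: RSA SHA256:constructed
Mar  3 10:03:00 vm1 sshd[2030]: Disconnected from authenticating user root 198.51.100.23 port 50127 [preauth]
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def _parse_ts(stamp):
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine for
    # differences inside one window (a year boundary would need the real year).
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> peak number of failed logins seen inside any `window`,
    for sources whose peak reaches `threshold`."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(_parse_ts(m["ts"]))
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted stamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def logins_outside_trusted(lines, trusted_prefixes):
    """(user, ip) for every successful login whose source is not in a trusted range."""
    nets = [ipaddress.ip_network(p) for p in trusted_prefixes]
    found = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m and not any(ipaddress.ip_address(m["ip"]) in n for n in nets):
            found.append((m["user"], m["ip"]))
    return found


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LINES))
    print("logins from outside trusted ranges:",
          logins_outside_trusted(SAMPLE_LINES, ["203.0.113.0/24"]))
```

Both checks are keyed on the source address, which after NSG hardening should only ever be a trusted range; a hit in either list is therefore a direct signal that the restriction is not effective or that a trusted host is being abused.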
Test and Verify Configuration:
After restricting SSH access, test to ensure that only trusted IP ranges can access the VM using SSH.
Try connecting via SSH from a non-trusted IP to ensure that access is denied.
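The verification above needs an untrusted vantage point; the same question can be answered offline from the NSG's rule set, which also serves the Audit step. Below is an added example that is not part of the original page: it reads rules in the JSON shape returned by `az network nsg rule list -o json` and applies NSG evaluation order (ascending priority, first match wins, the platform's DenyAllInBound default rule last) to report which rule decides an inbound TCP/22 connection from the internet or from a given address. The rule sets, the trusted range 203.0.113.0/24 and the leftover `default-allow-ssh` rule are constructed.

```python
"""Which NSG rule decides an inbound SSH connection?

Added example, not code from the original page. Input rules use the field
names of `az network nsg rule list -o json`. NSG semantics applied: rules are
evaluated by ascending priority, the first match wins, and Azure's default
DenyAllInBound rule (priority 65500) catches whatever no custom rule matched.
"""
import ipaddress

# Source prefixes that admit traffic from the internet at large.
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0"}

# Azure appends this default rule to every NSG.
DEFAULT_DENY = {
    "name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
    "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
    "destinationPortRange": "*",
}


def _port_ranges(rule):
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    return [r for r in ranges if r]


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:                        # e.g. "20-30"
        lo, hi = (int(x) for x in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def _source_prefixes(rule):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    return [p for p in prefixes if p]


def _source_matches(prefix, source):
    """`source` is a concrete IPv4 address or the service tag 'Internet'."""
    if prefix in INTERNET_PREFIXES:
        return True
    if source == "Internet":
        return False  # a CIDR or another service tag never covers the whole internet
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags (VirtualNetwork, ...) cannot be resolved offline


def deciding_rule(rules, source="Internet", port=22, protocol="Tcp"):
    """Return the first inbound rule, by priority, matching the connection."""
    candidates = [r for r in rules if r["direction"] == "Inbound"] + [DEFAULT_DENY]
    for rule in sorted(candidates, key=lambda r: r["priority"]):
        if rule["protocol"] not in (protocol, "*"):
            continue
        if not any(_port_matches(p, port) for p in _port_ranges(rule)):
            continue
        if any(_source_matches(s, source) for s in _source_prefixes(rule)):
            return rule
    return DEFAULT_DENY


def ssh_exposed_to_internet(rules):
    return deciding_rule(rules, "Internet")["access"] == "Allow"


# Constructed sample: the two rules from the implementation steps above, plus a
# leftover 'default-allow-ssh' rule of the kind VM creation wizards add.
TRUSTED_RULES = [
    {"name": "Allow-SSH-from-Trusted-IP", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "22"},
    {"name": "Deny-SSH-All", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "22"},
]
LEFTOVER_RULE = {"name": "default-allow-ssh", "priority": 1000, "direction": "Inbound",
                 "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
                 "destinationPortRange": "22"}

if __name__ == "__main__":
    for label, rules in (("hardened", TRUSTED_RULES), ("leftover only", [LEFTOVER_RULE]),
                         ("hardened + leftover", TRUSTED_RULES + [LEFTOVER_RULE])):
        print(f"{label}: internet SSH decided by {deciding_rule(rules)['name']}")
```

The third case is why the explicit Deny-SSH-All rule at priority 200 is worth keeping even though DenyAllInBound exists: it shadows any lower-priority Allow rule that is added later, so a leftover or accidental wildcard rule no longer reopens port 22.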
Automate Evaluation with Azure Policy:
Use Azure Policy to automatically enforce the restriction of SSH access and ensure that only authorized IP ranges are allowed to connect to SSH ports.
Example Azure Policy to restrict SSH access:
{
  "properties": {
    "displayName": "Restrict SSH Access from the Internet",
    "policyType": "Custom",
    "mode": "All",
    "description": "Denies NSG inbound Allow rules that open TCP/22 to any internet source ('*', 'Internet' or 0.0.0.0/0). Deny only blocks new or changed rules; existing rules must be found by audit.",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol", "in": [ "Tcp", "*" ] },
          {
            "anyOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": [ "22", "*" ] },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                  "where": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", "in": [ "22", "*" ] }
                },
                "greater": 0
              }
            ]
          },
          {
            "anyOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "Internet", "0.0.0.0/0" ] },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                  "where": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", "in": [ "*", "Internet", "0.0.0.0/0" ] }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to NSGs or Azure Firewall:
Go to Network Security Groups (NSGs) or Azure Firewall in the Azure portal.
Remove or Revert SSH Access Restrictions:
In NSGs, remove or adjust the rules that restrict SSH access from the internet.
Revert Just-in-Time (JIT) Access Settings:
If JIT VM Access was used, disable or adjust the JIT settings for the VM.
Verify Reverted Configuration:
Test to ensure that SSH access is no longer restricted and that the access controls are functioning as expected.
Monitor Access Logs:
Use Azure Monitor to ensure that the previous SSH restrictions are not being enforced after the backout.