ssh-blocked-from-internet
Explanation
SSH access can be allowed either in a standalone network security group rule resource or inline in a security_rule block of the network security group itself; the check inspects both places.
SSH access should not be permitted from the internet (source prefixes *, 0.0.0.0, /0, internet or any).
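To make the check's logic concrete, the following added example (not tfsec's own implementation) evaluates a list of NSG rule attributes the way the explanation above describes: an inbound Allow rule that reaches TCP port 22 from one of the listed internet-wide source prefixes is flagged. The NsgRule class, the sample rules and the 0.0.0.0/0 CIDR spelling are assumptions of this example; the handling of port ranges such as "20-30" goes slightly beyond the page, which only shows a single port.

```python
"""Evaluate Azure NSG rules for SSH exposed to the internet.

Added illustration of the azure-network-ssh-blocked-from-internet logic;
it is not tfsec's code. Sample rules are constructed for this example.
"""
from dataclasses import dataclass

# Source prefixes the check documentation lists as meaning "the internet".
# The explicit CIDR "0.0.0.0/0" is added here as an assumption.
INTERNET_SOURCES = {"*", "0.0.0.0", "/0", "internet", "any", "0.0.0.0/0"}


@dataclass
class NsgRule:
    """Subset of azurerm security rule attributes relevant to the check."""
    name: str
    direction: str = "Inbound"
    access: str = "Allow"
    protocol: str = "Tcp"
    destination_port_range: str = "*"
    source_address_prefix: str = "*"


def port_range_covers(port_range: str, port: int) -> bool:
    """True if an Azure port spec ("*", "22" or "20-30") includes `port`."""
    spec = port_range.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def is_internet_source(prefix: str) -> bool:
    """Case-insensitive match against the internet-wide source prefixes."""
    return prefix.strip().lower() in INTERNET_SOURCES


def exposes_ssh_to_internet(rule: NsgRule) -> bool:
    """The failing pattern: inbound, Allow, TCP (or any protocol),
    destination covers port 22, source is the whole internet."""
    return (
        rule.direction.lower() == "inbound"
        and rule.access.lower() == "allow"
        and rule.protocol.lower() in ("tcp", "*")
        and port_range_covers(rule.destination_port_range, 22)
        and is_internet_source(rule.source_address_prefix)
    )


def find_violations(rules):
    """Return the names of rules that fail the check, in input order."""
    return [r.name for r in rules if exposes_ssh_to_internet(r)]


# Constructed sample rules: the page's two examples plus a few edge cases.
SAMPLE_RULES = [
    NsgRule("bad_example_security_rule", destination_port_range="22",
            source_address_prefix="*"),
    NsgRule("good_example_security_rule", destination_port_range="22",
            source_address_prefix="82.102.23.23"),
    NsgRule("wide_range_from_internet", destination_port_range="20-30",
            source_address_prefix="Internet"),
    NsgRule("ssh_but_outbound", direction="Outbound",
            destination_port_range="22"),
    NsgRule("ssh_but_deny", access="Deny", destination_port_range="22"),
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_RULES):
        print(f"FAIL azure-network-ssh-blocked-from-internet: {name}")
```

Running the module prints the two constructed rules that fail: the wildcard-source rule from the insecure example and the range rule that happens to include port 22. Deny rules, outbound rules and the rule restricted to 82.102.23.23 are not reported.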
Possible Impact
It is dangerous to allow SSH access from the internet.
Suggested Resolution
Block port 22 access from the internet: restrict the rule's source address prefix to known addresses or ranges, as in the secure example below.
Insecure Example
The following example will fail the azure-network-ssh-blocked-from-internet check.
resource "azurerm_network_security_rule" "bad_example" {
  name                        = "bad_example_security_rule"
  priority                    = 100 # required by the provider; value chosen for this example
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "TCP"
  source_port_range           = "*"
  destination_port_range      = "22" # a single port is a string, not a list
  source_address_prefix       = "*"  # any source, including the internet: fails the check
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

resource "azurerm_network_security_group" "example" {
  name                = "tf-appsecuritygroup"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "bad_example_inline_rule"
    priority                   = 101 # required by the provider; value chosen for this example
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "TCP"
    source_port_range          = "*" # "*" is the provider's spelling of "any"
    destination_port_range     = "22"
    source_address_prefix      = "*" # any source, including the internet: fails the check
    destination_address_prefix = "*"
  }
}
Secure Example
The following example will pass the azure-network-ssh-blocked-from-internet check.
resource "azurerm_network_security_rule" "good_example" {
  name                        = "good_example_security_rule"
  priority                    = 100 # required by the provider; value chosen for this example
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "TCP"
  source_port_range           = "*"
  destination_port_range      = "22" # a single port is a string, not a list
  source_address_prefix       = "82.102.23.23" # a single known source, not the internet
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.example.name
  network_security_group_name = azurerm_network_security_group.example.name
}

resource "azurerm_network_security_group" "example" {
  name                = "tf-appsecuritygroup"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "good_example_inline_rule"
    priority                   = 101 # required by the provider; value chosen for this example
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "TCP"
    source_port_range          = "*" # "*" is the provider's spelling of "any"
    destination_port_range     = "22"
    source_address_prefix      = "82.102.23.23" # a single known source, not the internet
    destination_address_prefix = "*"
  }
}