Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 22

Error: Alibaba Cloud Security group allows internet traffic to SSH port (22)

Bridgecrew Policy ID: BC_ALI_NETWORKING_2
Checkov Check ID: CKV_ALI_2
Severity: HIGH

Alibaba Cloud Security group allows internet traffic to SSH port (22)

Description

This policy identifies Security groups that allow inbound traffic on SSH port (22) from the public internet. As a best practice, restrict security groups to only allow permitted traffic and limit brute force attacks on your network.

Fix - Runtime

Alibaba Cloud Portal

Log in to Alibaba Cloud Portal
Go to Elastic Compute Service
In the left-side navigation pane, choose Network & Security > Security Groups
Select the reported security group and then click Add Rules in the Actions column
In Inbound tab, Select the rule having 'Action' as Allow, 'Authorization Object' as 0.0.0.0/0 and 'Port Range' value as 22, Click Modify in the Actions column
Replace the value 0.0.0.0/0 with specific IP address range.
Click on 'OK'

Fix - Buildtime

Terraform

resource "alicloud_security_group_rule" "allow_all_vncserver" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "5900/5900"
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}
Footer
© 2022 GitHub, Inc.
Footer navigation

Updated 10 months ago