Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 22
Error: Alibaba Cloud Security group allows internet traffic to SSH port (22)
Bridgecrew Policy ID: BC_ALI_NETWORKING_2
Checkov Check ID: CKV_ALI_2
Severity: HIGH
Alibaba Cloud Security group allows internet traffic to SSH port (22)
Description
This policy identifies Security groups that allow inbound traffic on SSH port (22) from the public internet. As a best practice, restrict security groups to only allow permitted traffic and limit brute force attacks on your network.
Fix - Runtime
Alibaba Cloud Portal
- Log in to Alibaba Cloud Portal
- Go to Elastic Compute Service
- In the left-side navigation pane, choose Network & Security > Security Groups
- Select the reported security group and then click Add Rules in the Actions column
- In Inbound tab, Select the rule having 'Action' as Allow, 'Authorization Object' as 0.0.0.0/0 and 'Port Range' value as 22, Click Modify in the Actions column
- Replace the value 0.0.0.0/0 with specific IP address range.
- Click on 'OK'
Fix - Buildtime
Terraform
resource "alicloud_security_group_rule" "allow_all_vncserver" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "internet"
policy = "accept"
port_range = "5900/5900"
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
Footer
© 2022 GitHub, Inc.
Footer navigation
Updated 3 months ago