Skip to main content

πŸ›‘οΈ Oracle IAAS Network Security Group allows unrestricted SSH traffic🟒

  • Contextual name: πŸ›‘οΈ IAAS Network Security Group allows unrestricted SSH traffic🟒
  • ID: /ce/ca/oracle/network/network-security-group-allows-unrestricted-ssh-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

  • Internal: dec-x-fe5d4f07

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-fe5d4f071

Description​

Open File

Description​

This policy identifies Oracle IAAS Network Security Groups that allow unrestricted ingress from the internet to the Secure Shell (SSH) port, TCP/22.

Rationale​

SSH is commonly used to administer Linux workloads and other networked systems. Allowing SSH access from 0.0.0.0/0 or ::/0 exposes administrative interfaces to internet-wide scanning, brute-force attempts, credential stuffing, and exploitation of vulnerable SSH services. Network security group rules should allow SSH only from trusted administrative networks, bastion hosts, VPN ranges, or other controlled access paths.

Impact​

Restricting public SSH ingress can block administrative connections that currently depend on open internet access. Confirm that administrators have an approved access path before removing or narrowing existing rules.

Audit​

This policy flags an Oracle IAAS Network Security Group as INCOMPLIANT when it has at least one related rule that meets all of the following conditions:

  • Direction is INGRESS.
  • Source is 0.0.0.0/0 or ::/0.

... see more

Remediation​

Open File

Remediation​

Restrict Public SSH Access​

From OCI CLI​

List the current ingress rules:

oci network nsg rules list \
    --nsg-id {{network-security-group-ocid}} \
    --direction INGRESS \
    --all

If the offending rule is not required, remove it by rule ID:

oci network nsg rules remove \
    --nsg-id {{network-security-group-ocid}} \
    --security-rule-ids '["{{security-rule-id}}"]'

If the rule is required but too broad, generate a sample update payload, edit it to replace public source CIDRs with approved administrative ranges, and apply the update:

oci network nsg rules update --generate-full-command-json-input > update-nsg-rules.json
oci network nsg rules update \
    --nsg-id {{network-security-group-ocid}} \
    --from-json file://update-nsg-rules.json

Update only the specific NSG rules that require correction and verify that unrestricted SSH access has been removed after the change.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;3435no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.4042no data
πŸ’Ό CIS Oracle v3.1.0 β†’ πŸ’Ό 2.3 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 - Level 1 (Automated)11no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Network Exposure137no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1168no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)23no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)68no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)23no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction2425no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.21 Security of network services55no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties2362no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented5498no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties144no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows4268no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception823no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7145no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.132no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.40no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.32no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.32no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.3040no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.2032no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.832no data
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet4244no data