Ensure that SSH access from the Internet is evaluated and restricted

Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.27
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

NetworkSecurityGroup should not have inboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=22 and destinationPortTo>=22 ] and protocol in('TCP','All') and action='ALLOW' and sourceAddressPrefixes contain [ '0.0.0.0/0' ]]

REMEDIATION

Disable direct SSH access to your Azure Virtual Machines from the Internet.

1. For each VM, open the Networking blade
2. From the Inbound port rules, click on the inbound rule with name SSH
3. Change the Action toggle button to 'Deny' and click save

After direct SSH access from the Internet is disabled, you have other options you can use to access these virtual machines for remote management:
-Point-to-site VPN
-Site-to-site VPN
-ExpressRoute

Default Value:
By default, SSH access from internet is not enabled.

References
https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines

Network security group

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Compliance Frameworks

• AZU PCI-DSS 4.0
• Azure CIS Foundations v. 1.1.0
• Azure CIS Foundations v. 1.2.0
• Azure CIS Foundations v. 1.3.0
• Azure CIS Foundations v. 1.3.1
• Azure CIS Foundations v. 1.4.0
• Azure CIS Foundations v. 1.5.0
• Azure CIS Foundations v.2.0
• Azure CloudGuard Best Practices
• Azure CloudGuard CheckUp
• Azure HITRUST v9.5.0
• Azure NIST 800-53 Rev 5
• CloudGuard Azure All Rules Ruleset
• Microsoft Cloud Security Benchmark