This rule focuses on restricting ingress from 0.0.0.0/0 to port 22 in security groups.
| Rule | Security groups should not allow ingress from 0.0.0.0/0 to port 22 |
| --- | --- |
| Framework | PCI v3.2.1 |
| Severity | High |
Rule Description
This rule checks that security groups on systems in scope for PCI v3.2.1 do not allow inbound traffic to port 22 (SSH) from the CIDR range 0.0.0.0/0, which matches every IPv4 address. Any security group with such an inbound rule fails the check.
Troubleshooting Steps
If there are issues related to this rule, follow these troubleshooting steps:
Necessary Codes
No specific codes are required for this rule. However, modifying the security group's inbound rules might involve running command-line interface (CLI) commands. The necessary CLI command will depend on the cloud platform being used.
Remediation Steps
To remediate this issue, you need to modify the security group associated with the resource(s) to remove or disable the inbound rule allowing traffic from 0.0.0.0/0 on port 22.
Run the command for your cloud platform:

AWS (EC2 security group):

```shell
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
```

Azure (network security group):

```shell
az network nsg rule delete --name SSHRule --nsg-name <security-group-name> --resource-group <resource-group-name>
```

GCP (VPC firewall rule):

```shell
gcloud compute firewall-rules delete allow-ssh --project=<project-id>
```

In the Azure and GCP commands, SSHRule and allow-ssh are example rule names; replace them with the name of the rule that actually opens port 22 in your environment.
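As an added example (not part of this rule page or of any vendor's tooling), the following Python script applies the check from the rule description and the AWS remediation step above to security-group data in the shape returned by `aws ec2 describe-security-groups`. The sample groups and their `sg-0example...` IDs are constructed placeholders. It flags every permission that reaches port 22 from 0.0.0.0/0 or its IPv6 counterpart ::/0, including port ranges that merely span 22 and all-protocol (`-1`) rules, and for each hit it builds a revoke command in the CLI's `--ip-permissions` form so that port ranges and IPv6 sources are expressed exactly.

```python
import ipaddress
import json

SSH_PORT = 22

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (placeholder group IDs, not real account data).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0example0001",
        "IpPermissions": [
            # The textbook violation: TCP/22 open to the world
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0example0002",
        "IpPermissions": [
            # A port range that spans 22 without naming it explicitly
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # All traffic, all protocols: AWS omits FromPort/ToPort entirely
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0example0003",
        "IpPermissions": [
            # SSH restricted to a private range: compliant
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            # Open to the world, but on 443, not 22: not this rule's concern
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def permission_covers_ssh(perm):
    """True if this IpPermission entry lets TCP traffic reach port 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # UDP/ICMP rules cannot carry SSH
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def open_cidrs(perm):
    """CIDRs in this permission that mean 'any source address' (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_violations(groups):
    """Return (group_id, permission, cidr) for every world-open path to port 22."""
    hits = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not permission_covers_ssh(perm):
                continue
            for cidr in open_cidrs(perm):
                hits.append((group["GroupId"], perm, cidr))
    return hits


def revoke_command(group_id, perm, cidr):
    """Build the revoke call that removes exactly this grant and nothing else."""
    grant = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":         # all-protocol grants carry no ports
        grant["FromPort"] = perm["FromPort"]
        grant["ToPort"] = perm["ToPort"]
    if ":" in cidr:
        grant["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        grant["IpRanges"] = [{"CidrIp": cidr}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([grant], separators=(',', ':'))}'")


if __name__ == "__main__":
    for group_id, perm, cidr in find_violations(SAMPLE_GROUPS):
        print(f"{group_id}: port 22 reachable from {cidr}")
        print("  " + revoke_command(group_id, perm, cidr))
```

Against the constructed sample the script reports sg-0example0001 once and sg-0example0002 twice (the 20-25 range and the all-protocol IPv6 grant), and nothing for sg-0example0003. Feed it the `SecurityGroups` list from a real `describe-security-groups` call to audit an account; the generated commands are meant to be reviewed before they are run, in keeping with the note below about retaining an alternative access path.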
Note
Ensure that you have an alternative method for accessing the resource(s) securely after removing the rule. This might involve allowing access from specific IP ranges or implementing secure connectivity options like VPNs or bastion hosts.