Verify that SSH access from the Internet is evaluated and restricted

Framework Reference: A.8.20 Integration: Azure – Network Security Groups (NSGs)

Why this matters
SSH (TCP port 22) is a constant target for brute-force and credential-stuffing attacks. If an NSG allows inbound access to port 22 from any Internet source, a single weak password or leaked key gives an attacker shell access to the virtual machine, from which they can move laterally across the virtual network or attack other services. Restricting SSH to trusted IP ranges or internal networks is critical to minimizing the external attack surface while keeping administrative access available.


What this check does
This Auto Check verifies that no Network Security Group (NSG) rule allows unrestricted inbound access to TCP port 22 (SSH) from the Internet.

Check Logic:
Passes if:

  • No inbound Allow rule matches TCP (or Any) traffic to port 22, or to a port range that includes 22, from a source set to *, 0.0.0.0/0, /0, Internet, or Any

Fails if:

  • Any inbound Allow rule matches TCP (or Any) traffic on port 22, or on a port range that includes 22
    AND
  • The rule's source is publicly routable (e.g. *, 0.0.0.0/0, /0, Internet, Any)

The check is evaluated per rule, not on effective access: a matching Allow rule fails the check even when a higher-priority Deny rule blocks the same traffic, so tighten or remove the Allow rule rather than relying on a Deny placed in front of it.
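The check logic above, worked through as an added Python example; it is not part of the original article and not the Auto Check's own implementation. It reads rule objects in the shape that `az network nsg rule list` returns (the sample rules are constructed for illustration, not captured from a real subscription) and handles the cases a naive string match on "22" misses: a "*" port, a hyphenated range such as 20-30, the destinationPortRanges and sourceAddressPrefixes lists, and IPv6 ::/0. All function names are my own.

```python
import ipaddress
import json

# Constructed sample in the shape returned by `az network nsg rule list`
# (irrelevant fields dropped). Not captured from a real subscription.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-ssh-anywhere", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "priority": 100,
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "allow-mgmt-range", "direction": "Inbound", "access": "Allow",
   "protocol": "*", "priority": 110,
   "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
   "destinationPortRange": null, "destinationPortRanges": ["20-30", "3389"]},
  {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "priority": 120,
   "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "allow-https", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "priority": 130,
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "443", "destinationPortRanges": []},
  {"name": "deny-ssh", "direction": "Inbound", "access": "Deny",
   "protocol": "Tcp", "priority": 90,
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "outbound-ssh", "direction": "Outbound", "access": "Allow",
   "protocol": "Tcp", "priority": 100,
   "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []}
]
""")

# Source values the check treats as "the Internet" (compared case-insensitively).
PUBLIC_SOURCE_TOKENS = {"*", "any", "internet", "0.0.0.0/0", "/0"}


def port_spec_covers(spec, port):
    """True if an NSG port entry ("22", "20-30", "*") includes `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_port_specs(rule):
    """Single destinationPortRange and/or the destinationPortRanges list."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs


def rule_sources(rule):
    """Single sourceAddressPrefix and/or the sourceAddressPrefixes list."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return sources


def source_is_public(prefix):
    """True for the wildcard tokens or a CIDR with prefix length 0 (v4 or v6)."""
    value = prefix.strip()
    if value.lower() in PUBLIC_SOURCE_TOKENS:
        return True
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        # Service tags (VirtualNetwork, AzureLoadBalancer, ...) and
        # application security group names are not public sources.
        return False


def rule_exposes_ssh(rule, port=22):
    """Per-rule test matching the check logic: inbound Allow, TCP or Any,
    a port spec that includes 22, and at least one public source."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if (rule.get("protocol") or "*").lower() not in ("tcp", "*"):
        return False
    if not any(port_spec_covers(s, port) for s in rule_port_specs(rule)):
        return False
    return any(source_is_public(s) for s in rule_sources(rule))


def evaluate(rules):
    """Return (passed, offending_rule_names). Like the check, this is per rule:
    priority is not evaluated, so deny-ssh at priority 90 does not excuse
    allow-ssh-anywhere at priority 100."""
    offenders = [r["name"] for r in rules if rule_exposes_ssh(r)]
    return (not offenders, offenders)


if __name__ == "__main__":
    passed, offenders = evaluate(SAMPLE_RULES)
    print("PASS" if passed else "FAIL", offenders)
```

Against the constructed sample the result is FAIL with two offenders: allow-ssh-anywhere (exact port 22 from *) and allow-mgmt-range (protocol Any, range 20-30 from Internet). The office rule with a /24 source, the HTTPS rule, the Deny rule and the outbound rule are not flagged. To run it on real data, replace SAMPLE_RULES with the parsed output of `az network nsg rule list --output json`.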

How to fix it

Azure Portal:

  1. Go to "Virtual machines"
  2. For each VM, open the "Networking" blade (rules from the NSG attached to the NIC and from the NSG attached to the subnet are both listed there)
  3. Under "Inbound port rules", locate rules with:
       • Port = 22 or a range including 22
       • Protocol = TCP or Any
       • Source = Any, 0.0.0.0/0, or Internet
       • Action = Allow
  4. Delete the rule, or restrict its Source to a known IP address range or a private network

Azure CLI:

az network nsg list --subscription <subscription-id> --output table

az network nsg rule list \
  --resource-group <resource-group> \
  --nsg-name <nsg-name> \
  --query "[?direction=='Inbound' && access=='Allow' && (destinationPortRange=='22' || destinationPortRange=='*' || contains(destinationPortRanges, '22')) && (sourceAddressPrefix=='*' || sourceAddressPrefix=='0.0.0.0/0' || sourceAddressPrefix=='Internet')].{name:name, priority:priority, protocol:protocol, ports:destinationPortRange, source:sourceAddressPrefix}" \
  --output table

The query matches an exact "22" or "*" port entry only; rules that use a hyphenated range such as 20-30, or that list sources under sourceAddressPrefixes, are not matched and need to be reviewed by hand.

az network nsg rule delete \
  --resource-group <resource-group> \
  --nsg-name <nsg-name> \
  --name <rule-name>

PowerShell:

$nsgs = Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group>
foreach ($nsg in $nsgs) {
  $nsg | Get-AzNetworkSecurityRuleConfig | Where-Object {
    $_.Direction -eq "Inbound" -and
    $_.Access -eq "Allow" -and
    ($_.Protocol -eq "Tcp" -or $_.Protocol -eq "*") -and
    ($_.DestinationPortRange -eq "22" -or $_.DestinationPortRange -eq "*") -and
    ($_.SourceAddressPrefix -eq "*" -or $_.SourceAddressPrefix -eq "0.0.0.0/0" -or $_.SourceAddressPrefix -eq "Internet")
  } | Select-Object @{ n = "Nsg"; e = { $nsg.Name } }, Name, Priority, Protocol, DestinationPortRange, SourceAddressPrefix
}

As with the CLI query, a hyphenated port range such as 20-30 is not matched by -eq "22" and must be reviewed by hand.

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group> -Name <nsg-name>
Remove-AzNetworkSecurityRuleConfig -Name <rule-name> -NetworkSecurityGroup $nsg | Set-AzNetworkSecurityGroup

Remove-AzNetworkSecurityRuleConfig only edits the in-memory NSG object; the change is not applied in Azure until the object is piped to Set-AzNetworkSecurityGroup.


Exceptions
None. SSH must never be exposed to the open Internet. Any deviation requires explicit, documented justification and tight compensating controls, at minimum restricting the rule's source to known, trusted address ranges.

