Virtual Machines Should Only Allow SSH Based Authentication
More Info:
Ensure that your production Microsoft Azure virtual machines are configured to use SSH keys instead of username/password credentials for SSH authentication.Risk Level
CriticalAddress
SecurityCompliance Standards
PCIDSS, ISO27001, HIPAATriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Virtual Machines Should Only Allow SSH Based Authentication” for AZURE using AZURE console, follow these steps:
- Go to the Azure portal (https://portal.azure.com/) and sign in with your credentials.
- Navigate to the Virtual Machines section.
- Select the virtual machine that needs to be remediated.
- Click on the “Networking” option from the left-hand side menu.
- Under the “Inbound port rules” section, remove the rule for RDP (Remote Desktop Protocol).
- Click on the “Add inbound port rule” button.
- Select “SSH” from the “Service” dropdown menu.
- Select “Any” or “IP Addresses” for the “Source” field, depending on your requirements.
- Click on the “Add” button to add the new rule.
- Save the changes by clicking on the “Save” button at the top of the page.
Using CLI
Using CLI
To remediate the misconfiguration “Virtual Machines Should Only Allow SSH Based Authentication” for AZURE using AZURE CLI, please follow the below steps:
- Open Azure CLI on your local machine or use the Azure Cloud Shell.
-
Run the following command to list all the virtual machines in your subscription:
- Identify the virtual machine that you want to remediate and note down its name and resource group.
-
Run the following command to update the network security group of the virtual machine to allow only SSH-based authentication:
Replace
<vm-name>with the name of your virtual machine and<resource-group-name>with the name of the resource group it belongs to. - This command will remove any load balancer backend address pools from the virtual machine’s network interface, which will restrict access to only SSH-based authentication. Note: This command will not affect any other network security groups that the virtual machine may be associated with.
-
Verify that the remediation is successful by checking the network security group of the virtual machine using the following command:
This command should return an empty array, indicating that there are no load balancer backend address pools associated with the virtual machine’s network interface. Congratulations, you have successfully remediated the misconfiguration “Virtual Machines Should Only Allow SSH Based Authentication” for AZURE using AZURE CLI.
Using Python
Using Python
To remediate the misconfiguration “Virtual Machines Should Only Allow SSH Based Authentication” in Azure using Python, you can use the Azure Python SDK to update the Network Security Group (NSG) rules for the virtual machine. Here are the steps to follow:This code creates a new NSG rule that only allows inbound TCP traffic on port 22 (SSH) and deletes all other rules. The updated NSG is then created or updated in Azure.Note that this code assumes that the virtual machine is already configured to use SSH-based authentication. If not, you will need to configure SSH-based authentication on the virtual machine before updating the NSG rules.
- Install the Azure Python SDK using pip:
- Authenticate to your Azure account using the Azure CLI or by setting environment variables for your Azure credentials.
- Get the NSG associated with the virtual machine:
- Update the NSG rules to only allow SSH traffic: