Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
Like any other service, administration services can contain vulnerabilities. Administration services run with elevated privileges and thus a vulnerability could have a high impact on the system.
Additionally, credentials might be leaked through phishing or similar techniques. Attackers who are able to reach the services could use the credentials to log in to the system.
It is recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those held by system administrators or those of bastion-like servers.
An ingress rule allowing all inbound SSH traffic:
---
- name: Configure iptables rules
  hosts: all
  become: yes
  tasks:
    - name: Allow incoming SSH connections on port 22
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "22" # Noncompliant
        jump: ACCEPT
    - name: Allow existing connections
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
    - name: Drop all other incoming traffic
      ansible.builtin.iptables:
        chain: INPUT
        jump: DROP
An ingress rule allowing inbound SSH traffic from specific IP addresses:
---
- name: Configure iptables rules
  hosts: all
  become: yes
  tasks:
    - name: Allow incoming SSH connections on port 22
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "22"
        source: "42.42.42.42"
        jump: ACCEPT
    - name: Allow existing connections
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
    - name: Drop all other incoming traffic
      ansible.builtin.iptables:
        chain: INPUT
        jump: DROP
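As an added example (not part of this rule page and not Ansible's own code), a small Python check that flags the noncompliant pattern above in playbook tasks once they are loaded: an INPUT/ACCEPT rule on an administration port whose source is absent, 0.0.0.0/0, or a negation. The administration ports beyond 22 and the sample tasks are assumptions constructed for the example.

```python
import ipaddress

# Ports where remote administration services traditionally listen: 22 (SSH) is the
# page's example; 3389 (RDP) and 5985/5986 (WinRM) are added here as assumptions.
ADMIN_PORTS = {"22", "3389", "5985", "5986"}

def is_unrestricted_source(source):
    """True when the rule's 'source' admits every address: absent, 0.0.0.0/0, or a negation."""
    if source is None or source.startswith("!"):  # "!10.0.0.0/8" still admits everyone else
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames and other specs are not resolved here; assume restricted

def rule_ports(params):
    """Ports matched by destination_port ('22' or a '22:25' range) and destination_ports."""
    specs = [params["destination_port"]] if "destination_port" in params else []
    specs += params.get("destination_ports", [])
    ports = set()
    for spec in map(str, specs):
        lo, _, hi = spec.partition(":")
        ports.update(str(p) for p in range(int(lo), int(hi or lo) + 1))
    return ports

def noncompliant_tasks(tasks):
    """Return (task name, exposed ports) for INPUT/ACCEPT rules on admin ports with no source restriction."""
    findings = []
    for task in tasks:
        params = task.get("ansible.builtin.iptables") or task.get("iptables") or {}
        if params.get("chain") != "INPUT" or params.get("jump") != "ACCEPT":
            continue
        exposed = rule_ports(params) & ADMIN_PORTS
        if exposed and is_unrestricted_source(params.get("source")):
            findings.append((task.get("name", "<unnamed>"), sorted(exposed)))
    return findings

# Constructed sample mirroring the page's two playbooks (task dicts as Ansible would load them).
SAMPLE_TASKS = [
    {"name": "Allow SSH from anywhere", "ansible.builtin.iptables": {
        "chain": "INPUT", "protocol": "tcp", "destination_port": "22", "jump": "ACCEPT"}},
    {"name": "Allow SSH from bastion", "ansible.builtin.iptables": {
        "chain": "INPUT", "protocol": "tcp", "destination_port": "22",
        "source": "42.42.42.42", "jump": "ACCEPT"}},
    {"name": "Allow existing connections", "ansible.builtin.iptables": {
        "chain": "INPUT", "protocol": "tcp", "ctstate": "ESTABLISHED,RELATED", "jump": "ACCEPT"}},
    {"name": "Drop all other incoming traffic", "ansible.builtin.iptables": {"chain": "INPUT", "jump": "DROP"}},
]
```

Running `noncompliant_tasks(SAMPLE_TASKS)` reports only the first task; the bastion-restricted rule, the conntrack rule and the final DROP pass.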
Ansible Community Documentation - Modify iptables rules