nuclei-templates/cloud/alibaba/ecs/unrestricted-ssh-access.yaml

id: unrestricted-ssh-access

info:
  name: Unrestricted - SSH Access
  author: DhiyaneshDK
  severity: high
  description: |
    Unrestricted SSH access allows anyone on the internet to attempt connections to your instance over port 22, posing a risk of brute force attacks, unauthorized access, and exploitation of SSH vulnerabilities. Limiting access to trusted IPs is essential to secure your instance.
  reference:
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-ECS/unrestricted-ssh-access.html
    - https://www.alibabacloud.com/help/en/ecs/use-cases/best-practices-of-the-security-group
  metadata:
    max-request: 1
    verified: true
  tags: cloud,devops,aliyun,alibaba,alibaba-cloud-config,ecs

variables:
  region: "cn-hangzhou"

flow: |
  code(1)
  for(let SecurityGroupId of iterate(template.securitygroup)){
    set("securitygroup", SecurityGroupId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aliyun ecs DescribeSecurityGroups --RegionId $region

    extractors:
      - type: json
        name: securitygroup
        internal: true
        json:
          - '.SecurityGroups.SecurityGroup[].SecurityGroupId'

  - engine:
      - sh
      - bash
    source: |
      aliyun ecs DescribeSecurityGroupAttribute --SecurityGroupId "$securitygroup" --Direction ingress --RegionId $region

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"IpProtocol": "TCP"'
          - '"PortRange": "22/22"'
          - '"SourceCidrIp": "0.0.0.0/0"'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - 'securitygroup + " contains Unrestricted SSH Access"'
# digest: 490a0046304402202e339cb93aa8335e5ff03f213f08088dabf4a5a13fac0966a611e1f997286afd022069619c73d1d9c73d9b218d18002c77e97eea9b24132fc58195db2a4d1f581fc8:922c64590222798bb761d5b6d8e72950