
Restrict Traffic for Default Security Lists

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Very High (act immediately)

Ensure that the default security lists of your Oracle Cloud Infrastructure (OCI) Virtual Cloud Networks (VCNs) restrict all ingress network traffic. This forces OCI users to create custom security lists that follow the Principle of Least Privilege (POLP) instead of relying on the default security list that every VCN provides.

Security

In Oracle Cloud Infrastructure (OCI), a default security list is created together with every Virtual Cloud Network (VCN). Out of the box, this security list allows inbound TCP port 22 (SSH) from any source (0.0.0.0/0). Because many OCI users attach the default security list to their compute instances at launch, a default security list that still allows unrestricted access exposes those instances to Internet-wide scanning, brute-force password guessing, exploitation of SSH service vulnerabilities, and Denial-of-Service (DoS) attacks.


Audit

To determine if your default security lists allow unrestricted access on TCP port 22 (SSH), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to examine, listed in the Name column.

06 In the left navigation panel, under Resources, choose Security Lists.

07 Click on the name (link) of the default security list created for your VCN. The default security list has the following name: Default Security List for <vcn-name>, where <vcn-name> is the name of the selected Virtual Cloud Network (VCN).

08 In the Resources navigation panel, choose Ingress Rules to access the inbound rules defined for the selected security list.

09 Check the rules list for any inbound rules with the Source attribute set to 0.0.0.0/0, IP Protocol set to TCP, and Destination Port Range set to 22. If one or more rules match the search criteria, the default security list for the selected Virtual Cloud Network (VCN) has inbound rules that allow unrestricted access on TCP port 22.

10 Repeat steps no. 5 - 9 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run network vcn list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the name of each Virtual Cloud Network (VCN) available in the selected OCI compartment:

oci network vcn list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."display-name"'

04 The command output should return the requested VCN identifiers (names):

[
	"cc-project5-vcn",
	"cc-production-vcn"
]

05 Run network security-list list command (Windows/macOS/Linux) with the ID of the OCI compartment and the name of the default security list (--display-name parameter, exact match) as the identifier parameters, to list the ingress rules configured for the specified security list. The default security list has the following name: Default Security List for <vcn-name>, where <vcn-name> is the name of the Virtual Cloud Network (VCN) returned at the previous step:

oci network security-list list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--display-name 'Default Security List for cc-project5-vcn'
	--query 'data[]."ingress-security-rules"'

06 The command output should return the requested ingress security rules:

[
	[
		{
			"description": null,
			"icmp-options": null,
			"is-stateless": false,
			"protocol": "6",
			"source": "0.0.0.0/0",
			"source-type": "CIDR_BLOCK",
			"tcp-options": {
				"destination-port-range": {
					"max": 22,
					"min": 22
				},
				"source-port-range": null
			},
			"udp-options": null
		},
		{
			"description": null,
			"icmp-options": {
				"code": null,
				"type": 3
			},
			"is-stateless": false,
			"protocol": "1",
			"source": "10.0.0.0/16",
			"source-type": "CIDR_BLOCK",
			"tcp-options": null,
			"udp-options": null
		}
	]
]

Check each inbound rule returned by the network security-list list command output for a "source" attribute set to "0.0.0.0/0", "protocol" set to "6" (TCP), and "destination-port-range" set to "min": 22 and "max": 22. If one or more rules match the search criteria, the default security list for the selected Virtual Cloud Network (VCN) has inbound rules that allow unrestricted access on TCP port 22. Note that a rule whose port range merely includes 22 (for example "min": 1, "max": 1024), a TCP rule with "tcp-options" set to null (all ports), a rule with "protocol" set to "all", or a source of "::/0" (any IPv6 address) grants the same unrestricted SSH access and should be treated as a match as well.

07 Repeat steps no. 5 and 6 for each Virtual Cloud Network created in the selected OCI compartment.

08 Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To update the ingress configuration for your default security lists in order to restrict network access, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to access, listed in the Name column.

06 In the left navigation panel, under Resources, choose Security Lists.

07 Click on the name (link) of the default security list created for your VCN. The default security list has the following name: Default Security List for <vcn-name>.

08 In the Resources navigation panel, choose Ingress Rules to access the inbound rules defined for the selected security list.

09 To change the traffic source for the inbound rule that allows unrestricted SSH access, perform the following actions:

  1. Select the rule that you want to modify and choose Edit.
  2. Replace 0.0.0.0/0 in the Source CIDR box with an authorized IP address or IP address range.
  3. Choose Save changes to apply the configuration changes.

10 To remove entirely the inbound rule that allows unrestricted SSH access, perform the following actions:

  1. Select the inbound rule that you want to delete and choose Remove.
  2. In the confirmation box choose Remove to confirm the rule removal.

11 Repeat steps no. 5 - 10 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run network security-list list command (Windows/macOS/Linux) with custom output filters to describe the resource ID for the specified default security list:

oci network security-list list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--display-name 'Default Security List for cc-project5-vcn'
	--query 'data[]."id"'

02 The command output should return the ID (OCID) of the requested security list:

[
	"ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

03 Run network security-list update command (Windows/macOS/Linux) with the ID of the default security list that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access (i.e., 0.0.0.0/0) on TCP port 22 (SSH). For the "source" configuration attribute, provide an authorized IP address or IP address range in CIDR notation (e.g., 10.0.0.15/32 or 10.0.0.0/16); use one rule per authorized source if you need several. Keep "isStateless" set to false unless you also maintain the matching egress rule, because a stateless rule does not allow the SSH response traffic back out on its own. IMPORTANT: This command overwrites the existing ingress rules. Ensure that you include all existing ingress rules that must remain (here, the ICMP rule from the VCN CIDR) in the --ingress-security-rules parameter value. The CLI asks for confirmation before replacing the rule list; add --force to skip the prompt when scripting:

oci network security-list update
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--ingress-security-rules '[{"source": "10.0.0.15/32", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 22, "min": 22}}}, {"source": "10.0.0.0/16", "protocol": "1", "isStateless": false, "icmpOptions": {"type": 3}}]'
	--query 'data."ingress-security-rules"'

04 The command output should return the ingress rules configured for the modified security list:

[
	{
		"description": null,
		"icmp-options": null,
		"is-stateless": false,
		"protocol": "6",
		"source": "10.0.0.15/32",
		"source-type": "CIDR_BLOCK",
		"tcp-options": {
			"destination-port-range": {
				"max": 22,
				"min": 22
			},
			"source-port-range": null
		},
		"udp-options": null
	},
	{
		"description": null,
		"icmp-options": {
			"code": null,
			"type": 3
		},
		"is-stateless": false,
		"protocol": "1",
		"source": "10.0.0.0/16",
		"source-type": "CIDR_BLOCK",
		"tcp-options": null,
		"udp-options": null
	}
]

05 To remove the ingress rule that allows unrestricted SSH access entirely, write the ingress rules that should remain (all existing rules except the non-compliant one, in the same camelCase JSON format used at step no. 3) to a file, for example cc-new-ingress-rules.json, and run network security-list update command (Windows/macOS/Linux) with the ID of the default security list that you want to update as the identifier parameter and the file as the --ingress-security-rules parameter value:

oci network security-list update
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--ingress-security-rules file://cc-new-ingress-rules.json
	--query 'data."ingress-security-rules"'

06 The command output should return the ingress rules available for the modified security list:

[
	{
		"description": null,
		"icmp-options": {
			"code": null,
			"type": 3
		},
		"is-stateless": false,
		"protocol": "1",
		"source": "10.0.0.0/16",
		"source-type": "CIDR_BLOCK",
		"tcp-options": null,
		"udp-options": null
	}
]

07 Repeat steps no. 1 - 6 for each Virtual Cloud Network created in the selected OCI compartment.

08 Repeat steps no. 1 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.
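The per-rule check from the Audit section's CLI procedure and the JSON editing that the Remediation section's CLI steps leave to the reader, as one added Python example that is not part of this page and not Trend Micro's or Oracle's code. It consumes the kebab-case JSON that oci network security-list get/list prints and produces the camelCase rule list that oci network security-list update --ingress-security-rules file://... accepts, carrying every unaffected rule over so the full-list replacement does not drop them. The detection goes beyond the page's exact "22" match: it also flags port ranges that include 22, TCP rules with no port range, "protocol": "all", and the IPv6 any-source "::/0". The embedded security list is a constructed sample with fictitious values shaped like the page's output; it does not call the OCI API.

```python
"""Audit and remediate OCI security-list ingress rules that expose SSH.

Consumes the JSON that `oci network security-list get` / `list` prints and
emits the camelCase rule list that
`oci network security-list update --ingress-security-rules file://...` accepts.
"""
import json
from ipaddress import ip_network
from typing import Dict, List, Optional

SSH_PORT = 22


def is_any_source(cidr: str) -> bool:
    """True for a CIDR that covers every address: 0.0.0.0/0 or ::/0."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR at all, so not an Internet-wide source


def rule_allows_tcp_port(rule: Dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port`. OCI stores the protocol
    as an IANA number string ("6" = TCP) or "all"; a missing tcp-options or
    destination-port-range means every destination port."""
    if str(rule.get("protocol", "")).lower() not in ("6", "all"):
        return False
    dst = (rule.get("tcp-options") or {}).get("destination-port-range")
    return not dst or dst["min"] <= port <= dst["max"]


def is_open_ssh(rule: Dict) -> bool:
    """The finding on this page: an any-source CIDR ingress rule reaching TCP/22."""
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False
    return is_any_source(rule.get("source", "")) and rule_allows_tcp_port(rule, SSH_PORT)


def audit(security_list: Dict) -> List[Dict]:
    """Return the non-compliant ingress rules of one security list."""
    return [r for r in security_list.get("ingress-security-rules", []) if is_open_ssh(r)]


def to_cli_input(rule: Dict) -> Dict:
    """Re-key a rule from the CLI's kebab-case output to the camelCase form
    the update command takes, dropping null fields along the way."""
    def camel(key: str) -> str:
        head, *rest = key.split("-")
        return head + "".join(word.capitalize() for word in rest)

    def convert(value):
        if isinstance(value, dict):
            return {camel(k): convert(v) for k, v in value.items() if v is not None}
        return value

    return convert(rule)


def remediate(rules: List[Dict], allowed_source: Optional[str]) -> List[Dict]:
    """Build the complete replacement ingress list for `security-list update`.

    Open-SSH rules are re-sourced to `allowed_source` (e.g. "10.0.0.15/32") or
    dropped when it is None; every other rule is carried over unchanged, because
    the update call replaces the whole list, not just the rule being fixed.
    """
    if allowed_source is not None and is_any_source(allowed_source):
        raise ValueError("allowed_source must not be an any-address CIDR")
    fixed = []
    for rule in rules:
        if is_open_ssh(rule):
            if allowed_source is None:
                continue
            rule = {**rule, "source": allowed_source, "source-type": "CIDR_BLOCK"}
        fixed.append(to_cli_input(rule))
    return fixed


# Constructed sample (fictitious values) in the shape of the page's CLI output.
SAMPLE_SECURITY_LIST = {
    "display-name": "Default Security List for cc-project5-vcn",
    "ingress-security-rules": [
        {"description": None, "icmp-options": None, "is-stateless": False,
         "protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
         "tcp-options": {"destination-port-range": {"max": 22, "min": 22},
                         "source-port-range": None}, "udp-options": None},
        # IPv6 any-source with a port range that includes 22: an exact search
        # for destination port "22" never shows this one.
        {"description": "mgmt", "icmp-options": None, "is-stateless": False,
         "protocol": "6", "source": "::/0", "source-type": "CIDR_BLOCK",
         "tcp-options": {"destination-port-range": {"max": 1024, "min": 1},
                         "source-port-range": None}, "udp-options": None},
        {"description": None, "icmp-options": {"code": None, "type": 3},
         "is-stateless": False, "protocol": "1", "source": "10.0.0.0/16",
         "source-type": "CIDR_BLOCK", "tcp-options": None, "udp-options": None},
    ],
}

if __name__ == "__main__":
    print(f"{len(audit(SAMPLE_SECURITY_LIST))} open-SSH ingress rule(s) in "
          f"{SAMPLE_SECURITY_LIST['display-name']}")
    # Save this output as cc-new-ingress-rules.json and pass it as
    # --ingress-security-rules file://cc-new-ingress-rules.json
    new_rules = remediate(SAMPLE_SECURITY_LIST["ingress-security-rules"], "10.0.0.15/32")
    print(json.dumps(new_rules, indent=2))
```

To run it against a real security list, replace SAMPLE_SECURITY_LIST with the parsed output of oci network security-list get --security-list-id <ocid>, feed the printed list to the update command from step no. 3 or 5, and re-run audit() on the updated list to confirm it returns nothing. The check refuses an any-address CIDR as the replacement source, so a typo cannot silently recreate the finding.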


Publication date Mar 12, 2025