I have Port 22 open for SSH connections onto my EC2 instance. Got told off by my boss that keeping Port 22 open for SSH connections is a security issue, but he refused to elaborate.
To my understanding, to successfully gain access to the System through the Port 22, an attacker would still need my Access Key, my Secret Key, and even then, would still need the credentials of a high-level user within the organization to be able to access anything through the port.
Why is keeping Port 22 open such a big issue, when all it can be used for is lawful SSH?
CodePudding user response:
SSH is commonly exploited through leaked keys or even brute forcing credentials. As the comments say, it's simply best practice to block port 22 as it adds extra steps for a threat actor looking for easy pickings.
Since this is an AWS environment, I'd consider an alternative like SSM Session Manager, which doesn't require you to open up a port and lets you control access via IAM. Or if you must have SSH access, use a hardened bastion host, preferably limited to access via VPN. These leave much more limited room for exploitation than having port 22 open publicly on all your instances.
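As an added illustration (not part of the answer above), the following check audits security groups for inbound rules that expose port 22 to the whole internet. It works on the data structure returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`); a constructed sample in that shape is embedded so the check runs offline, and the `sg-...` ids in it are made up.

```python
from typing import Iterable

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def rule_covers_ssh(perm: dict) -> bool:
    """True if an IpPermission entry admits TCP port 22 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    # Port ranges such as 0-1024 cover 22 as well, so check containment.
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def rule_is_world_open(perm: dict) -> bool:
    """True if the rule's sources include an 'anywhere' CIDR."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(s in WORLD_CIDRS for s in sources)


def find_world_open_ssh(groups: Iterable[dict]) -> list[str]:
    """Return GroupIds whose inbound rules expose SSH to the whole internet."""
    return [
        g["GroupId"] for g in groups
        if any(rule_covers_ssh(p) and rule_is_world_open(p)
               for p in g.get("IpPermissions", []))
    ]


# Constructed sample in the shape of describe-security-groups output:
# sg-0aaa is open to the world on 22, sg-0bbb only to a VPN range,
# sg-0ccc allows all traffic from any IPv6 address (also a finding).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.8.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    print(find_world_open_ssh(SAMPLE_GROUPS))  # ['sg-0aaa', 'sg-0ccc']
```

To run it against a real account, pass the `SecurityGroups` list from the describe call to `find_world_open_ssh`; a VPN-only source range like `sg-0bbb` is what the bastion-plus-VPN setup in the answer looks like at the security-group level.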
CodePudding user response:
SSH, after all, is just an application installed on your server, so it can contain known vulnerabilities. An open SSH port (22 or any other) is an attack point: attackers worldwide can "hit" the SSH server application on your server. Of course, you could prevent unauthorized access with an SSH key pair, but there have been known vulnerabilities that gave attackers the privilege to execute remote commands (RCE) even without knowing the keys. That's why wide-open access should really be limited. With AWS services, it is recommended to use AWS SSM to perform remote execution on EC2, because there is no need to expose or install SSH on your server. Every command can be logged for audit purposes.