
Testing log – Blocking reverse shell from App Service (Linux) while allowing access to management and Azure Services

I wanted to quickly document some settings I’ve configured for app service, in order to harden the network side of App Service.

Disclaimer: The post doesn't give background on reverse shells, or on network hardening of App Service in general; it documents the method of preventing non-DNS-tunneling-based reverse shells on App Service. The testing is also highly experimental: before implementing outbound restrictions on your App Service app or function, research the dependencies thoroughly and do extensive testing before any production change.

Short background

  • It's really good to get alerts on reverse shells from Azure Security Center in the first place (this reference is for VMs, but has a neat description of reverse shells):
https://docs.microsoft.com/en-us/azure/security-center/alerts-reference

Testing reverse Shell on App Service

The easiest way to test a reverse shell on App Service is to use the 'Open an SSH session to a Linux container in Azure App Service' method detailed here:
https://docs.microsoft.com/en-us/azure/app-service/configure-linux-open-ssh-session

  • Getting a reverse shell on an app can happen in many ways, Remote Code Execution being one example
    • Reverse shells are convenient for an attacker because they don't require inbound SSH connectivity to the compromised resource; it's enough that the compromised resource allows outbound connections

Successful Reverse Shell on App Service

Blocking Reverse Shell

VNET settings for App Service on Linux used to mitigate reverse shell

  • You might need to adjust these per use case; it's good to understand that with this configuration every internet-based (outbound-initiated) destination has to be allowed explicitly.

For further info check the excellent article at https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options

  • In order to apply the NSG to the app service you must configure the app setting described here:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#regional-virtual-network-integration
  • App Service VNET settings
  • Subnet NSG
  • The AzureCloud service tag is used to allow traffic to various Azure destinations
  • The most important rule is to block internet traffic with the "Internet" service tag, and put the other rules below it in priority
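To make the rule-ordering point concrete, here is an added Python model of NSG outbound evaluation (my own illustration, not Microsoft's code or anything from the post): the first match in ascending priority number wins, and the Internet tag also matches Azure-hosted addresses, so the AzureCloud allow has to carry a lower priority number than the Internet deny. The service-tag prefixes, the external listener address and the Azure dependency address are constructed placeholders, not real ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder prefixes (RFC 5737 test networks), NOT the real service-tag ranges.
SERVICE_TAGS = {
    "AzureCloud": ["203.0.113.0/24"],   # stands in for Azure-hosted destinations
    "VirtualNetwork": ["10.0.0.0/16"],  # the integration VNet address space
    "*": ["0.0.0.0/0"],
}

# Azure's built-in default outbound rules, always evaluated after the custom ones.
DEFAULT_OUTBOUND = [
    ("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    ("AllowInternetOutBound", 65001, "Allow", "Internet"),
    ("DenyAllOutBound", 65500, "Deny", "*"),
]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    dest_tag: str   # destination service tag

def in_tag(tag: str, ip: ipaddress.IPv4Address) -> bool:
    # "Internet" is every public address outside the VNet, so it also covers AzureCloud.
    if tag == "Internet":
        return not in_tag("VirtualNetwork", ip)
    return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS[tag])

def evaluate_outbound(custom_rules, dst: str):
    """Return (access, rule_name): the first match in ascending priority wins."""
    ip = ipaddress.ip_address(dst)
    rules = list(custom_rules) + [Rule(*r) for r in DEFAULT_OUTBOUND]
    for rule in sorted(rules, key=lambda r: r.priority):
        if in_tag(rule.dest_tag, ip):
            return rule.access, rule.name
    return "Deny", "implicit"

# The post's configuration: allow AzureCloud, deny the Internet tag. The allow needs the
# lower priority number, otherwise the Internet deny shadows it.
HARDENED = [Rule("AllowAzureCloudOut", 100, "Allow", "AzureCloud"),
            Rule("DenyInternetOut", 200, "Deny", "Internet")]
MISORDERED = [Rule("DenyInternetOut", 100, "Deny", "Internet"),
              Rule("AllowAzureCloudOut", 200, "Allow", "AzureCloud")]

if __name__ == "__main__":
    for dst in ("198.51.100.7", "203.0.113.10", "10.0.5.5"):  # constructed: external listener, Azure dep, VNet peer
        print(dst, evaluate_outbound([], dst), evaluate_outbound(HARDENED, dst), evaluate_outbound(MISORDERED, dst))
```

The NSG only sees traffic that the integration actually routes into the subnet, which is what the app setting from the linked section (WEBSITE_VNET_ROUTE_ALL=1) is for; without it only private-range destinations traverse the VNet.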

Expected result

Ending words

Configuring network settings on App Service is a breeze these days! Maybe the next blog post will be on some more advanced configurations.

Br, Joosua

Till next time!
