I wanted to quickly document the settings I've configured for App Service in order to harden its network side.
Disclaimer: This post doesn't cover the background of reverse shells or network hardening of App Service in general; it documents one method of preventing reverse shells that don't rely on DNS tunneling on App Service. The testing was highly experimental. Before implementing outbound restrictions on your App Service app or function, research its dependencies thoroughly and do extensive testing before any production change.
- Short background
- Testing reverse Shell on App Service
- VNET settings for App Service on Linux used to mitigate reverse shell
- It's really good to get alerts on reverse shells from Azure Security Center in the first place (this is written for VMs, but it has a neat description of reverse shells)
- Even better is to investigate whether your app design allows blocking the outbound network connectivity a reverse shell requires (DNS tunneling is another subject…)
- I've also written some specifics on VNET integration in App Service: App Service – Key Vault Vnet Service Endpoint access options explored + NodeJS runtime examples
Testing reverse Shell on App Service
The easiest way to test a reverse shell on App Service is the ’Open an SSH session to a Linux container in Azure App Service’ method detailed here
- An attacker can get a reverse shell on the app in many ways, Remote Code Execution being one example
- Reverse shells are attractive to an attacker because they don't require inbound SSH connectivity to the compromised resource. It's enough that the compromised resource allows outbound connections
Successful Reverse Shell on App Service
Blocking Reverse Shell
VNET settings for App Service on Linux used to mitigate reverse shell
- You might need to adjust these per use case. It's important to understand that with this configuration, outbound-initiated connections to internet destinations are blocked unless you allow them explicitly, so every external dependency of the app has to be allow-listed.
For further info check the excellent article at https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options
- In order for the subnet NSG to apply to the app's outbound traffic, you must configure the following app setting (WEBSITE_VNET_ROUTE_ALL = 1, which routes all outbound traffic, not only private RFC1918 ranges, through the VNET integration)
- App Service VNET settings
- Subnet NSG
- The AzureCloud service tag is used to allow traffic to the Azure destinations the app depends on
- The most important rule denies outbound traffic to the ”Internet” service tag. The allow rules must have a lower priority number than the deny so they are evaluated first; in particular, the Internet tag also covers Azure-owned public IP space, so the AzureCloud allow has to sort before the Internet deny or it never matches
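The configuration described above (delegated subnet with the NSG, VNET integration for the app, and the app setting that routes all outbound traffic into the VNET) as one Bicep deployment. This is an added example and not the author's original template; the resource names, address ranges, the existing Linux app referenced by `siteName`, and the choice to limit the AzureCloud allow to port 443 are assumptions made for illustration.

```bicep
// Added example, not the original post's configuration. Names, address
// ranges and the pre-existing Linux App Service app are assumptions.
param location string = resourceGroup().location
param siteName string                       // existing Linux App Service app (assumed)
param vnetName string = 'app-vnet'
param subnetName string = 'appsvc-integration'

// Subnet NSG. Lower priority number = evaluated first, so the explicit
// allows come before the catch-all Internet deny. The Internet tag includes
// Azure public IP space, so the AzureCloud allow must sort before the deny.
resource nsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-${subnetName}'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-AzureCloud-Outbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'AzureCloud'
          destinationPortRange: '443'   // assumed; widen if a dependency needs other ports
        }
      }
      {
        name: 'Deny-Internet-Outbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          networkSecurityGroup: {
            id: nsg.id
          }
          // Regional VNET integration requires the subnet to be delegated to App Service
          delegations: [
            {
              name: 'appsvc'
              properties: {
                serviceName: 'Microsoft.Web/serverFarms'
              }
            }
          ]
        }
      }
    ]
  }
}

resource site 'Microsoft.Web/sites@2022-03-01' existing = {
  name: siteName
}

// Regional VNET integration for the app
resource vnetIntegration 'Microsoft.Web/sites/networkConfig@2022-03-01' = {
  parent: site
  name: 'virtualNetwork'
  properties: {
    subnetResourceId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName)
    swiftSupported: true
  }
}

// Without this setting only private (RFC1918) traffic is routed into the VNET,
// and the NSG never sees an internet-bound connection such as a reverse shell.
resource appSettings 'Microsoft.Web/sites/config@2022-03-01' = {
  parent: site
  name: 'appsettings'
  properties: {
    WEBSITE_VNET_ROUTE_ALL: '1'
  }
}
```

Two things to check before deploying this against a real app: the `appsettings` config resource replaces the whole app settings collection, so merge `WEBSITE_VNET_ROUTE_ALL` into your existing settings rather than deploying this block as-is, and after deployment confirm from the container's SSH session that the app's legitimate dependencies (including name resolution) still work while a connection to an arbitrary public IP times out.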
Configuring network settings on App Service is a breeze these days! Maybe the next blog post will cover some more advanced configurations.
Till next time!