Testing log – Blocking reverse shell from App Service (Linux) while allowing access to management and Azure Services

I wanted to quickly document some settings I’ve configured for app service, in order to harden the network side of App Service.

Disclaimer: The post doesn’t highlight background on reverse shells, or network hardening of App Service in general, as its about documenting the method of preventing non dns-tunneling based reverse shells on App Service – Also testing is highly experimental, before implementing outbound restrictions on your app service app / function, research the dependencies thoroughly, and do extensive testing before any production change

Post Contents

• Short background
• Testing reverse Shell on App Service
  • Successful Reverse Shell on App Service
  • Blocking Reverse Shell
• VNET settings for App Service on Linux used to mitigate reverse shell

Short background

• It’s really good to get alerts from Reverse Shells from Azure Security Center in the first place (This is for VM’s but has neat description on reverse shells)

• Even better is to investigate whether your app design allows blocking outbound network connectivity by required by reverse shell (DNS tunneling is another subject…)
• I’ve written also some specifics to VNET integration in App Service App Service – Key Vault Vnet Service Endpoint access options explored + NodeJS runtime examples

Testing reverse Shell on App Service

Easiest way to test the reverse shell on App Service is using the ’Open an SSH session to a Linux container in Azure App Service’ method detailed here

• Getting reverse shell on app can happen in many ways, Remote Code Execution being one of the examples
  • Reverse Shells are good, because they don’t require inbound SSH connectivity in the compromised resource. Its enough that the compromised resource allows outbound connections

Successful Reverse Shell on App Service

Blocking Reverse Shell

VNET settings for App Service on Linux used to mitigate reverse shell

• You might need to adjust these per use case, as Its good to understand, that for this configuration you need to allow internet based (outbound initiated) destinations exclusively.

For further info check the excellent article at https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options

• In order to apply the NSG for the app service you must configure the following app setting

• App Service VNET settings

• Subnet NSG

• AzureCloud is tagged to allow traffic to various Azure destinations
• Most important rule is to block internet with the ”Internet” tag, and put other rules below it in priority

Expected result

Ending words

Configuring network settings on App Service is a breeze these days! Maybe next blog shall be on some more advanced configurations

Br, Joosua

Till next time!