

Ensure no network security groups allow ingress from to port 22 (Automated)


Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. Best practices recommend that no security group allows unrestricted ingress to port 22.


From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type Advanced Resource Query and hit enter.

  4. Click the Advanced Resource Query button in the upper right corner of the screen.

  5. Enter the following query in the query box:

    query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'
  6. For each of the network security groups in the returned results, click the name and inspect each of the security rules.

  7. Identify security rules with direction: Ingress, Source:, and Destination Port Range including port: 22.

  8. Either Edit the Security rules to restrict the source and/or port range or delete the rule.

From CLI:

  1. Execute the following command:

    for region in $(oci iam region list | jq -r '.data[] | .name')
    do
      echo "Enumerating region $region"
      for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
      do
        echo "Enumerating compartment $compid"
        for nsgid in $(oci network nsg list --compartment-id $compid --region $region --all 2>/dev/null | jq -r '.data[] | .id')
        do
          output=$(oci network nsg rules list --nsg-id=$nsgid --region $region --all 2>/dev/null | jq -r '.data[] | select(.source == "" and .direction == "INGRESS" and ((."tcp-options"."destination-port-range".max >= 22 and ."tcp-options"."destination-port-range".min <= 22) or ."tcp-options"."destination-port-range" == null))')
          if [ ! -z "$output" ]; then echo "nsgid=", $nsgid, "Security Rules=", $output; fi
        done
      done
    done
  2. For each of the network security group security rules identified either:

    • Remove the security rules (the rule ids come from the `id` field in the output above)

      oci network nsg rules remove --nsg-id=<nsg-id> --security-rule-ids='["<security-rule-id>"]'


    • Update the security rules

      oci network nsg rules update --nsg-id=<nsg-id> --security-rules='[<updated security-rules JSON (without isValid and TimeCreated fields)>]'

      For example:

      oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "", "source-type": "cidr_block", "tcp-options": { "destination-port-range": { "max": 22, "min": 22 }, "source-port-range": null }, "udp-options": null }]'
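The following is an added worked version of the CLI check in Python; it is not part of the benchmark and not Oracle's code. It runs the same filter as the jq expression above over a constructed sample shaped like `oci network nsg rules list` output, and goes one step further by skipping UDP and ICMP rules, which the jq expression would also flag because their tcp-options are null. It assumes the unrestricted source is the any-address CIDR 0.0.0.0/0 (that value is an assumption, not taken from the page).

```python
import json

# Assumption: "unrestricted" means the any-address CIDR (not stated on the page).
UNRESTRICTED_SOURCE = "0.0.0.0/0"
SSH_PORT = 22

# Constructed sample in the shape of `oci network nsg rules list` output.
SAMPLE_RULES_JSON = json.dumps({"data": [
    {"id": "r1", "direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0",
     "source-type": "CIDR_BLOCK", "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"id": "r2", "direction": "INGRESS", "protocol": "6", "source": "10.0.0.0/8",
     "source-type": "CIDR_BLOCK", "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"id": "r3", "direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0",
     "source-type": "CIDR_BLOCK", "tcp-options": None},                 # all TCP ports
    {"id": "r4", "direction": "INGRESS", "protocol": "all", "source": "0.0.0.0/0",
     "source-type": "CIDR_BLOCK", "tcp-options": None},                 # every protocol
    {"id": "r5", "direction": "INGRESS", "protocol": "17", "source": "0.0.0.0/0",
     "source-type": "CIDR_BLOCK", "tcp-options": None,
     "udp-options": {"destination-port-range": {"min": 53, "max": 53}}},  # UDP only
    {"id": "r6", "direction": "EGRESS", "protocol": "6", "source": None,
     "destination": "0.0.0.0/0", "tcp-options": None},                  # egress, ignored
    {"id": "r7", "direction": "INGRESS", "protocol": "6", "source": "0.0.0.0/0",
     "source-type": "CIDR_BLOCK", "tcp-options": {"destination-port-range": {"min": 1024, "max": 2048}}},
]})


def rule_exposes_port(rule, port=SSH_PORT):
    """True if this NSG rule admits TCP traffic to `port` from the unrestricted source."""
    if rule.get("direction") != "INGRESS":
        return False
    if rule.get("source") != UNRESTRICTED_SOURCE:
        return False
    # Only TCP ("6") or all protocols ("all") can carry SSH; the page's jq
    # does not check protocol, so UDP/ICMP rules with null tcp-options would
    # be reported as false positives there.
    if rule.get("protocol") not in ("6", "all"):
        return False
    port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
    if port_range is None:
        return True  # no TCP range given: the rule covers every destination port
    return port_range["min"] <= port <= port_range["max"]


def find_exposed_rules(rules_json, port=SSH_PORT):
    """Return the ids of rules that expose `port` to the unrestricted source."""
    rules = json.loads(rules_json)["data"]
    return [r["id"] for r in rules if rule_exposes_port(r, port)]


if __name__ == "__main__":
    print(find_exposed_rules(SAMPLE_RULES_JSON))  # r1, r3, r4
```

The same function with `port=3389` performs the RDP variant of the check mentioned in the closing note.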


For updating an existing environment, take care to ensure that administrators currently relying on an existing ingress from have access to ports 22 and/or 3389 through another network security group or security list.