Context
From security audit (#114). Port 22 is currently open to 0.0.0.0/0 in the EC2 security group (infrastructure/pulumi/index.ts:26-30).
While password authentication is disabled and only key-based authentication is allowed, restricting the SSH source IPs still reduces the attack surface exposed to brute-force attempts.
Action
- Determine the set of IPs/CIDRs that need SSH access
- Update the security group ingress rule in Pulumi
- Consider adding fail2ban as an additional layer
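Added example (not code from this issue or from infrastructure/pulumi/index.ts): a plain-TypeScript model of the ingress rule, using the same object shape that `aws.ec2.SecurityGroup` takes in its `ingress` list, with a guard that fails the Pulumi program before `pulumi up` if port 22 is still reachable from 0.0.0.0/0. The allow-list CIDRs are constructed sample values, and the function names are mine.

```typescript
// Shape of one entry in the `ingress` list passed to aws.ec2.SecurityGroup.
interface IngressRule {
  protocol: string;          // "tcp", "udp", or "-1" for all protocols
  fromPort: number;
  toPort: number;
  cidrBlocks: string[];
  ipv6CidrBlocks?: string[];
  description?: string;
}

const IPV4_CIDR = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/;

// Reject malformed IPv4 CIDRs up front; otherwise the error only surfaces
// when AWS rejects the rule during the Pulumi update.
function isValidCidr(cidr: string): boolean {
  const m = IPV4_CIDR.exec(cidr);
  if (!m) return false;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  return octets.every(o => o >= 0 && o <= 255) && prefix <= 32;
}

// Build the port 22 rule from an explicit allow-list (the "after" state).
function sshIngress(allowedCidrs: string[]): IngressRule {
  const bad = allowedCidrs.filter(c => !isValidCidr(c));
  if (bad.length > 0) throw new Error(`malformed CIDR(s): ${bad.join(", ")}`);
  return { protocol: "tcp", fromPort: 22, toPort: 22,
           cidrBlocks: allowedCidrs, description: "SSH from admin CIDRs" };
}

// Guard: true when any rule covering port 22 admits the whole internet.
// Handles the all-protocols rule ("-1") and a /0 prefix on any address.
function sshOpenToWorld(rules: IngressRule[]): boolean {
  return rules.some(r => {
    const coversSsh = r.protocol === "-1" ||
      (r.protocol === "tcp" && r.fromPort <= 22 && r.toPort >= 22);
    const anyV4 = r.cidrBlocks.some(c => c.endsWith("/0"));
    const anyV6 = (r.ipv6CidrBlocks ?? []).some(c => c.endsWith("/0"));
    return coversSsh && (anyV4 || anyV6);
  });
}

// The "before" state described in the audit finding.
const currentRules: IngressRule[] = [
  { protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] },
];
// Constructed sample allow-list; replace with the CIDRs found in step 1.
const restrictedRules: IngressRule[] = [sshIngress(["203.0.113.10/32", "198.51.100.0/24"])];
```

In the real program, pass `restrictedRules` as the `ingress` argument and call `sshOpenToWorld` on it first, throwing if it returns true, so a regression to 0.0.0.0/0 fails the deployment instead of landing silently.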
Severity
Medium — mitigated by key-only auth.