Google Cloud VPC
      Back to home
      1. Knowledge Base
      2. GCP Knowledge Base
      3. Google Cloud VPC

      Open SSH

      RISK LEVEL

      High


      DESCRIPTION

      This plugin determines if TCP port: 22 for SSH is open to the public. Also, it consists of valid steps or measures to be taken to avoid unhealthy vulnerability to all IP addresses ranges i.e. 0.0.0.0/0. While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses.


      ABOUT THE SERVICE

      Google Cloud VPC:

      According to Google definitions, VPC which stands for a Virtual Private Network is a virtual version of a physical layer, implemented inside of Google’s Production Network, using Andromeda. The Virtual Private Network offers various features including, connectivity for your Compute Engine Virtual Machine (VM) instances, Google Kubernetes Engine (GKE) clusters, etc. It helps to load balancing and proxy systems for internal system affairs. It even allows assistance in the traffic from Google Cloud external load to backends. Users can have the advantage of containing multiple VPC Networks over a single GCP Project. Various default features are already enabled with VPC Networks, for instance, logging metadata is incorporated into your Virtual Private Cloud (VPC) firewall log files. Click here to read more about Google Cloud VPC Networks.


      IMPACT

      SSH is an acronym that stands for Secure Shell. VPC firewall rules control approaching and active traffic to the VM occurrences accessible inside your VPC organization. Uncovering Secure Shell (SSH) port 22 to the Internet can expand openings for malignant exercises, for example, hacking, Man-In-The-Middle assaults (MITM), and savage power assaults, along these lines it is unequivocally prescribed to arrange your Google Cloud VPC firewall rules to restrict inbound traffic on TCP port 22 to realized IP tends to only. Check your Google Cloud Virtual Private Cloud (VPC) firewall decides for inbound principles that permit unhindered access (for example 0.0.0.0/0) on TCP port 22 and confine the admittance to believed IP locations or IP runs simply to carry out the guideline of least advantage and lessen the assault surface. TCP port 22 is utilized for secure remote login by associating an SSH customer application with an SSH server.


      STEPS TO REPRODUCE

      Using GCP Console-

      In order to determine if your Google Cloud Virtual Private Cloud Firewall Rules permits access without restrictions on TCP port:22, follow the steps mentioned below:

      1. Firstly, use the administrator account for signing up to Google Cloud Platform Console.
      2. Now, from the top navigation bar, select the GCP Project you want to investigate in.
      3. From the Navigation Menu on the left, you may find the Networking section.
      4. Click on the VPC Network subsection under Networking.
      5. Under the VPC Network navigation panel, you may find Firewall as shown in the figure below. 
      6. Click on the Firewall navigation link and a VPC Network Firewall dashboard will appear on the screen. Click to open directly from here. 
      7. On the Firewall dashboard, reach the Filter option in the table and click on it.
      8. Set the values of properties in the Filter option as:
        1. Disabled: False
        2. Type: Ingress

      9. Under Step 8.a, by setting Disabled property to False, it will list down all the egress and ingress rules enabled in your selected GCP Project for all the resources.
      10. Under Step 8.b, by setting Type property to Ingress, it will list down all the ingress rules enabled in your selected GCP Project for all the resources.
      11. Among the filtered list of firewall rules, check for the inbound rules with Protocols or Ports attribute equal to tcp:22 or tcp:0-65535.
      12. Now check for other attributes, if Action is set to Allow and Filters is set to IP ranges: 0.0.0.0/0.
      13. If there exist rules which are fit this criterion, that means there are VPC Network firewall rules that allow unrestricted access on TCP port:22. Hence, the SSH access to that associated GCP VM instance is unsecured.
      14. This way you can check out if the SMTP access is unsecured or secured for the Virtual Private Cloud Network firewall rules.
      15. Repeat the steps mentioned above for reviewing accounts in other folders/projects associated with other GCP organizations deployed within your record.


      STEPS FOR REMEDIATION

      Using GCP Console-

      In order to update or reestablish your VPC network firewall rules configuration to restrict  Secure Shell (SSH) access for trusted authorized IP addresses or IP ranges only, follow the steps given below:

      1. Firstly, use the administrator account for signing up to Google Cloud Platform Console.
      2. Now, from the top navigation bar, select the GCP Project you want to investigate in.
      3. From the Navigation Menu on the left, you may find the Networking section.
      4. Click on the VPC Network subsection under Networking.
      5. Under the VPC Network navigation panel, you may find Firewall as shown in the figure below. 
      6. Click on the Firewall navigation link and a VPC Network Firewall dashboard will appear on the screen. Click to open directly from here. 
      7. On the Firewall dashboard, reach the Filter option in the table and click on it.
      8. Set the values of properties in the Filter option as:
        1. Disabled: False
        2. Type: Ingress

      9. Under Step 8.a, by setting Disabled property to False, it will list down all the egress and ingress rules enabled in your selected GCP Project for all the resources.
      10. Under Step 8.b, by setting Type property to Ingress, it will list down all the ingress rules enabled in your selected GCP Project for all the resources.
      11. Among the filtered list of firewall rules, check for the inbound rules with Protocols or Ports attribute equal to tcp:22.
      12. Now check for other attributes, if Action is set to Allow and Filters is set to IP ranges: 0.0.0.0/0.
      13. Click on the name of the rule that fits the steps 11, 12 criteria to reconfigure the settings. A new page of that firewall network rule will be opened.
      14. Now, click on the Edit button present at the top of the dashboard page.
      15. Remove the non-compliant or non-biddable 0.0.0.0/0 IP address range under the Source IP ranges configuration section. This is done to deny public inbound access on port:22 of TCP in SSH.
      16. Now, type the IP address ranges into the Source IP ranges configuration section. The entered IP address range must be in desired CIDR format like 10.128.0.0/9. The IP range can have addressed included in your VPC network and even outside of your network.
      17. After ensuring your edited options, click on SAVE  Button to apply changes and go back to the previous page.
      18. You may repeat steps 11-16 for other firewall rules with TCP port: 22 in your GCP Project.
      19. You may repeat the above steps for other GCP Projects under your organization.