Check for Unrestricted SSH Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: (act immediately)

Check your Google Cloud Virtual Private Cloud (VPC) firewall rules for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 and restrict the access to trusted IP addresses or IP ranges only in order to implement the principle of least privilege and reduce the attack surface. TCP port 22 is used for secure remote login by connecting an SSH client application with an SSH server.

Security

VPC firewall rules control incoming and outgoing traffic to the VM instances available within your VPC network. Exposing Secure Shell (SSH) port 22 to the Internet can increase opportunities for malicious activities such as hacking, Man-In-The-Middle attacks (MITM) and brute-force attacks, therefore it is strongly recommended to configure your Google Cloud VPC firewall rules to limit inbound traffic on TCP port 22 to known IP addresses only.


Audit

To determine if your VPC firewall rules allow unrestricted access on TCP port 22 (SSH), perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall rules, click inside the Filter table box, set Type to Ingress and Disabled to False, to list all the inbound/ingress rules enabled for the selected project.

05 Check the filtered list for any inbound rules with the Protocols / ports attribute set to tcp:22 or tcp:0-65535, Action to Allow, and Filters to IP ranges: 0.0.0.0/0. If one or more rules match the filtering criteria, there are VPC firewall rules that allow unrestricted access on TCP port 22, defined for the selected project, therefore the SSH access to the associated Google Cloud VM instances is not secured.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-project5-stack-123123
cc-production-app-112233

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name of each VPC network created inside the selected GCP project:

gcloud compute networks list
	--project cc-project5-stack-123123
	--format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the selected project:

NAME
cc-web-stack-network

05 Run compute firewall-rules list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as identifier parameter and custom filtering to describe all the firewall rules defined for the selected Virtual Private Cloud (VPC):

gcloud compute firewall-rules list
	--filter network=cc-web-stack-network
	--sort-by priority
	--format=table"(name,disabled,direction,sourceRanges,allowed[].map().firewall_rule().list())"

06 The command output should return the information available for the existing VPC firewall rules:

NAME                   DISABLED  DIRECTION  SOURCE_RANGES     ALLOW
cc-web-allow-icmp      True      INGRESS    ['0.0.0.0/0']     icmp
cc-web-allow-internal  False     INGRESS    ['10.128.0.0/9']  tcp:0-65535,udp:0-65535,icmp
cc-web-allow-ssh       False     INGRESS    ['0.0.0.0/0']     tcp:22

Check the compute firewall-rules list command output for any enabled firewall rules (i.e. DISABLED flag set to False) with the DIRECTION set to INGRESS, SOURCE_RANGES set to ['0.0.0.0/0'], and ALLOW set to tcp:22 or tcp:0-65535. If one or more rules match the search criteria, there are VPC firewall rules that allow unrestricted access on TCP port 22, defined for the selected VPC, therefore the SSH access to the associated Google Cloud VM instances is not secured.

07 Repeat step no. 5 and 6 for each VPC network created for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To update your VPC network firewall rule configuration in order to restrict Secure Shell (SSH) access to trusted, authorized IP addresses or IP ranges only, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select Firewall rules to access the list of VPC firewall rules created for the selected project.

05 Click on the name of the firewall rule that allows unrestricted inbound access on TCP port 22 (see Audit section part I to identify the right rule), then click on the Edit button from the dashboard top menu to access the rule configuration settings.

06 On the selected rule configuration page, perform the following actions:

  1. Remove the overly permissive 0.0.0.0/0 IP range from the Source IP ranges field to deny unrestricted (public) inbound access on TCP port 22 (SSH).
  2. Type the source IP address(es) or IP address range(s) into the Source IP ranges field to define the source for the incoming traffic on TCP port 22. The allowed IP address blocks must be specified in CIDR format (e.g. 10.0.2.0/24). The IP range(s) can include addresses inside your VPC network and addresses outside the network. Source IP range(s) can be used to define sources both inside and outside Google Cloud Platform (GCP).
  3. Click Save to apply the configuration changes.

07 If required, repeat step no. 5 and 6 to reconfigure other VPC firewall rules that allow unrestricted inbound access on TCP port 22 (SSH).

08 Repeat steps no. 2 – 7 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run compute firewall-rules update command (Windows/macOS/Linux) to reconfigure the firewall rule that allows unrestricted inbound access on TCP port 22 (see Audit section part II to identify the right rule) by replacing the overly permissive 0.0.0.0/0 IP source range with a trusted, authorized IP address or IP range. The IP range(s) can include addresses inside your VPC network and addresses outside the network. The allowed IP address blocks must be specified in CIDR format. You can specify a single value (e.g. 10.0.1.5/32) or a comma-separated list of multiple values (e.g. 10.0.1.5/32, 10.0.2.0/24):

gcloud compute firewall-rules update cc-web-allow-ssh
	--allow tcp:22
	--source-ranges=10.0.2.0/24
	--description="Allow SSH from trusted IP range"

02 The command output should return the ID of the reconfigured VPC firewall rule:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/firewalls/cc-web-allow-ssh].

03 If required, repeat step no. 1 and 2 to reconfigure other VPC firewall rules that allow unrestricted inbound access on TCP port 22 (SSH).

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Mar 12, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for Unrestricted SSH Access

Risk level: