VPC firewall rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)

Description

VPC firewall rules should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Remediation Steps

Google Cloud Console

  • Navigate to VPC networks.

  • In the left navigation, select Firewall.

  • Click the firewall rule whose Protocols/ports column shows "tcp:22" (an allow rule for SSH) and whose Filters column shows "IP ranges: 0.0.0.0/0" (any source on the internet).

  • Click EDIT.

  • Under Source IPv4 ranges, replace 0.0.0.0/0 with the specific trusted CIDR range(s) that need SSH access, for example a bastion host's address, your corporate egress range, or the Identity-Aware Proxy TCP forwarding range 35.235.240.0/20 if you tunnel SSH through IAP.

  • Click Save.

gcloud CLI

  • To update a firewall rule with a restricted source IP range (note that --source-ranges on update replaces the rule's existing source ranges rather than appending to them, and --allow replaces the existing allow list, so restate every protocol/port the rule should keep):

    • gcloud compute firewall-rules update FIREWALL_NAME --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]
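The steps above describe one rule at a time. The following added example (not part of the original page or of Google's tooling) shows how to audit an exported rule set for the finding and to produce the matching gcloud remediation command. It expects the JSON emitted by `gcloud compute firewall-rules list --format=json`; the `SAMPLE_RULES` list below is constructed in that shape so the script runs offline. Rule priority is deliberately not evaluated: an internet-wide allow on tcp/22 is reported even if a higher-priority deny exists, which is the conservative choice for an audit.

```python
"""Audit exported VPC firewall rules for SSH (tcp/22) open to the internet.

This is an added example, not part of the benchmark page. Run
    gcloud compute firewall-rules list --format=json > rules.json
and pass the parsed list to find_open_ssh_rules(). SAMPLE_RULES below is
constructed to exercise the cases the check has to get right.
"""
import json
from typing import Dict, List

INTERNET_RANGES = {"0.0.0.0/0", "::/0"}   # "anywhere" for IPv4 and IPv6


def _port_covered(port_spec: str, port: int) -> bool:
    """True if a gcloud port spec ("22" or "20-25") includes `port`."""
    if "-" in port_spec:
        low, high = port_spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(port_spec) == port


def allows_port_from_internet(rule: Dict, port: int = 22) -> bool:
    """True if an enabled INGRESS allow rule exposes tcp/<port> to 0.0.0.0/0 or ::/0.

    Deny rules have no "allowed" list and are never flagged. Priority between
    rules is not evaluated (see the lead-in): an internet-wide allow is
    reported even when a higher-priority deny also exists.
    """
    if rule.get("disabled"):
        return False
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not INTERNET_RANGES & set(rule.get("sourceRanges", [])):
        return False
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        if any(_port_covered(p, port) for p in ports):
            return True
    return False


def find_open_ssh_rules(rules: List[Dict]) -> List[str]:
    """Names of rules that allow SSH from the internet, in list order."""
    return [r["name"] for r in rules if allows_port_from_internet(r, 22)]


def remediation_command(rule: Dict, trusted_ranges: List[str]) -> str:
    """gcloud command that keeps the rule's allow list but narrows its sources.

    --source-ranges on `update` replaces the existing ranges outright, so the
    trusted ranges passed here become the only permitted sources.
    """
    allow_specs = []
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"]
        ports = entry.get("ports") or []
        allow_specs.extend(f"{proto}:{p}" for p in ports)
        if not ports:
            allow_specs.append(proto)
    return (f"gcloud compute firewall-rules update {rule['name']} "
            f"--allow={','.join(allow_specs)} "
            f"--source-ranges={','.join(trusted_ranges)}")


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES: List[Dict] = json.loads("""
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "ops-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-ftp-telnet-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
  {"name": "allow-all-tcp-v6", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8", "::/0"], "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "retired-allow-ssh", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "egress-ssh", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "deny-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
""")

if __name__ == "__main__":
    for name in find_open_ssh_rules(SAMPLE_RULES):
        rule = next(r for r in SAMPLE_RULES if r["name"] == name)
        print(f"{name}: open to the internet on tcp/22")
        print("  fix: " + remediation_command(rule, ["203.0.113.0/24"]))
```

The sample deliberately includes the cases that a naive string match for "22" and "0.0.0.0/0" gets wrong: a port range that covers 22, an allow with no port list (every TCP port), the IPv6 "anywhere" range, a disabled rule, an egress rule, and a deny rule. The trusted range 203.0.113.0/24 is a documentation address block used here as a placeholder.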

Terraform

  • Ensure that the rule denies ingress to TCP port 22, or that any allow rule for port 22 sets source_ranges to trusted addresses rather than 0.0.0.0/0. A deny block must name its protocol; a deny rule also blocks your own administrators unless a higher-priority (lower-numbered) allow rule exists for their trusted ranges.

deny {
  protocol = "tcp"
  ports    = ["22"]
}

Example Configuration

resource "google_compute_firewall" "rules" {
  project     = var.project_id # Replace this with your project ID in quotes
  name        = "my-firewall-rule"
  network     = "default"
  description = "Creates firewall rule that does not permit ingress from '0.0.0.0/0' to port 22 (SSH)"
  direction   = "INGRESS"
  # source_ranges is left unset: for an ingress rule this defaults to 0.0.0.0/0,
  # so the deny applies to every source.
  priority    = 1000 # Lower number wins; must beat any allow rule for tcp:22 (default-allow-ssh is 65534)
  deny {
    protocol = "tcp" # required in a deny block
    ports    = ["22"]
  }
}