VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)
Description
VPC firewall rules should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.
Remediation Steps
Google Cloud Console
Navigate to VPC networks.
In the left navigation, select Firewall.
Click the firewall rule that has Protocols/ports set to "ssh:22" and Filters set to "IP ranges: 0.0.0.0/0".
Click EDIT.
Modify Source IP ranges to a specific IP.
Click Save.
gcloud CLI
To update a firewall with a new source IP range:
gcloud compute firewall-rules update FIREWALL_NAME --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]
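Before updating rules by hand, it helps to find every rule in the project that matches this finding. The script below is an added example (not part of this page or of gcloud) that takes the list parsed from `gcloud compute firewall-rules list --format=json` and flags enabled INGRESS rules whose source range is the whole internet and whose allow entry covers TCP port 22, including port ranges such as "20-30", the "all" port keyword, an allow entry with no ports (every port of that protocol), and IPProtocol "all". Treating "::/0" as equivalent to "0.0.0.0/0" is this example's own assumption; SAMPLE_RULES is constructed data in the shape gcloud emits.

```python
"""Flag VPC firewall rules that allow ingress from the whole internet to TCP/22.
Input: the list obtained by json.load()-ing the output of
`gcloud compute firewall-rules list --format=json` (sample data constructed below)."""

OPEN_WORLD = {"0.0.0.0/0", "::/0"}  # "::/0" (IPv6 any) is added here as an assumption

def port_spec_covers(spec: str, port: int) -> bool:
    """True if a gcloud port spec ("22", "20-30" or "all") covers `port`."""
    if spec == "all":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port

def rule_exposes_port(rule: dict, port: int = 22) -> bool:
    """Enabled INGRESS rule with an open-world source and an allow covering tcp/<port>."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not OPEN_WORLD & set(rule.get("sourceRanges", [])):
        return False
    for entry in rule.get("allowed", []):  # "denied" entries never expose a port
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")  # missing "ports" means every port of the protocol
        if not ports or any(port_spec_covers(p, port) for p in ports):
            return True
    return False

def find_exposed_rules(rules: list, port: int = 22) -> list:
    return [r["name"] for r in rules if rule_exposes_port(r, port)]

SAMPLE_RULES = [  # constructed sample rules, not real project data
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-range-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-30"]}]},
    {"name": "allow-all-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-ssh-corp", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-disabled", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "disabled": True, "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
```

The check looks at each rule in isolation and does not model priority ordering, so a higher-priority deny rule that shadows a flagged allow rule still produces a finding; the flagged names are the candidates for the `gcloud compute firewall-rules update` command above.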
Terraform
Ensure that you deny any ingress to port 22 (the `protocol` argument is required in a `deny` block):
deny {
  protocol = "tcp"
  ports    = ["22"]
}
Example Configuration
resource "google_compute_firewall" "rules" {
  project     = var.project_id # Replace this with your project ID in quotes
  name        = "my-firewall-rule"
  network     = "default"
  description = "Creates firewall rule that does not permit ingress from '0.0.0.0/0' to port 22 (SSH)"

  # A deny block must name its protocol; without it the configuration fails validation.
  deny {
    protocol = "tcp"
    ports    = ["22"]
  }
}