Network firewall rules should not permit ingress from 0.0.0.0/0 to port 22 (SSH)

Description

If SSH is open to the internet, attackers can attempt to gain access to VM instances. Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Remediation Steps

Google Cloud Console

  • Navigate to VPC networks.

  • In the left navigation, select Firewall.

  • Click the firewall rule that has Protocols/ports set to “tcp:22” and Filters set to “IP ranges: 0.0.0.0/0”.

  • Click EDIT.

  • Modify Source IP ranges to a specific IP.

  • Click Save.

gcloud CLI

  • To update a firewall rule with a new source IP range:

    • gcloud compute firewall-rules update FIREWALL_NAME --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]
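An added example, not part of this benchmark page or of gcloud: a Python check that audits the JSON produced by `gcloud compute firewall-rules list --format=json` and reports every enabled INGRESS rule reachable on TCP/22 from the whole internet. It goes slightly beyond the literal rule by also catching `::/0`, port ranges that contain 22 (such as `20-30`), and entries whose IPProtocol is `all` or `tcp` with no port list; the sample rules embedded below are constructed, not data from a real project.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (not data from a real project): one rule open to the world on tcp:22, one scoped
# to a bastion subnet, one open on a port range that happens to include 22.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.1.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-wide-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-30"]}]}
]
"""

def port_spec_covers(spec: str, port: int) -> bool:
    """True if a firewall port spec ("22" or "20-30") includes the port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allows_tcp_port(allowed: list, port: int) -> bool:
    """True if any 'allowed' entry permits TCP to the port. IPProtocol 'all',
    or 'tcp' with no 'ports' list, permits every port and must count too."""
    for entry in allowed:
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_spec_covers(p, port) for p in ports):
            return True
    return False

def is_unrestricted(source_ranges: list) -> bool:
    """True if a source range is the whole IPv4 or IPv6 internet (a /0)."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in source_ranges)

def find_open_ssh_rules(rules_json: str) -> list:
    """Names of enabled INGRESS rules reachable from anywhere on TCP/22."""
    return [
        r["name"] for r in json.loads(rules_json)
        if r.get("direction", "INGRESS") == "INGRESS"
        and not r.get("disabled", False)
        and is_unrestricted(r.get("sourceRanges", []))
        and allows_tcp_port(r.get("allowed", []), 22)
    ]
```

Run it against the real export with `find_open_ssh_rules(open("rules.json").read())`; every name it returns is a rule to scope down with the `--source-ranges` update shown above.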