SSH Access Is Not Restricted

  • Query id: b2fbf1df-76dd-4d78-a6c0-e538f4a9b016
  • Query name: SSH Access Is Not Restricted
  • Platform: Ansible
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

A Google Cloud firewall rule should not allow SSH access (TCP port 22) from the Internet (a public source range such as 0.0.0.0/0), in keeping with the principle of least privilege. Administrative access should be limited to known source ranges, for example a bastion host's CIDR or Google's IAP TCP-forwarding range, rather than the whole Internet.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: ssh_unrestricted
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    source_ranges:
    - "0.0.0.0/0"   # tcp/22 is allowed from every IPv4 address; this is what the query flags

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: ssh_restricted
  google.cloud.gcp_compute_firewall:
    name: test_object
    denied:   # an explicit deny on tcp/22 never exposes SSH, whatever the source range
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    source_ranges:
    - 0.0.0.0
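The check the query performs can be reproduced as a small static linter over the parsed playbook. The block below is an added example written for this page, not KICS's own query (which is written in Rego) and not part of the google.cloud collection; the function names are mine. It evaluates the dict form of the two samples above, exactly as yaml.safe_load would produce them, plus a few constructed tasks that show the edge cases a practitioner wants covered: a port range that hides 22, `ip_protocol: all` with no port list (every port), a bare `0.0.0.0` (a single host, not the Internet), and the usual remediation of allowing SSH only from Google's IAP TCP-forwarding range 35.235.240.0/20.

```python
"""Flag Ansible google.cloud.gcp_compute_firewall tasks that allow SSH from the Internet.

Added example for this page (not KICS or google.cloud code). Sample tasks are
constructed inline so the script runs offline; in practice feed it the list
returned by yaml.safe_load() on a playbook or task file.
"""
from ipaddress import ip_network

SSH_PORT = 22
FIREWALL_MODULES = {"google.cloud.gcp_compute_firewall", "gcp_compute_firewall"}


def is_unrestricted(cidr: str) -> bool:
    """True only for 0.0.0.0/0 or ::/0. A bare address such as '0.0.0.0' parses as a /32."""
    try:
        return ip_network(str(cidr), strict=False).prefixlen == 0
    except ValueError:
        return False


def port_spec_covers(spec, port: int) -> bool:
    """GCP port entries are a single port ('22') or an inclusive range ('20-30')."""
    lo, _, hi = str(spec).partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return lo_i <= port <= hi_i


def rule_allows_port(rule: dict, port: int) -> bool:
    """An allowed entry opens `port` if its protocol is tcp or all and its port list covers it."""
    proto = str(rule.get("ip_protocol", "")).lower()
    if proto not in ("tcp", "all"):
        return False
    ports = rule.get("ports")
    if not ports:  # no port list means every port of that protocol
        return True
    return any(port_spec_covers(p, port) for p in ports)


def task_exposes_ssh(task: dict) -> bool:
    """True when a present, enabled ingress rule allows tcp/22 from 0.0.0.0/0 or ::/0."""
    module = next((k for k in task if k in FIREWALL_MODULES), None)
    if module is None:
        return False
    params = task[module] or {}
    if params.get("state", "present") == "absent" or params.get("disabled"):
        return False
    if str(params.get("direction", "INGRESS")).upper() != "INGRESS":
        return False  # source_ranges only constrain ingress rules
    if not any(is_unrestricted(r) for r in params.get("source_ranges") or []):
        return False
    # 'denied' entries are ignored on purpose: a deny rule never exposes anything.
    return any(rule_allows_port(r, SSH_PORT) for r in params.get("allowed") or [])


def find_exposed_ssh(tasks: list) -> list:
    """Return the names of tasks that would be reported by the query."""
    return [t.get("name", "<unnamed>") for t in tasks if task_exposes_ssh(t)]


# Constructed sample input: the page's positive and negative samples plus extra cases.
SAMPLE_TASKS = [
    {  # page's positive sample: tcp/22 allowed from 0.0.0.0/0 -> flagged
        "name": "ssh_unrestricted",
        "google.cloud.gcp_compute_firewall": {
            "name": "test_object", "state": "present",
            "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}],
            "source_ranges": ["0.0.0.0/0"]}},
    {  # page's negative sample: a deny rule -> never flagged
        "name": "ssh_restricted",
        "google.cloud.gcp_compute_firewall": {
            "name": "test_object", "state": "present",
            "denied": [{"ip_protocol": "tcp", "ports": ["22"]}],
            "source_ranges": ["0.0.0.0"]}},
    {  # constructed: port range 20-30 includes 22, IPv6 any -> flagged
        "name": "ssh_hidden_in_range",
        "google.cloud.gcp_compute_firewall": {
            "name": "range_rule",
            "allowed": [{"ip_protocol": "tcp", "ports": ["20-30"]}],
            "source_ranges": ["10.0.0.0/8", "::/0"]}},
    {  # constructed: all protocols, no port list -> every port, flagged
        "name": "allow_everything",
        "google.cloud.gcp_compute_firewall": {
            "name": "wide_open",
            "allowed": [{"ip_protocol": "all"}],
            "source_ranges": ["0.0.0.0/0"]}},
    {  # constructed remediation: SSH only from Google's IAP TCP-forwarding range -> clean
        "name": "ssh_via_iap",
        "google.cloud.gcp_compute_firewall": {
            "name": "iap_ssh",
            "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}],
            "source_ranges": ["35.235.240.0/20"]}},
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "not a firewall task"}},
]

if __name__ == "__main__":
    for name in find_exposed_ssh(SAMPLE_TASKS):
        print(f"SSH exposed to the Internet: {name}")
```

Two caveats worth keeping in mind when using a check like this. It inspects each task in isolation, so it cannot tell whether a higher-priority deny rule in the same VPC shadows the open rule; the effective policy still has to be checked in the project. It also treats only /0 ranges as "the Internet", matching the query's intent; a large public block such as 1.0.0.0/8 is not flagged, even though it is rarely a legitimate SSH source.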