SSH Access Is Not Restricted
- Query id: b2fbf1df-76dd-4d78-a6c0-e538f4a9b016
- Query name: SSH Access Is Not Restricted
- Platform: Ansible
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description
Google Cloud firewall rules should not allow SSH access (port 22) from the Internet (a public CIDR block such as 0.0.0.0/0); exposing SSH to every source address violates the principle of least privilege. Ingress should be limited to known source ranges or source tags.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: ssh_unrestricted
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
      - ip_protocol: tcp
        ports:
          - '22'
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    source_ranges:
      - "0.0.0.0/0"   # tcp/22 allowed from any address on the Internet
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: ssh_restricted
  google.cloud.gcp_compute_firewall:
    name: test_object
    denied:
      - ip_protocol: tcp
        ports:
          - '22'
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    source_ranges:
      - 0.0.0.0
```
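As an added example (not part of the KICS query or of this page), the check below applies the rule's logic to Ansible task dictionaries: a `google.cloud.gcp_compute_firewall` task is flagged when one of its `allowed` entries covers tcp/22 (a single port, a port range, or no port list at all, which means every port of that protocol) and `source_ranges` contains a public range. The two tasks embedded are constructed to mirror the samples above; loading the playbook YAML into such dictionaries (for instance with PyYAML) is assumed to happen elsewhere.

```python
import ipaddress

MODULE = "google.cloud.gcp_compute_firewall"

# Constructed inputs mirroring the page's two samples (only the keys the check reads).
POSITIVE_TASK = {
    "name": "ssh_unrestricted",
    MODULE: {
        "name": "test_object",
        "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}],
        "source_ranges": ["0.0.0.0/0"],
        "state": "present",
    },
}
NEGATIVE_TASK = {
    "name": "ssh_restricted",
    MODULE: {
        "name": "test_object",
        "denied": [{"ip_protocol": "tcp", "ports": ["22"]}],
        "source_ranges": ["0.0.0.0"],
        "state": "present",
    },
}


def port_spec_covers(spec: str, port: int) -> bool:
    """True when a GCP port spec ('22' or '20-25') includes the given port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def allows_ssh(rule: dict) -> bool:
    """True when some 'allowed' entry lets tcp/22 through (no port list = all ports)."""
    for entry in rule.get("allowed") or []:
        proto = str(entry.get("ip_protocol", "")).lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_spec_covers(str(p), 22) for p in ports):
            return True
    return False


def has_public_source(rule: dict) -> bool:
    """True when any source range is the whole Internet (/0) or a globally routable block."""
    for cidr in rule.get("source_ranges") or []:
        net = ipaddress.ip_network(str(cidr), strict=False)
        if net.prefixlen == 0 or net.is_global:   # 0.0.0.0/0 is not 'global' in ipaddress
            return True
    return False


def unrestricted_ssh(task: dict) -> bool:
    """Report the finding for one Ansible task; rules being removed are ignored."""
    rule = task.get(MODULE)
    if not rule or rule.get("state", "present") == "absent":
        return False
    return allows_ssh(rule) and has_public_source(rule)
```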