SSH Access Is Not Restricted

  • Query id: dee21308-2a7a-49de-8ff7-c9b87e188575
  • Query name: SSH Access Is Not Restricted
  • Platform: GoogleDeploymentManager
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
resources:
  - name: firewall
    type: compute.v1.firewall
    properties:
      name: my-firewall
      sourceRanges:
        - "0.0.0.0/0"
      allowed:
        - IPProtocol: icmp
          ports:
            - "80"
            - "8080"
            - "1000-2000"
            - "22"
Positive test num. 2 - yaml file
resources:
  - name: firewall
    type: compute.v1.firewall
    properties:
      name: my-firewall
      sourceRanges:
        - "0.0.0.0/0"
      allowed:
        - IPProtocol: icmp
          ports:
            - "80"
            - "8080"
            - "1000-2000"
            - "21-3390"
Positive test num. 3 - yaml file
resources:
  - name: firewall
    type: compute.v1.firewall
    properties:
      name: my-firewall
      sourceRanges:
        - "0.0.0.0/0"
      allowed:
        - IPProtocol: all

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
resources:
  - name: firewall
    type: compute.v1.firewall
    properties:
      name: my-firewall
      allowed:
        - IPProtocol: icmp
          ports:
            - "80"
            - "8080"
            - "1000-2000"