Compute firewall allows unrestricted SSH access Affecting Compute Engine service in Google


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Network / Ports

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CIS-Google CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00377
  • credit Snyk Research Team

Description

If SSH is open to the internet, attackers can attempt to gain access to VM instances. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

How to fix?

Set source_ranges attribute to specific IP range, for example 192.168.0.0/24.

Example Configuration

resource "google_compute_firewall" "allowed" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["192.168.0.0/24"]
}