Compute firewall allows unrestricted SSH access Affecting Compute Engine service in Google

Snyk CCSS

Network / Ports

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00377
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

If SSH is open to the internet, attackers can attempt to gain access to VM instances. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

How to fix?

Set source_ranges attribute to specific IP range, for example 192.168.0.0/24.

Example Configuration

resource "google_compute_firewall" "allowed" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["192.168.0.0/24"]
}

Terraform

Resource: google_compute_firewall

References

VPC firewall rules overview