GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
MySQL Port Should Not Be Open
More Info:
Determines if TCP port 4333 or 3306 for MySQL is open to the public
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the MySQL port open misconfiguration on GCP using the GCP console, please follow the below steps:
- Log in to the GCP Console (https://console.cloud.google.com/).
- Navigate to the GCP project that has the misconfigured MySQL port.
- In the navigation menu, click on “Compute Engine”.
- Select the VM instance that has the open MySQL port.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Firewall” section and click on “Networking”.
- Under the “Firewall rules” section, click on “default-allow-mysql”.
- Click on the “Delete” button to remove the rule.
- Click on the “Save” button at the bottom of the page to apply the changes.
By following the above steps, you have successfully remediated the MySQL port open misconfiguration on GCP.
To remediate the MySQL port being open on GCP using GCP CLI, follow these steps:
-
Open the GCP Console and go to the Cloud Shell.
-
Run the following command to list all the instances in your project:
gcloud compute instances list
-
Identify the instance that has the open MySQL port.
-
Run the following command to SSH into the instance:
gcloud compute ssh [INSTANCE_NAME]
Replace [INSTANCE_NAME] with the name of the instance that you identified in step 3.
- Once you are logged in to the instance, run the following command to edit the
mysqld.cnffile:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
- Look for the following line in the file:
bind-address = 0.0.0.0
- Comment out this line by adding a
#at the beginning of the line:
# bind-address = 0.0.0.0
-
Save the changes and exit the file.
-
Restart the MySQL service by running the following command:
sudo service mysql restart
- Exit the SSH session by running the following command:
exit
With these steps, you have successfully remediated the MySQL port being open on your GCP instance using GCP CLI.
To remediate the MySQL Port open misconfiguration in GCP using Python, you can follow the below steps:
- Import the necessary libraries:
from google.cloud import compute_v1
import google.auth
- Authenticate and create a client object:
creds, project = google.auth.default()
compute_client = compute_v1.ComputeClient(credentials=creds)
- Define the project and zone where the instance is located:
project = 'your-project-id'
zone = 'us-central1-a'
- Define the instance name and the network tag associated with the instance:
instance_name = 'your-instance-name'
network_tag = 'your-network-tag'
- Get the instance details using the
getmethod:
instance = compute_client.instances().get(project=project, zone=zone, instance=instance_name).execute()
- Check if the MySQL port is open by looking at the instance’s network tags:
if network_tag in instance['tags']['items']:
if '3306' in instance['metadata']['items'][0]['value']:
print('MySQL port is open')
- If the MySQL port is open, remove it from the instance’s metadata:
metadata = instance['metadata']
items = metadata['items']
new_items = []
for item in items:
if item['key'] == 'gce-container-declaration':
container = json.loads(item['value'])
ports = container['ports']
new_ports = []
for port in ports:
if port['containerPort'] != 3306:
new_ports.append(port)
container['ports'] = new_ports
item['value'] = json.dumps(container)
new_items.append(item)
metadata['items'] = new_items
compute_client.instances().update(project=project, zone=zone, instance=instance_name, body={'metadata': metadata}).execute()
This will remove the MySQL port from the instance’s metadata, effectively closing the port.