More Info:

Determines if TCP port 4333 or 3306 for MySQL is open to the public

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the MySQL port open misconfiguration on GCP using the GCP console, please follow the below steps:
  1. Log in to the GCP Console (https://console.cloud.google.com/).
  2. Navigate to the GCP project that has the misconfigured MySQL port.
  3. In the navigation menu, click on “Compute Engine”.
  4. Select the VM instance that has the open MySQL port.
  5. Click on the “Edit” button at the top of the page.
  6. Scroll down to the “Firewall” section and click on “Networking”.
  7. Under the “Firewall rules” section, click on “default-allow-mysql”.
  8. Click on the “Delete” button to remove the rule.
  9. Click on the “Save” button at the bottom of the page to apply the changes.
By following the above steps, you have successfully remediated the MySQL port open misconfiguration on GCP.

To remediate the MySQL port being open on GCP using GCP CLI, follow these steps:
  1. Open the GCP Console and go to the Cloud Shell.
  2. Run the following command to list all the instances in your project:
gcloud compute instances list
  1. Identify the instance that has the open MySQL port.
  2. Run the following command to SSH into the instance:
gcloud compute ssh [INSTANCE_NAME]Replace [INSTANCE_NAME] with the name of the instance that you identified in step 3.
  1. Once you are logged in to the instance, run the following command to edit the mysqld.cnf file:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
  1. Look for the following line in the file:
bind-address = 0.0.0.0
  1. Comment out this line by adding a # at the beginning of the line:
# bind-address = 0.0.0.0
  1. Save the changes and exit the file.
  2. Restart the MySQL service by running the following command:
sudo service mysql restart
  1. Exit the SSH session by running the following command:
exitWith these steps, you have successfully remediated the MySQL port being open on your GCP instance using GCP CLI.
To remediate the MySQL Port open misconfiguration in GCP using Python, you can follow the below steps:
  1. Import the necessary libraries:
from google.cloud import compute_v1
import google.auth
  1. Authenticate and create a client object:
creds, project = google.auth.default()
compute_client = compute_v1.ComputeClient(credentials=creds)
  1. Define the project and zone where the instance is located:
project = 'your-project-id'
zone = 'us-central1-a'
  1. Define the instance name and the network tag associated with the instance:
instance_name = 'your-instance-name'
network_tag = 'your-network-tag'
  1. Get the instance details using the get method:
instance = compute_client.instances().get(project=project, zone=zone, instance=instance_name).execute()
  1. Check if the MySQL port is open by looking at the instance’s network tags:
if network_tag in instance['tags']['items']:
    if '3306' in instance['metadata']['items'][0]['value']:
        print('MySQL port is open')
  1. If the MySQL port is open, remove it from the instance’s metadata:
metadata = instance['metadata']
items = metadata['items']
new_items = []
for item in items:
    if item['key'] == 'gce-container-declaration':
        container = json.loads(item['value'])
        ports = container['ports']
        new_ports = []
        for port in ports:
            if port['containerPort'] != 3306:
                new_ports.append(port)
        container['ports'] = new_ports
        item['value'] = json.dumps(container)
    new_items.append(item)
metadata['items'] = new_items
compute_client.instances().update(project=project, zone=zone, instance=instance_name, body={'metadata': metadata}).execute()
This will remove the MySQL port from the instance’s metadata, effectively closing the port.

Additional Reading: