GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
SQL Server Port Should Not Be Open
More Info:
Determines if TCP port 1433 or UDP port 1434 for SQL Server is open to the public.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the SQL Server Port Should Not Be Open misconfiguration in GCP using GCP console, follow these steps:
- Go to the GCP console and select the project where the misconfiguration exists.
- Navigate to the VPC network page and select the VPC network where the SQL Server instance is running.
- Select the Firewall rules tab.
- Identify the firewall rule that allows access to the SQL Server port (default port is 1433).
- Click on the Edit button to modify the firewall rule.
- In the Source filter section, select the IP ranges that are allowed to access the SQL Server port.
- If the SQL Server instance is only accessed from within the VPC network, select the VPC network as the source filter.
- If the SQL Server instance is accessed from outside the VPC network, select the appropriate IP ranges for the source filter.
- Save the changes to the firewall rule.
By following these steps, you have successfully remediated the SQL Server Port Should Not Be Open misconfiguration in GCP using GCP console.
To remediate an SQL Server port being open in GCP using GCP CLI, follow these steps:
-
Open the Google Cloud Console and navigate to the Compute Engine page.
-
Identify the instance with the open SQL Server port.
-
Connect to the instance using SSH.
-
Run the following command to list the firewall rules:
gcloud compute firewall-rules list -
Identify the firewall rule that allows the SQL Server port to be open.
-
Run the following command to delete the firewall rule:
gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]Replace
[FIREWALL_RULE_NAME]with the name of the firewall rule that allows the SQL Server port to be open. -
Verify that the firewall rule has been deleted by running the following command:
gcloud compute firewall-rules listThe output should not include the firewall rule that allowed the SQL Server port to be open.
-
Once the firewall rule has been deleted, the SQL Server port will no longer be open. You can verify this by attempting to connect to the SQL Server port from a remote machine.
To remediate the SQL Server Port Should Not Be Open misconfiguration in GCP using Python, you can follow these steps:
-
Connect to the Google Cloud Platform using the Google Cloud SDK.
-
Use the Google Cloud Python client library to create a firewall rule that blocks all incoming traffic to the SQL Server port. Here’s an example code snippet to create a firewall rule:
from google.cloud import compute_v1
# Set the project ID and region
project_id = 'your-project-id'
region = 'your-region'
# Create the firewall rule
client = compute_v1.FirewallsClient()
firewall_rule_body = {
"name": "block-sql-server-port",
"network": f"projects/{project_id}/global/networks/default",
"direction": "INGRESS",
"priority": 1000,
"action": "deny",
"rules": [
{
"protocol": "tcp",
"ports": ["1433"]
}
],
"target_tags": ["sql-server"]
}
response = client.insert(project=project_id, firewall_resource=firewall_rule_body)
In the above code snippet, replace your-project-id and your-region with your actual project ID and region. The target_tags field specifies the tags of the resources that should be blocked from accessing the SQL Server port.
- Apply the
sql-servertag to all the instances that are running SQL Server.
from google.cloud import compute_v1
# Set the project ID and region
project_id = 'your-project-id'
region = 'your-region'
# Set the instance name
instance_name = 'your-instance-name'
# Set the tags
tags = ["sql-server"]
# Update the tags for the instance
client = compute_v1.InstancesClient()
instance = client.get(project=project_id, zone=region + '-a', instance=instance_name)
instance.tags = tags
client.update(project=project_id, zone=region + '-a', instance=instance_name, instance_resource=instance)
In the above code snippet, replace your-project-id, your-region, and your-instance-name with your actual project ID, region, and instance name. The tags field specifies the tags that should be applied to the instance.
- Verify that the firewall rule is working as expected by attempting to connect to the SQL Server port from a remote machine. The connection should be blocked.
These steps should remediate the SQL Server Port Should Not Be Open misconfiguration in GCP using Python.