More Info:

Determines if TCP port 22 for SSH is open to the public.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, PCIDSS, ISO27001, HIPAA, CISGCP, CBP, HITRUST, GDPR, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the SSH port open misconfiguration in GCP using the GCP console, follow the below steps:
  1. Login to the GCP console (https://console.cloud.google.com/).
  2. Navigate to the Compute Engine section.
  3. Select the instance where the SSH port is open.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Firewall” section and click on “Management, security, disks, networking, sole tenancy”.
  6. Under the “Firewall” section, click on “Networking”.
  7. In the “Firewall rules” section, find the firewall rule that is allowing SSH access (usually named “default-allow-ssh”).
  8. Click on the checkbox next to the rule to select it.
  9. Click on the “Delete” button at the top of the page.
  10. Confirm the deletion by clicking on the “Delete” button in the confirmation dialog box.
Once the firewall rule allowing SSH access is deleted, the SSH port will no longer be open, and the misconfiguration will be remediated.

To remediate the SSH port open misconfiguration in GCP using GCP CLI, follow these steps:
  1. Open the GCP CLI and connect to your project.
  2. Run the following command to list all the instances in your project: 
    gcloud compute instances list
  3. Identify the instance for which you want to remediate the misconfiguration.
  4. Run the following command to get the details of the instance: 
    gcloud compute instances describe [INSTANCE_NAME]
    Replace [INSTANCE_NAME] with the name of your instance.
  5. Look for the metadata section in the output. If you see a ssh-keys entry, then SSH port is open. To remediate this, delete the ssh-keys entry.
  6. Run the following command to delete the ssh-keys entry: 
    gcloud compute instances remove-metadata [INSTANCE_NAME] --keys ssh-keys
    Replace [INSTANCE_NAME] with the name of your instance.
  7. Verify that the ssh-keys entry has been deleted by running the gcloud compute instances describe command again. 
    gcloud compute instances describe [INSTANCE_NAME]
    You should not see the ssh-keys entry in the output.
  8. Repeat steps 4-7 for all the instances in your project to ensure that SSH port is not open on any of them.
By following these steps, you can remediate the SSH port open misconfiguration in GCP using GCP CLI.
To remediate the SSH port being open misconfiguration in GCP using Python, you can follow these steps:
  1. Import the necessary libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
  1. Set up authentication credentials:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('compute', 'v1', credentials=credentials)
  1. Retrieve the project ID:
project = 'your-project-id'
  1. Retrieve the list of instances:
instances = service.instances().list(project=project, zone='us-central1-a').execute()
Note: Replace the zone with the appropriate zone for your instance.
  1. Loop through the instances and update the firewall rules to restrict SSH access:
for instance in instances['items']:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    firewall_name = 'ssh-' + instance_name
    firewall_body = {
        'allowed': [],
        'description': 'Restrict SSH access to specified IP ranges',
        'name': firewall_name,
        'network': 'default',
        'priority': 1000,
        'sourceRanges': [
            '0.0.0.0/0'
        ],
        'targetTags': [
            instance_name
        ]
    }
    firewall = service.firewalls().insert(project=project, body=firewall_body).execute()
    print('Firewall rule created for instance {}: {}'.format(instance_name, firewall['id']))
Note: This code creates a new firewall rule for each instance to restrict SSH access to specified IP ranges. You can modify the sourceRanges parameter to specify the IP ranges that should be allowed to access SSH.
  1. Remove the existing firewall rule that allows SSH access:
firewall_name = 'default-allow-ssh'
firewall = service.firewalls().delete(project=project, firewall=firewall_name).execute()
print('Firewall rule deleted: {}'.format(firewall_name))
Note: This code removes the default firewall rule that allows SSH access from any IP address.
  1. Verify that the firewall rules have been updated:
firewalls = service.firewalls().list(project=project).execute()
for firewall in firewalls['items']:
    print(firewall['name'], firewall['sourceRanges'])
Note: This code lists all the firewall rules in the project and their associated source IP ranges. You should see that the new firewall rules restrict SSH access to specified IP ranges.

Additional Reading: