GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
VNC Server Port Should Not Be Open
More Info:
Determines if TCP port 5900 for VNC Server is open to the public. While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of VNC Server Port being open in GCP using the GCP console, follow the below steps:
-
Login to the GCP Console.
-
Navigate to the Compute Engine section.
-
Select the VM instance that has the open VNC server port.
-
Click on the “Edit” button at the top of the page.
-
Scroll down to the “Firewall” section.
-
In the “Firewall” section, uncheck the “Allow HTTP traffic” and “Allow HTTPS traffic” options.
-
Scroll down to the “Cloud API access scopes” section.
-
In the “Cloud API access scopes” section, uncheck the “Allow default access” option.
-
Click on the “Save” button to apply the changes.
-
Verify that the VNC server port is no longer open by running a port scan on the VM instance.
-
If the VNC server port is still open, repeat the above steps and check for any misconfiguration or errors.
By following these steps, the misconfiguration of the VNC server port being open in GCP using the GCP console can be remediated.
To remediate the misconfiguration of having the VNC server port open on a GCP instance, you can follow the below steps using GCP CLI:
-
Open the Cloud Shell in the GCP Console.
-
Identify the instance that has the VNC server port open. You can use the following command to list all instances in your project:
gcloud compute instances list -
Once you have identified the instance, connect to it using SSH. You can use the following command to connect to the instance:
gcloud compute ssh [INSTANCE_NAME] -
Once you are connected to the instance, you need to find the VNC server process ID. You can use the following command to find the process ID:
ps -ef | grep Xtightvnc -
Once you have found the process ID, you can use the following command to kill the process:
sudo kill [PROCESS_ID] -
Next, you need to disable the VNC server from starting automatically on boot. You can use the following command to remove the VNC server startup script:
sudo rm /etc/systemd/system/[email protected] -
Finally, you need to ensure that the VNC server port is closed in the firewall. You can use the following command to remove the firewall rule that allows access to the VNC server port:
gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that allows access to the VNC server port.
After completing these steps, you will have successfully remediated the misconfiguration of having the VNC server port open on the GCP instance.
To remediate the misconfiguration of VNC Server Port being open in GCP using Python, you can follow the below steps:
-
First, you need to authenticate and authorize the GCP account using the Google Cloud SDK. You can do this by running the following command in the terminal:
gcloud auth login -
Next, you need to install the Python client library for GCP. You can do this by running the following command in the terminal:
pip install google-cloud-storage -
Once the library is installed, you can create a Python script to remediate the misconfiguration. The script should perform the following steps:
a. Get a list of all the instances running in the GCP project using the Compute Engine API.
b. For each instance, check if the VNC server port is open. You can do this by using the
googleapiclient.discoverylibrary to make a request to the Compute Engine API.c. If the VNC server port is open, use the
googleapiclient.discoverylibrary to make a request to the Compute Engine API to update the firewall rule and close the port. -
Here is a sample Python script that you can use to remediate the misconfiguration:
from googleapiclient import discovery from oauth2client.client import GoogleCredentials credentials = GoogleCredentials.get_application_default() compute = discovery.build('compute', 'v1', credentials=credentials) project = 'your-project-id' def list_instances(compute, project): result = compute.instances().list(project=project).execute() return result['items'] if 'items' in result else None instances = list_instances(compute, project) for instance in instances: for network_interface in instance['networkInterfaces']: for access_config in network_interface['accessConfigs']: if 'natIP' in access_config: instance_ip = access_config['natIP'] firewall_rules = compute.firewalls().list(project=project).execute() for firewall_rule in firewall_rules['items']: if firewall_rule['name'] == 'vnc-server': if 'allowed' in firewall_rule and 'ports' in firewall_rule['allowed'][0]: if '5900' in firewall_rule['allowed'][0]['ports']: compute.firewalls().update(project=project, firewall=firewall_rule['name'], body={ "name": "vnc-server", "allowed": [ { "IPProtocol": "tcp", "ports": [] } ], "sourceRanges": [ "0.0.0.0/0" ], "targetTags": [ "vnc-server" ] }).execute()Note: Replace
your-project-idwith the actual project ID. -
Save the script and run it in the terminal using the following command:
python script_name.pyThis will remediate the misconfiguration by closing the VNC server port in all the instances running in the GCP project.