mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-07 11:13:20 +08:00
101 lines
2.9 KiB
YAML
101 lines
2.9 KiB
YAML
id: gcloud-unrestricted-ssh-access
|
|
|
|
info:
|
|
name: Check for Unrestricted SSH Access
|
|
author: princechaddha
|
|
severity: critical
|
|
description: |
|
|
Ensure that your Google Cloud VPC firewall rules do not allow unrestricted SSH access (0.0.0.0/0 on TCP port 22). Restrict SSH access to trusted IP addresses or ranges to reduce the attack surface and adhere to the principle of least privilege.
|
|
impact: |
|
|
Allowing unrestricted SSH access exposes your infrastructure to potential brute-force attacks or unauthorized access.
|
|
remediation: |
|
|
Update your VPC firewall rules to allow SSH traffic only from trusted IP addresses or ranges.
|
|
reference:
|
|
- https://cloud.google.com/vpc/docs/firewalls
|
|
tags: cloud,devops,gcp,gcloud,vpc,firewall,security,ssh,gcp-cloud-config
|
|
|
|
flow: |
|
|
code(1)
|
|
for(let projectId of iterate(template.projectIds)){
|
|
set("projectId", projectId)
|
|
code(2)
|
|
for(let networkName of iterate(template.networks)){
|
|
set("networkName", networkName)
|
|
code(3)
|
|
javascript(1)
|
|
}
|
|
}
|
|
|
|
self-contained: true
|
|
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
gcloud projects list --format="json(projectId)"
|
|
|
|
extractors:
|
|
- type: json
|
|
name: projectIds
|
|
internal: true
|
|
json:
|
|
- '.[].projectId'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
gcloud compute networks list --project $projectId --format="json(name)"
|
|
|
|
extractors:
|
|
- type: json
|
|
name: networks
|
|
internal: true
|
|
json:
|
|
- '.[].name'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
gcloud compute firewall-rules list --filter network=$networkName --sort-by priority --format="json(name,disabled,direction,sourceRanges,allowed[].ports)"
|
|
|
|
extractors:
|
|
- type: json
|
|
name: firewallRules
|
|
internal: true
|
|
json:
|
|
- '.[]'
|
|
|
|
javascript:
|
|
- code: |
|
|
let firewallRules = template.firewallRules;
|
|
|
|
if (typeof firewallRules === "string") {
|
|
firewallRules = JSON.parse(firewallRules);
|
|
}
|
|
|
|
let insecureRules = [];
|
|
for (let rule of firewallRules) {
|
|
if (
|
|
rule.disabled === false &&
|
|
rule.direction === "INGRESS" &&
|
|
Array.isArray(rule.sourceRanges) && rule.sourceRanges.includes("0.0.0.0/0") &&
|
|
Array.isArray(rule.allowed) && rule.allowed.some(allowed =>
|
|
Array.isArray(allowed.ports) && allowed.ports.includes("22")
|
|
)
|
|
) {
|
|
insecureRules.push(rule.name);
|
|
}
|
|
}
|
|
|
|
if (insecureRules.length > 0) {
|
|
Export(`The firewall rules in network ${template.networkName} of project ${template.projectId} allow unrestricted SSH access: ${insecureRules.join(", ")}`);
|
|
}
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- response
|
|
# digest: 4a0a00473045022100ae76292b65867cbae75a860bb9fe3b7ea51d83dfc2de5a2a0d6e34d48adf3447022061bcb759bd6b54ab8dc1ebb27c918227f82000aaeca6c4ace2cbad063869f0ff:922c64590222798bb761d5b6d8e72950 |