Limiting access to ssh


Matthew Lenz

Aug 21, 2015, 12:35:13 PM
to gce-discussion
I'd like to limit access to ssh to GCE console (so the browser based SSH works) and to our own networks.   Is there a specific network mask I can use to allow connections from GCE console?

Faizan (Google Cloud Support)

Aug 21, 2015, 4:31:37 PM
to gce-discussion
Hello Matthew,

One way to limit the ssh access to your VM instances is through GCE network firewall rules. You can create a firewall rule with the source IP range to allow ssh access to your instances from those IPs.

I hope that helps.

Faizan

Matthew Lenz

Aug 24, 2015, 10:37:19 AM
to gce-discussion
Found some info in the docs about allowing access from the GDC.  It basically requires that you manually enter every known google IP block.  I'll be honest, that's a ridiculous proposition.

Michael Prentice

Feb 25, 2016, 2:23:10 PM
to gce-discussion
I'm also looking for a way to do this. We're seeing a lot of failed logins due to brute force password attacks on port 22 of our web servers.

I can't find a way to block certain IPs in the firewall rules, which is fairly unbelievable.

But as an alternative, I'd like to only open SSH to developer IPs and the Google Cloud Console. What IP range will cover this Google Cloud Console access?

Karl MacMillan

Feb 25, 2016, 3:16:42 PM
to Michael Prentice, gce-discussion
Another option is something like fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page). It's going to be per-host but potentially more flexible. 

Faizan (Google Cloud Support)

Feb 25, 2016, 5:13:16 PM
to gce-discussion
Hello Michael,

Google Compute Engine firewall blocks all the traffic coming to the instance. You need to create firewall rules to allow incoming traffic. As such, you can create firewall rules with the known IPs (e.g. your developers) to limit the access.

For browser-based SSH sessions the source IP addresses are dynamically allocated by Cloud Platform Console and can vary from session to session. For the feature to work, you must allow connections either from any IP address or from Google's IP address range which you can retrieve using public SPF records.

I hope that helps.

Faizan
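As an added illustration of the approach Faizan describes (not code from the thread or from Google), the script below walks an SPF record's include: chain to collect the ip4: netblocks, merges them with a developer range, and builds the gcloud firewall-rules command that allows tcp:22 only from those sources. The DNS answers, domain names and netblocks are constructed placeholders; a real run would swap lookup_txt for an actual TXT resolver.

```python
from ipaddress import ip_network

# Constructed stand-in for DNS TXT answers (placeholder names and ranges,
# not Google's real SPF data). Replace lookup_txt with a real resolver to use it.
CONSTRUCTED_TXT = {
    "_spf.example-cloud.test": "v=spf1 include:_netblocks.example-cloud.test "
                               "include:_netblocks2.example-cloud.test ~all",
    "_netblocks.example-cloud.test": "v=spf1 ip4:74.125.0.0/16 ip4:203.0.113.0/24 ~all",
    "_netblocks2.example-cloud.test": "v=spf1 ip6:2001:db8::/32 +ip4:198.51.100.0/25 ~all",
    # A self-including record, to show the loop guard.
    "_loop.example-cloud.test": "v=spf1 include:_loop.example-cloud.test ip4:10.0.0.0/8 ~all",
}


def lookup_txt(name):
    """Return the SPF TXT record for a name (constructed data, no network)."""
    return CONSTRUCTED_TXT.get(name, "")


def spf_ip4_ranges(name, lookup=lookup_txt, depth=0, seen=None):
    """Recursively collect ip4: networks from an SPF record and its include: chain.

    SPF allows at most 10 DNS-querying mechanisms, so the recursion is capped at
    that depth; names already visited are skipped to survive include: loops.
    """
    seen = set() if seen is None else seen
    if depth > 10 or name in seen:
        return []
    seen.add(name)
    ranges = []
    for token in lookup(name).split():
        token = token[1:] if token.startswith("+") else token  # "+" is the default qualifier
        if token.startswith("ip4:"):
            ranges.append(ip_network(token[4:], strict=False))
        elif token.startswith("include:"):
            ranges.extend(spf_ip4_ranges(token[8:], lookup, depth + 1, seen))
    return ranges


def firewall_create_command(rule_name, dev_ranges, google_ranges, target_tag="ssh-allowed"):
    """Build the gcloud command for a tcp:22 ingress rule limited to the given sources.

    Scoping the rule with --target-tags keeps it off instances that never need SSH.
    """
    nets = sorted({ip_network(r, strict=False) for r in dev_ranges} | set(google_ranges))
    return ["gcloud", "compute", "firewall-rules", "create", rule_name,
            "--allow=tcp:22",
            "--source-ranges=" + ",".join(str(n) for n in nets),
            "--target-tags=" + target_tag]


if __name__ == "__main__":
    google = spf_ip4_ranges("_spf.example-cloud.test")
    print(" ".join(firewall_create_command("allow-ssh-restricted", ["192.0.2.0/24"], google)))
```

The resulting source list is still every netblock in the SPF chain, which is exactly the breadth later posts in the thread object to; the rule only narrows who can reach port 22, it does not identify the console itself.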

Matthew Lenz

Feb 26, 2016, 9:53:06 AM
to gce-discussion
This is still a VERY poor solution.   Google has zero excuse here.   You guys have full control over that firewall software.  Even the most basic firewalls allow you to create aliases.  Google could easily maintain aliases/tags for the various IP blocks to allow a customer to identify connections from GCP only.

Faizan (Google Cloud Support)

Feb 26, 2016, 11:15:37 AM
to gce-discussion
Hello Matthew,

I do agree having an option to allow the IP from GCP only is a useful feature. As such, can you please go ahead and file a feature request through GCE issue tracker. Once done let me know I'll go ahead and forward the request to our product engineering team.

Thanks

Faizan

Matthew Lenz

Feb 26, 2016, 12:18:18 PM
to gce-discussion

Michael Prentice

Feb 27, 2016, 3:25:45 PM
to gce-discussion
Thank you very much for opening that issue! This would be a great benefit to both usability and security for our applications!


Krishnan Menon

May 6, 2016, 5:35:56 PM
to gce-discussion
Any update from GCE engineers on this? This is a much needed functionality. 

Seeing a lot more attempts to access SSH. With password access disabled, they should not be able to log in. Still, with the number of attempts increasing, it is filling up the console unnecessarily and distracting from any other errors that we need to pay attention to. We even had one VM get into some state with ssh that we couldn't bring up another shell.

Francisco Artes

May 10, 2016, 6:14:00 PM
to gce-discussion
So I did this... but you aren't going to like the answer.

It's not too hard, you just have to edit the SSH rule and then of course limit the source IP addresses... except for one small detail, to continue allowing the GCE browser-based SSH you will need to add a massive block of IP addresses for all of GCE.  That is because the browser applet launches from their servers (not your workstation) and it is quite random within that range.  I finally opted to not do this because for me that was counter to my security concerns of restricting SSH.  E.g. anyone with a GCE account could still attempt to SSH into my machines via the GCE Web SSH UI.

Some report adding the following range will do it:  74.125.0.0/16  Some also report the more restrictive range of 74.125.47.0/24  Regardless, those are a lot of IPs and could be coming from anyone.  Up to you really.  

We just use the drop-down on the list of VM Instances (under connect) to view the gcloud command and then paste that into a terminal prompt (command window on PC) and presto we are SSH'ed into the servers assuming we are coming from one of the allowed IP Addresses. 

Francisco Artes

May 10, 2016, 6:18:23 PM
to gce-discussion
+1... seriously, he is totally correct. 

Mark Patterson

Sep 11, 2018, 7:13:39 PM
to gce-discussion
This should help those that want to remove the allow-ALL SSH default firewall rule for security yet still be able to use the SSH features inside of the Google Cloud Console.

https://github.com/MarkCloudWalker/gcp-enable-ssh


Aloha,
 --Mark



Sean Erswell-Liljefelt

Nov 22, 2018, 12:29:10 PM
to gce-discussion
On Friday, 21 August 2015 18:35:13 UTC+2, Matthew Lenz wrote:
> I'd like to limit access to ssh to GCE console (so the browser based SSH works) and to our own networks. Is there a specific network mask I can use to allow connections from GCE console?

I would also like to see a much more fleshed out solution around this. The potential IP range should be narrowed significantly at the very least!
 

AsifT (Google Cloud Support)

Nov 23, 2018, 1:43:44 PM
to gce-discussion
This feature request is under way; you can track the progress here: https://issuetracker.google.com/35904781