Disable external SSH on GCP while retaining the SSH web console
Posted on 2016/12/27
The SSH in Browser from Google Cloud is quite a useful feature allows you to connect to connect to your virtual machines over SSH directly from their online dashboard.
Immensely helpfull when dealing with networks that keep dropping packets and blocking any else than HTTP. I'm looking at you coffee shops ...
But coming from a security standpoint the first thing I tend to do on new projects is disabled any external ssh connections as that just reduces my attack vector substantially.
But after doing this you soon discover that you cannot connect to your VM's using the web-based SSH console anymore. Whelp ...
This does seem like a way to give you complete control over who can connect to your VM's but makes it a bit harder trying to setup authorised IP's.
For now (here's to hoping this just becomes a setting it the future) Google requires you to just allow their IP ranges.
You can find the IP ranges by querying the
184.108.40.206 DNS server provided by them for
TXT records using:
nslookup -q=TXT _spf.google.com 220.127.116.11
which should respond with something like:
Server: 18.104.22.168 Address: 22.214.171.124#53 Non-authoritative answer: _spf.google.com text = "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" ...
Where after you can query each one of the listed subdomains and get the IP's using:
nslookup -q=TXT _netblocks.google.com 126.96.36.199 nslookup -q=TXT _netblocks2.google.com 188.8.131.52 nslookup -q=TXT _netblocks3.google.com 184.108.40.206
which will give you a nice list of IP's that can be added to your firewall rules. For example
Server: 220.127.116.11 Address: 18.104.22.168#53 Non-authoritative answer: _netblocks.google.com text = "v=spf1 ip4:22.214.171.124/20 ip4:126.96.36.199/19 ip4:188.8.131.52/20 ip4:184.108.40.206/20 ip4:220.127.116.11/18 ip4:18.104.22.168/16 ip4:22.214.171.124/21 ip4:126.96.36.199/16 ip4:188.8.131.52/20 ip4:184.108.40.206/17 ip4:220.127.116.11/19 ip4:18.104.22.168/19 ~all" ...
You'll need to update your list every time the console stops working from the dashboard again. But you will be able to connect now.
What's currently keeping me busy
Testing and keeping websites safe
Tech/product of new incubating startups
Advocate and educate on the Google Cloud
Easy prescribed book management
Loadshedding being constantly updated and watched
Secret management for PAAS
National microchip database
Youtube channel of edited meetup talks
Gaming Youtube Channel