Disable external SSH on GCP while retaining the SSH web console
Posted on 2016/12/27
Immensely helpfull when dealing with networks that keep dropping packets and blocking any else than HTTP. I'm looking at you coffee shops ...
But coming from a security standpoint the first thing I tend to do on new projects is disabled any external ssh connections as that just reduces my attack vector substantially.
But after doing this you soon discover that you cannot connect to your VM's using the web-based SSH console anymore. Whelp ...
This does seem like a way to give you complete control over who can connect to your VM's but makes it a bit harder trying to setup authorised IP's.
For now (here's to hoping this just becomes a setting it the future) Google requires you to just allow their IP ranges.
You can find the IP ranges by querying the
22.214.171.124 DNS server provided by them for
TXT records using:
nslookup -q=TXT _spf.google.com 126.96.36.199
which should respond with something like:
Server: 188.8.131.52 Address: 184.108.40.206#53 Non-authoritative answer: _spf.google.com text = "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" ...
Where after you can query each one of the listed subdomains and get the IP's using:
nslookup -q=TXT _netblocks.google.com 220.127.116.11 nslookup -q=TXT _netblocks2.google.com 18.104.22.168 nslookup -q=TXT _netblocks3.google.com 22.214.171.124
which will give you a nice list of IP's that can be added to your firewall rules. For example
Server: 126.96.36.199 Address: 188.8.131.52#53 Non-authoritative answer: _netblocks.google.com text = "v=spf1 ip4:184.108.40.206/20 ip4:220.127.116.11/19 ip4:18.104.22.168/20 ip4:22.214.171.124/20 ip4:126.96.36.199/18 ip4:188.8.131.52/16 ip4:184.108.40.206/21 ip4:220.127.116.11/16 ip4:18.104.22.168/20 ip4:22.214.171.124/17 ip4:126.96.36.199/19 ip4:188.8.131.52/19 ~all" ...
You'll need to update your list every time the console stops working from the dashboard again. But you will be able to connect now.
What's currently keeping me busy
Testing and keeping websites safe
Tech/product of new incubating startups
Advocate and educate on the Google Cloud
Easy prescribed book management
Loadshedding being constantly updated and watched
Secret management for PAAS
National microchip database
Youtube channel of edited meetup talks
Gaming Youtube Channel