Get Started With Firewalls On Google Cloud Platform In Minutes
The fight for the cloud started 10 years ago; many tried to get a spot among the giants, few succeeded. No one managed to challenge the giants, though: Amazon, Google and Microsoft are the clear winners with AWS, Google Cloud and Azure.
So you have a cloud server for one of your projects and you want to enable, let’s say, SSH or FTP. You have installed the necessary packages, but when you try to connect you can’t. Connection dropped. What happened?
The default rules for the firewall on the cloud are pretty strict, as they should be. Nothing should be open if it hasn’t been explicitly marked as allowed. In security always have a whitelist, never a blacklist. Block everything unknown unless it’s needed.
For this example we’ll enable SSH. It runs by default on port 22, and you should CHANGE THIS. Why, you ask? If that’s the default port, that’s where it should run. No. Everyone knows that 22 is the default port, so attackers are going to scan IP ranges and check whether port 22 is reachable; if it is (and you’re using username/password without rate limiting) you’re basically screwed.
Fortunately for you, it is possible to bind the SSH daemon to a different port, let’s say 1599 (don’t actually use this port; choose a random one that is not used by another daemon).
You need to enable traffic through that port both at the OS level and at the cloud platform level.
Google firewall
To let it through the Google firewall you need to go to Instance Groups and then to Firewall. From there add a rule for port 1599 (change it to your port) and always allow connections.
OS firewall
For the purpose of this tutorial I’m assuming you’re running a Linux server (if you’re not, you can always switch to one ;) ). `iptables` is the command you need. You need to tell it to allow traffic through port 1599, as you did with Google.
Once that is done, you should also disallow root login and disallow password login in the configuration of your SSH daemon.
The only safe login method is using RSA.
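The three steps above (cloud rule, host firewall, sshd configuration) as one script. This is an added example, not code from the original post: it applies the sshd changes to a copy of `sshd_config`, then prints the matching `iptables` and `gcloud` commands instead of running them, so it works without root. Port 1599 is the post’s placeholder; the GCP rule name `allow-ssh-1599`, the `default` network, the `ssh-server` target tag and the source range are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the custom port, no root
# login and no password login to an sshd_config-style file, then print the
# host firewall and GCP firewall commands that open the new port.
set -eu

# Set KEY to VALUE in FILE: rewrite every existing line for that key
# (commented-out ones too, as in the stock "#Port 22"), or append the option
# if the key is absent. The pattern also rewrites a comment that happens to
# start with the key name, which stock sshd_config does not contain.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
    sed -i.bak -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    rm -f "$file.bak"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Value sshd would use for KEY in FILE: the first uncommented occurrence wins.
sshd_option() {
  grep -E "^$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# The hardening the post describes, applied to FILE for PORT.
harden_sshd_config() {
  set_sshd_option "$1" Port "$2"
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# Host firewall rules for PORT. Printed rather than applied: run the output
# as root only after the new port is confirmed working, and keep your current
# session open while you do, in case you lock yourself out.
iptables_rules() {
  cat <<EOF
iptables -A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport $1 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# The same rule on GCP via gcloud (names assumed). Unlike "always allow
# connections", it limits the source to one address range (placeholder).
gcloud_rule() {
  cat <<EOF
gcloud compute firewall-rules create allow-ssh-$1 \\
  --network=default --direction=INGRESS --action=ALLOW --rules=tcp:$1 \\
  --source-ranges=YOUR_ADMIN_IP_RANGE/32 --target-tags=ssh-server
EOF
}

# Demo on a constructed config; the real file is /etc/ssh/sshd_config.
demo() {
  cfg=$(mktemp)
  printf '#Port 22\nPermitRootLogin yes\n#PasswordAuthentication yes\n' > "$cfg"
  harden_sshd_config "$cfg" 1599
  cat "$cfg"
  iptables_rules 1599
  gcloud_rule 1599
  rm -f "$cfg"
}
demo
```

After the `gcloud` rule exists, attach the `ssh-server` network tag to the instance or the rule never applies to it; then restart `sshd` and test the new port from a second terminal before closing the one you are in.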
SSH Key
To connect you’d need to generate a key on each machine you use to connect to the server, I’m assuming for sake of simplicity that it’s one. If it’s not you just need to repeat this part for each different machine.
Navigate to the `.ssh` folder. For Linux: `cd /root/.ssh`. For Mac: `cd /Users/USERNAME/.ssh/`. If these folders don’t exist create them using `mkdir`.
Open a terminal and type `ssh-keygen -t rsa`
- Press enter for the names (you can choose what you want, I’m gonna keep id_rsa)
- Pick a random strong password and save it in your password manager
- Save the output as a note in such password manager
- Open `id_rsa.pub` and copy the public key.
This will be your public identity, the private key will prove that you are who you say you are. Always keep your private key a secret!
Navigate to `authorized_keys` on the server and paste the public key of the machine you want to allow on a new line.
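The key step as a script, added here as an example and not part of the original post. `generate_client_key` runs `ssh-keygen` the way the post does (with `-t`, the key-type flag); `install_authorized_key` is the server side, appending the public key to `authorized_keys` only once and with the permissions `sshd` insists on (it ignores an `authorized_keys` file that others can read or write). The paths, the sample key and the passphrase placeholder in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a client key pair and
# install its public half in a server-side authorized_keys file.
set -eu

# Create an RSA key pair at PATH (private) and PATH.pub (public), protected
# by PASSPHRASE. Assumes ssh-keygen is installed on the client machine.
generate_client_key() {
  ssh-keygen -t rsa -b 4096 -f "$1" -N "$2" -C "${3:-client-key}" -q
}

# Append PUBKEY (one "type base64 [comment]" line) to SSH_DIR/authorized_keys.
# Returns 0 when added, 1 when the same key is already present (the comment
# is ignored for the comparison), 2 when PUBKEY does not look like a key.
install_authorized_key() {
  ssh_dir=$1
  pubkey=$2
  set -- $pubkey                      # split into type / blob / comment
  [ $# -ge 2 ] || return 2
  case $1 in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
    *) return 2 ;;
  esac
  auth="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$auth" && chmod 600 "$auth"
  if grep -Fq -- "$1 $2" "$auth"; then
    return 1
  fi
  printf '%s\n' "$pubkey" >> "$auth"
}

# Demo: generate a key into a temp dir and install it twice (needs ssh-keygen).
# Run as:  sh this_script.sh demo
demo() {
  tmp=$(mktemp -d)
  generate_client_key "$tmp/id_rsa" "REPLACE-WITH-PASSPHRASE-FROM-PASSWORD-MANAGER" laptop
  install_authorized_key "$tmp/server-dot-ssh" "$(cat "$tmp/id_rsa.pub")"
  if install_authorized_key "$tmp/server-dot-ssh" "$(cat "$tmp/id_rsa.pub")"; then
    echo "unexpected: key added twice"
  else
    echo "second install skipped: key already authorized"
  fi
  cat "$tmp/server-dot-ssh/authorized_keys"
  rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the real server `SSH_DIR` is the `.ssh` folder of the account you log in to; the directory must be `700` and the file `600`, which the script enforces because a wrong mode is the most common reason a freshly pasted key is silently rejected.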
Connect
Try connecting from your device to the server using `ssh -p 1599 username@192.168.1.1`, where:
- `1599` is the port
- `username` is the username of the account you want to log in to (hope you didn’t forget to turn off root login)
- `192.168.1.1` is the IP address or domain name of the server
Takeaways
You need to start thinking about security from the get-go and never get comfortable.
About Me
I’m Valentino Urbano, an iOS Developer from Milan, Italy. My clients include Volkswagen, Moncler, PMI and Banca Intesa. You can find me on twitter or on my website.