Before an attacker discovers your cloud, be aware of the endpoints you have exposed to the internet.

Madhu
Google Cloud - Community
3 min read · Nov 21, 2022


Attackers constantly scan internet-facing endpoints for vulnerable services to access and breach. Once a public IP address becomes active, keep in mind that attackers and internet-wide scanning services start probing it. It is always a good idea to keep track of which endpoints in your cloud are reachable from the internet and to audit them regularly, rather than finding out after a compromise.

VPC networks on GCP provide connectivity for a variety of services, such as Compute Engine VMs, GKE, Cloud SQL and load balancers, and any of these can be exposed to the internet by attaching an external IP address.

GCP gives visibility into every external address used in a project, together with the resource it is attached to. Let's see how to use the console and the Compute API to find the services that are exposed to the internet.

In the console, open the Navigation menu, go to "Networking" -> "VPC network" and choose "IP addresses".

We won't focus on reserved static addresses that aren't used by any resource; instead we'll go through the list of "External IP addresses" used in the project, since those are reachable from the internet.
We will examine the ones used by instances and any other components, such as load balancers, GKE or other services, regardless of whether the type is "Static" or "Ephemeral".
To view the IP addresses page, the "roles/compute.networkViewer" role should be sufficient.

In that list it is crucial to concentrate on the addresses that are in use by a resource. "None" in the "In use by" column means the address is reserved but not attached to anything; you still pay for it, but there is nothing behind it to scan.
To compile the list of addresses for all projects or for specific projects, you can use the Compute REST API (the addresses and global addresses list methods, or `gcloud compute addresses list`).

To make this easier you can use the Python script from the following GitHub repository; see its README.md for usage details:

git clone https://github.com/smmadhu/gcp_external_ip_audit.git

Clone the repo and run it locally, authenticating either with application default credentials ("gcloud auth application-default login") or with a service account key.
You can use it to get the addresses for a specific project or for all projects within the organisation.
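The same audit logic in plain Python, as an added example that is neither the post's script nor code from the linked repository. It takes the JSON that `gcloud compute addresses list --format=json` and `gcloud compute instances list --format=json` produce (assumed here to contain both global and regional reservations), drops unused reservations and the Google-managed entries the post mentions later (addresses held by routers and by VPN forwarding rules), adds the ephemeral addresses that only appear on the VMs themselves, and returns the list to scan. Field names follow the Compute API address and instance resources; the two sample documents are constructed, and the project name and IP ranges are placeholders.

```python
"""Classify a project's external addresses into scan targets (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Users that mean Google Cloud itself holds the address: Cloud Router / Cloud NAT,
# and the ESP / UDP 500 / UDP 4500 forwarding rules of a Classic VPN gateway.
MANAGED_USER_PATTERNS = (
    re.compile(r"/routers/"),
    re.compile(r"/forwardingRules/.*(esp|udp500|udp4500)$", re.IGNORECASE),
)


@dataclass
class Target:
    address: str
    kind: str            # "static" or "ephemeral"
    used_by: List[str]   # resource names, e.g. ["web-1"]
    scope: str           # region, zone, or "global"


def _last(url: str) -> str:
    """'.../regions/us-central1' -> 'us-central1'."""
    return url.rstrip("/").split("/")[-1]


def classify_addresses(addresses: List[dict]) -> Dict[str, list]:
    """Reserved addresses -> scan targets, unused (billed) reservations, Google-managed ones."""
    out: Dict[str, list] = {"targets": [], "reserved_unused": [], "google_managed": []}
    for a in addresses:
        if a.get("addressType", "EXTERNAL") != "EXTERNAL":
            continue                      # internal / private-services ranges are not internet facing
        users = a.get("users", [])
        if a.get("status") == "RESERVED" or not users:
            out["reserved_unused"].append(a["address"])   # "In use by: None" in the console
            continue
        if all(any(p.search(u) for p in MANAGED_USER_PATTERNS) for u in users):
            out["google_managed"].append(a["address"])
            continue
        scope = _last(a["region"]) if "region" in a else "global"
        out["targets"].append(Target(a["address"], "static", [_last(u) for u in users], scope))
    return out


def ephemeral_targets(instances: List[dict]) -> List[Target]:
    """Ephemeral external IPs are not reservations; they only show on a NIC's access config."""
    found = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            for ac in nic.get("accessConfigs", []):
                if ac.get("type") == "ONE_TO_ONE_NAT" and ac.get("natIP"):
                    found.append(Target(ac["natIP"], "ephemeral", [inst["name"]], _last(inst["zone"])))
    return found


def build_scan_list(addresses: List[dict], instances: List[dict]) -> List[Target]:
    """Everything internet reachable, static first; a static IP also seen on its VM counts once."""
    static = classify_addresses(addresses)["targets"]
    seen = {t.address for t in static}
    return static + [t for t in ephemeral_targets(instances) if t.address not in seen]


# Constructed samples (documentation IP ranges, placeholder project), trimmed to the fields used.
_P = "https://www.googleapis.com/compute/v1/projects/demo-project"
SAMPLE_ADDRESSES = json.dumps([
    {"name": "web-ip", "address": "203.0.113.10", "addressType": "EXTERNAL", "status": "IN_USE",
     "region": f"{_P}/regions/us-central1", "users": [f"{_P}/zones/us-central1-a/instances/web-1"]},
    {"name": "lb-ip", "address": "203.0.113.20", "addressType": "EXTERNAL", "status": "IN_USE",
     "users": [f"{_P}/global/forwardingRules/web-lb-rule"]},
    {"name": "spare-ip", "address": "203.0.113.30", "addressType": "EXTERNAL", "status": "RESERVED",
     "region": f"{_P}/regions/us-central1"},
    {"name": "vpn-ip", "address": "203.0.113.40", "addressType": "EXTERNAL", "status": "IN_USE",
     "region": f"{_P}/regions/us-central1",
     "users": [f"{_P}/regions/us-central1/forwardingRules/vpn-gw-rule-{s}" for s in ("esp", "udp500", "udp4500")]},
    {"name": "nat-ip", "address": "203.0.113.50", "addressType": "EXTERNAL", "status": "IN_USE",
     "purpose": "NAT_AUTO", "region": f"{_P}/regions/us-central1", "users": [f"{_P}/regions/us-central1/routers/nat-router"]},
    {"name": "psa-range", "address": "10.20.0.0", "addressType": "INTERNAL", "status": "RESERVED", "purpose": "VPC_PEERING"},
])
SAMPLE_INSTANCES = json.dumps([
    {"name": "web-1", "zone": f"{_P}/zones/us-central1-a",
     "networkInterfaces": [{"accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "bastion", "zone": f"{_P}/zones/us-central1-b",
     "networkInterfaces": [{"accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "198.51.100.7"}]}]},
    {"name": "internal-db", "zone": f"{_P}/zones/us-central1-b", "networkInterfaces": [{}]},
])


def load_samples():
    return json.loads(SAMPLE_ADDRESSES), json.loads(SAMPLE_INSTANCES)


if __name__ == "__main__":
    addrs, insts = load_samples()          # replace with json.load over the two gcloud dumps
    summary = classify_addresses(addrs)
    print("unused reservations (billed, nothing to scan):", summary["reserved_unused"])
    print("google-managed (skip):", summary["google_managed"])
    for t in build_scan_list(addrs, insts):
        print(f"{t.address:15} {t.kind:9} {t.scope:14} {', '.join(t.used_by)}")
```

The output of `build_scan_list` is the scan target list; the two skipped buckets are still worth reporting, because unused reservations cost money and the Google-managed entries explain why a VPN or NAT address shows up in the console at all.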

So we have all the external addresses used in our projects; what's next?
Once we have the list, scan each address for ports exposed to the internet and audit why each port and endpoint is open. There may be cases where sensitive services such as SSH or SQL ports were opened unintentionally. It is good to know which ports are exposed and which service versions are running behind them, so that known vulnerabilities in those services can be remediated.

  • Run a regular audit of the external IP addresses in use across projects.
  • Scan the open ports on all external addresses and check whether any of the services behind them run vulnerable versions.
    Note: a global load balancer address will show multiple open ports when scanned, because the probes reach Google's front ends rather than your backends; more details can be found in Google's load balancer documentation.
  • Perform penetration testing of the exposed services to find application-level vulnerabilities, as part of the software development process.
  • Limit the exposure of services to the internet if they are not really intended to be public.

Note: the gathered data will also contain addresses managed by Google Cloud itself, such as addresses in use by routers (Cloud Router / Cloud NAT) and the forwarding rules of VPN gateways (ESP, UDP 500 and UDP 4500). These entries can be excluded from scanning.
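To show what the scanning step looks like, here is an added example that is not from the post: a TCP connect scan with banner grab, written in Python with only the standard library, to run over the addresses gathered above. It reports which of a default set of ports are open, uses the banner rather than the port number to decide what the service is (so an SSH daemon moved to another port is still flagged), and lists the sensitive services first. With no arguments it scans a constructed loopback listener that imitates an SSH server; the port list, the service table and the demo banner are assumptions.

```python
"""TCP connect scan with banner grab over the gathered external addresses (added example)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Sequence

DEFAULT_PORTS = (22, 80, 443, 1433, 3306, 3389, 5432, 6379, 27017)
# Services the post singles out: exposing these to the whole internet is rarely intended.
SENSITIVE = {"ssh", "mssql", "mysql", "rdp", "postgres", "redis", "mongodb"}
BY_PORT = {22: "ssh", 80: "http", 443: "https", 1433: "mssql", 3306: "mysql",
           3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb"}


def probe(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """None if closed or filtered; otherwise the first bytes the service sends (may be '')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("latin-1", "replace").strip()
            except OSError:      # open, but the service waits for the client to speak (HTTP, TLS, most DBs)
                return ""
    except OSError:              # refused, timed out, unreachable
        return None


def scan_host(host: str, ports: Sequence[int] = DEFAULT_PORTS, timeout: float = 2.0) -> Dict[int, str]:
    """Open port -> banner for one address, probing the ports concurrently."""
    with ThreadPoolExecutor(max_workers=min(32, len(ports))) as ex:
        results = list(ex.map(lambda p: (p, probe(host, p, timeout)), ports))
    return {p: b for p, b in results if b is not None}


def identify(port: int, banner: str) -> str:
    """Trust the banner over the port number: an SSH daemon on 2222 is still SSH."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp-or-ftp"
    return BY_PORT.get(port, "unknown")


def findings(host: str, open_ports: Dict[int, str]) -> List[str]:
    """One line per open port, sensitive services first, so the audit has something to act on."""
    rows = [(identify(p, b) in SENSITIVE, p, identify(p, b), b or "(no banner)") for p, b in open_ports.items()]
    rows.sort(key=lambda r: (not r[0], r[1]))
    return [f"{'REVIEW ' if sens else ''}{host}:{port} {svc} {banner}" for sens, port, svc, banner in rows]


def start_demo_listener(banner: bytes) -> int:
    """Constructed stand-in for an exposed service: accepts on loopback and sends `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A loopback port nothing listens on, to show what a closed port looks like."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:                                   # real targets: python scan.py 203.0.113.10 ...
        for host in sys.argv[1:]:
            print("\n".join(findings(host, scan_host(host))) or f"{host}: nothing open on {DEFAULT_PORTS}")
    else:                                              # no targets: scan the constructed demo listener
        ssh_like = start_demo_listener(b"SSH-2.0-OpenSSH_9.3\r\n")
        print("\n".join(findings("127.0.0.1", scan_host("127.0.0.1", [ssh_like, free_port()]))))
```

For the service-version detection the post asks for, `nmap -sV -Pn -iL targets.txt` over the same target list gives far better coverage than this banner grab; the point of the example is the classification and prioritisation of what comes back. Only scan addresses you own, and expect the global load balancer addresses to produce the many-open-ports result the note above warns about.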

By regularly monitoring and scanning the endpoints exposed from our cloud environment, we make sure we aren't an easy target.

Hope this was helpful…
