@kholisrag
Last active July 4, 2024 05:27

Revisions

  1. kholisrag revised this gist Jul 4, 2024. 1 changed file with 24 additions and 15 deletions.
    39 changes: 24 additions & 15 deletions check.sh
    @@ -12,21 +12,30 @@ for project in $projects; do
    fi

    # Fetch and filter firewall rules (including network)
    allowed_rules=$(gcloud compute firewall-rules list \
    --project "$project" \
    --format="value(name,network,disabled,allowed[].ports[],allowed[].IPProtocol[])" \
    | while read -r name network disabled ports protocol; do
    if [[ "$disabled" == "False" ]] && [[ "$ports" == "['22']" ]] && [[ "$protocol" == "tcp" ]]; then
    IFS=',' read -ra source_ranges <<< "$(gcloud compute firewall-rules describe "$name" --project "$project" --format="value(sourceRanges)")"
    for source_range in "${source_ranges[@]}"; do
    if [[ "$source_range" == "0.0.0.0/0" ]]; then
    echo "$name (Network: $network)"
    break
    fi
    done
    fi
    done)
    allowed_rules=$(\
    gcloud compute firewall-rules list \
    --project "$project" \
    --format="value(name,network,disabled,allowed[].ports[],allowed[].IPProtocol[])" \
    | \
    while read -r name network disabled ports protocol; do
    # Skip if the rule is disabled or not TCP protocol
    if [[ "$disabled" == "True" ]] || [[ "$protocol" != "tcp" ]]; then
    continue
    fi
    # Check if port 22 is in the list of allowed ports
    if [[ "$ports" == *22* ]]; then
    IFS=',' read -ra source_ranges <<< "$(gcloud compute firewall-rules describe "$name" --project "$project" --format="value(sourceRanges)")"
    for source_range in "${source_ranges[@]}"; do
    if [[ "$source_range" == "0.0.0.0/0" ]]; then
    echo "$name (Network: $network)"
    break
    fi
    done
    fi
    done
    )

    if [ -n "$allowed_rules" ]; then
    echo "Project $project has the following firewall rules allowing SSH (port 22) from the Internet (0.0.0.0/0):"
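Review bot: `[[ "$ports" == *22* ]]` is a substring test, so it flags rules that only open 2222 or 1220 and misses rules whose port entry is a range such as `20-30` or whose port list is empty, which for a `tcp` entry means every port; in the empty case `read` also collapses the missing tab-separated field, so `tcp` lands in `$ports`, `$protocol` is empty and the rule is dropped at the protocol check. Putting `allowed[].IPProtocol[]` before `allowed[].ports[]` in the projection makes the port list the last field, so an empty list is preserved, and each entry can then be tested as a single port or a lo-hi range. The `IFS=','` split of `sourceRanges` looks wrong too: as far as I recall the `value` format joins list elements with `;` (verify against real output), so a rule with `10.0.0.0/8;0.0.0.0/0` never matches, and `::/0` is not considered at all. Note that `allowed[].ports[]` flattens ports across all `allowed` entries, so a rule with both udp and tcp entries mixes their ports, and the sketch below does not untangle that. The enclosing `for project` loop starts and ends outside the hunk.
```shell
allowed_rules=$(\
  gcloud compute firewall-rules list \
  --project "$project" \
  --format="value(name,network,disabled,allowed[].IPProtocol[],allowed[].ports[])" \
  | \
  while read -r name network disabled protocol ports; do
    # Skip disabled rules and anything that is not TCP (or "all")
    if [[ "$disabled" == "True" ]] || [[ "$protocol" != "tcp" && "$protocol" != "all" ]]; then
      continue
    fi
    # An empty port list means every port; otherwise each ';'-joined entry
    # is a single port or a lo-hi range
    ssh_open=0
    if [[ -z "$ports" ]]; then
      ssh_open=1
    else
      IFS=';' read -ra port_list <<< "$ports"
      for p in "${port_list[@]}"; do
        lo=${p%%-*}
        hi=${p##*-}
        if (( lo <= 22 && 22 <= hi )); then
          ssh_open=1
          break
        fi
      done
    fi
    (( ssh_open )) || continue
    IFS=';' read -ra source_ranges <<< "$(gcloud compute firewall-rules describe "$name" --project "$project" --format="value(sourceRanges)")"
    for source_range in "${source_ranges[@]}"; do
      if [[ "$source_range" == "0.0.0.0/0" || "$source_range" == "::/0" ]]; then
        # … unchanged: echo "$name (Network: $network)" and break …
```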
  2. kholisrag revised this gist Jul 4, 2024. No changes.
  3. kholisrag revised this gist Jul 4, 2024. 1 changed file with 14 additions and 7 deletions.
    21 changes: 14 additions & 7 deletions check.sh
    @@ -12,15 +12,22 @@ for project in $projects; do
    fi

    # Fetch and filter firewall rules (including network)
    allowed_rules=$(gcloud compute firewall-rules list --project "$project" --format="value(name,network,disabled)" | while read -r name network disabled; do
    if [[ "$disabled" == "False" ]]; then
    rule_details=$(gcloud compute firewall-rules describe "$name" --project "$project" --format="value(allowed[0].ports,sourceRanges)")
    if echo "$rule_details" | grep -q "22" | grep -q "0.0.0.0/0"; then
    echo "$name (Network: $network)"
    allowed_rules=$(gcloud compute firewall-rules list \
    --project "$project" \
    --format="value(name,network,disabled,allowed[].ports[],allowed[].IPProtocol[])" \
    | while read -r name network disabled ports protocol; do
    if [[ "$disabled" == "False" ]] && [[ "$ports" == "['22']" ]] && [[ "$protocol" == "tcp" ]]; then
    IFS=',' read -ra source_ranges <<< "$(gcloud compute firewall-rules describe "$name" --project "$project" --format="value(sourceRanges)")"
    for source_range in "${source_ranges[@]}"; do
    if [[ "$source_range" == "0.0.0.0/0" ]]; then
    echo "$name (Network: $network)"
    break
    fi
    done
    fi
    done)
    if [ -n "$allowed_rules" ]; then
    echo "Project $project has the following firewall rules allowing SSH (port 22) from the Internet (0.0.0.0/0):"
    echo "$allowed_rules"
    @@ -29,4 +36,4 @@ for project in $projects; do
    fi
    echo "--------------------"
    done
    done
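Review bot: `[[ "$ports" == "['22']" ]]` only matches a rule whose flattened port list prints exactly as the Python repr `['22']`; a rule opening `22` together with other ports, a range like `20-30`, or every port (empty list) is reported as safe, and whether `value(allowed[].ports[])` even prints a one-element list as `['22']` rather than `22` should be checked against real output before trusting any result. Treat the port field as a list and test each entry for covering 22 instead of comparing the whole string. The `IFS=','` split of the `describe` output raises the same list-separator question, since the `value` format may join list elements with `;` rather than `,`. The second hunk (`fi`/`echo`/`done`/`done`) appears to be whitespace-only. The enclosing `for project` loop starts and ends outside the hunks.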
  4. kholisrag created this gist Jul 4, 2024.
    32 changes: 32 additions & 0 deletions check.sh
    @@ -0,0 +1,32 @@
    #!/bin/bash

    projects=$(gcloud projects list --format="value(projectId)")

    for project in $projects; do
    echo "Checking project: $project"

    if ! gcloud services list --project "$project" --enabled | grep -q compute.googleapis.com; then
    echo "Compute Engine API not enabled for $project. Skipping..."
    echo "--------------------"
    continue
    fi

    # Fetch and filter firewall rules (including network)
    allowed_rules=$(gcloud compute firewall-rules list --project "$project" --format="value(name,network,disabled)" | while read -r name network disabled; do
    if [[ "$disabled" == "False" ]]; then
    rule_details=$(gcloud compute firewall-rules describe "$name" --project "$project" --format="value(allowed[0].ports,sourceRanges)")
    if echo "$rule_details" | grep -q "22" | grep -q "0.0.0.0/0"; then
    echo "$name (Network: $network)"
    fi
    fi
    done)
    if [ -n "$allowed_rules" ]; then
    echo "Project $project has the following firewall rules allowing SSH (port 22) from the Internet (0.0.0.0/0):"
    echo "$allowed_rules"
    else
    echo "Project $project has no enabled firewall rules allowing SSH from the Internet."
    fi
    echo "--------------------"
    done
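Review bot: `if echo "$rule_details" | grep -q "22" | grep -q "0.0.0.0/0"; then` can never be true: `grep -q` prints nothing, so the second grep reads empty input and always fails, and every project is reported as having no open SSH rules. Test both conditions on the same data, e.g. `if grep -q "22" <<<"$rule_details" && grep -q "0.0.0.0/0" <<<"$rule_details"; then`. Even then the substring `22` also matches ports such as 2222 and octets inside IP ranges, and `allowed[0].ports` inspects only the first `allowed` entry of the rule, so a check that parses the port list and source ranges as fields is needed for a reliable result. The script also runs without `set -euo pipefail`, so a failing `gcloud` call inside the `$(...)` pipeline yields empty output and is silently reported as "no enabled firewall rules".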