google-cloud-platform, google-compute-engine

Are GCP default firewall-rules a security-concern?


Whenever you create a project in GCP there is a default firewall rule called "default-allow-ssh", which allows 0.0.0.0/0 on port 22, which makes it easy to SSH into machines with an external IP from the browser. But that allows any machine from the internet to access my machine on port 22, and bots are constantly trying to access whatever they can find. I suppose they would still need to crack the password or SSH key or something, but isn't that a very dangerous default rule? There are not really any warnings when you spin up a new machine with an external IP, and I was expecting GCP to have a more restricted approach. If anyone can help me clarify this, it would be much appreciated. And if I remove this default rule and still want to access my machines through SSH, which approach would be simple and secure?


Solution

  • Without this rule, when you try to SSH in using the gcloud command-line tool, the request would be immediately rejected, so AFAIK, the Compute Engine's choice here was optimized toward ease of getting started with GCE.

    I also think that password authentication is disabled by default, so any attacker has two avenues of entry:

    1. Crack an SSH private key
    2. Exploit a vulnerability in the SSH agent binary

    I think the first is pretty far-fetched given today's technology. If this were sufficiently easy, we'd have much bigger problems in the world.

    The second seems like something to worry about if you didn't have automatic security patches deployed by Google Cloud Platform on a regular basis. Yes, this is still vulnerable to 0-day exploits, but given that Google's security team were the ones who discovered several of the recent security vulnerabilities in popular projects (e.g., I'm pretty sure that Heartbleed was discovered, patched, and disclosed by Google), it's pretty likely that if there were a security bug in the SSH agent used by all of GCE VMs, Google would get it patched faster than anyone else would.

    That said, if you really don't like this rule, I'm pretty sure you can go in and change the rule's definition so that it only allows some specific list of IPs or subnets by default for all of your VMs.
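An added example, not part of the question or the answer above, showing how to audit a project for the situation the answer describes (an enabled ingress rule that opens TCP/22 to 0.0.0.0/0) and how to produce the narrowing that the answer suggests. The rule list is a constructed sample shaped like the Compute Engine firewall resource that `gcloud compute firewall-rules list --format=json` returns; the rule names other than `default-allow-ssh` and the admin range `198.51.100.0/24` are placeholders, not values from the page.

```python
import ipaddress
import json

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`
# output (Compute Engine firewall resource fields). Not real project data.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "default-allow-internal", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
               {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
  {"name": "allow-admin-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["198.51.100.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
  {"name": "wide-open-all-tcp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "old-rule-off", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "egress-all", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]
"""


def port_spec_covers(spec, port):
    """True if a firewall port spec ("22" or "20-25") includes `port`."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= port <= hi


def rule_allows_tcp_port(rule, port):
    """True if any `allowed` entry of the rule admits TCP traffic to `port`."""
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        if any(port_spec_covers(p, port) for p in ports):
            return True
    return False


def is_world_reachable(rule):
    """Ingress, enabled, and at least one source range is the whole internet."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            return True
    return False


def find_exposed_ssh_rules(rules, port=22):
    """Names of enabled ingress rules that expose TCP/`port` to the whole internet."""
    return [r["name"] for r in rules
            if is_world_reachable(r) and rule_allows_tcp_port(r, port)]


def remediation_commands(rule_names, admin_ranges):
    """gcloud commands that narrow each flagged rule to the given source ranges.

    `--source-ranges` on `firewall-rules update` replaces the rule's existing list,
    so the flagged 0.0.0.0/0 entry disappears.
    """
    ranges = ",".join(admin_ranges)
    return [f"gcloud compute firewall-rules update {name} --source-ranges={ranges}"
            for name in rule_names]


if __name__ == "__main__":
    rules = json.loads(SAMPLE_RULES_JSON)
    exposed = find_exposed_ssh_rules(rules)
    print("Rules exposing TCP/22 to 0.0.0.0/0:", exposed)
    for cmd in remediation_commands(exposed, ["198.51.100.0/24"]):
        print(cmd)
```

Against real output, pipe `gcloud compute firewall-rules list --format=json` into `json.loads` instead of the sample. The audit deliberately treats a rule with no `ports` list, or an `all`-protocol rule, as covering port 22, and ignores disabled and egress rules, so that a broad rule elsewhere in the project is not missed while a harmless one is not flagged.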