Disable SSH TCP Forwarding
An XCCDF Rule
Description
The AllowTcpForwarding
parameter specifies whether TCP forwarding is permitted.
To disable TCP forwarding, add or correct the following line in
/etc/ssh/sshd_config
:
AllowTcpForwarding no
Rationale
Leaving port forwarding enabled can expose the organization to security risks and back-doors.
- ID
- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Disable SSH TCP Forwarding
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd_config
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config"