The AIX SSH daemon must be configured for IP filtering.

An XCCDF Rule

Description

<VulnDiscussion>The SSH daemon must be configured for IP filtering to provide a layered defense against connection attempts from unauthorized addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-215295r508663_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

Add appropriate IP restrictions for SSH to the "/etc/hosts.deny" and/or "/etc/hosts.allow" files. 

TCP Wrappers can be installed from the AIX Expansion Pack by installing fileset "netsec.options.tcpwrappers" using the following command (assume AIX Expansion Pack is mounted on /dev/cd0):
# installp -aXYgd /dev/cd0 -e /tmp/install.log netsec.options.tcpwrappers

The AIX SSH daemon must be configured for IP filtering.

Description

Remediation - Manual Procedure