  • Misconfiguration Name: SSH port forwarding option is not disabled
  • Description: SSH (Secure Shell) uses port 22 by default to establish secure connections between servers and clients. SSH port forwarding is a mechanism for routing the traffic that arrives at the SSH port to other application ports, so that other protocols are tunnelled inside the SSH session. Leaving port forwarding enabled can expose the organization to security risks and back-doors. SSH connections are protected with strong encryption, which makes their contents invisible to most deployed network monitoring and traffic filtering solutions; that invisibility carries considerable risk when it is used for malicious purposes. Fixing this misconfiguration sets the AllowTcpForwarding parameter in the SSH server configuration so that port forwarding is disabled.
  • Severity: important
  • Category: Linux Secure Shell
  • Resolution: Follow the steps below to resolve the misconfiguration. Edit the /etc/ssh/sshd_config file and set the parameter as follows:
    AllowTcpForwarding no
  • Potential issues that may arise after applying the resolution: Altering the existing security setting may affect your network operations. Applications and processes that rely on SSH port forwarding will no longer be able to use it.
  • Does remediation require reboot? No
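The following shell script is an added example, not part of the catalog entry or its vendor's tooling. It audits an sshd_config file for the effective global AllowTcpForwarding value and applies the resolution above, taking into account that sshd honours only the first occurrence of a keyword and that settings under a Match block apply only to matching sessions. It assumes POSIX sh with awk, and that the config file path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the catalog entry: audit an sshd_config file for
# AllowTcpForwarding and apply the catalog's resolution. Assumes POSIX sh with
# awk; the path to the config file is passed as the first argument.

# Effective global value of AllowTcpForwarding. sshd honours the FIRST
# occurrence of a keyword and ignores later duplicates, and directives under a
# "Match" block apply only to matching sessions, so reading stops at the first
# Match line. An absent keyword means the built-in default, which is "yes".
tcp_forwarding_value() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Returns 0 (pass) only when forwarding is fully disabled ("no").
# "local", "remote" and "all" still permit some forwarding, so they are findings.
check_tcp_forwarding() {
    v=$(tcp_forwarding_value "$1")
    if [ "$v" = "no" ]; then
        echo "PASS: AllowTcpForwarding is no in $1"
        return 0
    fi
    echo "FAIL: AllowTcpForwarding is effectively '$v' in $1"
    return 1
}

# Apply the resolution: rewrite every global AllowTcpForwarding line to "no",
# or insert one before the first Match block (or at the end) when none exists,
# so the new setting cannot be shadowed by a later duplicate. Lines inside
# Match blocks are left untouched because they only apply to matched sessions.
fix_tcp_forwarding() {
    f=$1
    awk '
        tolower($1) == "match" && !done { print "AllowTcpForwarding no"; done = 1 }
        tolower($1) == "match" { inmatch = 1 }
        tolower($1) == "allowtcpforwarding" && !inmatch {
            if (!done) { print "AllowTcpForwarding no"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "AllowTcpForwarding no" }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
```

After `fix_tcp_forwarding /etc/ssh/sshd_config`, run `sshd -t` to validate the configuration before reloading the service, and re-run `check_tcp_forwarding` to confirm the finding is closed.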