Check: ESXI-67-000022
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000022
(in versions v1 r1 through v1 r3)
Title
The ESXi host SSH daemon must be configured to not allow gateway ports. (Cat III impact)
Discussion
SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide convenience similar to a Virtual Private Network (VPN), with a similar risk of providing a path to circumvent firewalls and network Access Control Lists (ACLs). With "GatewayPorts yes", a remote forwarded port (ssh -R) is bound to the server's non-loopback addresses as well, so any host that can reach the ESXi host's management interfaces can use the tunnel, not only the SSH client that created it. With "GatewayPorts no" (the sshd default), such ports bind to the loopback address only.
Check Content
From an SSH session connected to the ESXi host, or from the ESXi shell, run the following command:

# grep -i "^GatewayPorts" /etc/ssh/sshd_config

If there is no output or the output is not exactly "GatewayPorts no", this is a finding.
Fix Text
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":

GatewayPorts no
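The check above only reports what the literal grep sees, and the fix text says where to put the line but not how to do it safely. The POSIX sh functions below are an added example, not part of the STIG or of VMware's tooling, that audit and remediate a sshd_config file passed as an argument. They reproduce the STIG grep exactly, then also compute the value sshd would actually use (first occurrence of the keyword in the global section wins, keywords are case-insensitive, leading whitespace is allowed, and the default is "no"), which exposes two cases the STIG grep does not: an indented or lower-case "gatewayports yes" that precedes the compliant line, and a directive that has been pushed below a "Match" block, where it no longer applies globally. The fix removes every active directive and inserts "GatewayPorts no" before the first "Match" line, so the result passes both checks. File paths and the constructed sample configs in the test are assumptions; the "GatewayPorts=no" spelling that sshd also accepts is not modeled.

```shell
#!/bin/sh
# Added example (not from the STIG): audit and remediate GatewayPorts in an
# sshd_config file. POSIX sh plus awk, so it runs in the ESXi busybox shell
# as well as on a workstation against a copied config. FILE is an assumption.

# check_gateway_ports_stig FILE -> echoes "pass" or "fail", returns 0/1.
# Same test as the STIG check content: directive at column 0, any case,
# and the complete grep output must be exactly "GatewayPorts no".
check_gateway_ports_stig() {
    f="$1"
    out=$(grep -i '^GatewayPorts' "$f" || true)   # "|| true" keeps set -e quiet
    if [ "$out" = "GatewayPorts no" ]; then
        echo pass
        return 0
    fi
    echo fail
    return 1
}

# effective_gateway_ports FILE -> echoes the value sshd would use for the
# global section: first keyword match (case-insensitive, leading whitespace
# allowed) before any "Match" block; sshd's default "no" when unset.
# Match blocks and the "Keyword=value" form are not modeled.
effective_gateway_ports() {
    f="$1"
    v=$(awk '
        tolower($1) == "match"        { exit }                     # global section ends here
        tolower($1) == "gatewayports" { print tolower($2); exit }  # first occurrence wins
    ' "$f")
    if [ -n "$v" ]; then
        echo "$v"
    else
        echo no
    fi
}

# fix_gateway_ports FILE: drop every active GatewayPorts directive (any case,
# any indentation, inside or outside Match blocks), keep comments, and insert
# "GatewayPorts no" once, before the first Match line so it stays global.
# The file is rewritten in place through cat so its mode and inode survive.
fix_gateway_ports() {
    f="$1"
    tmp="$f.tmp.$$"
    awk -v ins="GatewayPorts no" '
        tolower($1) == "gatewayports"          { next }
        tolower($1) == "match" && !done        { print ins; done = 1 }
        { print }
        END                                    { if (!done) print ins }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Command-line use: sh gatewayports.sh /etc/ssh/sshd_config [--fix]
if [ $# -ge 1 ]; then
    cfg="$1"
    echo "STIG grep check : $(check_gateway_ports_stig "$cfg")"
    echo "effective value : $(effective_gateway_ports "$cfg")"
    if [ "${2:-}" = "--fix" ]; then
        fix_gateway_ports "$cfg" && echo "rewrote $cfg; restart sshd to apply"
    fi
fi
```

A config that passes the STIG grep but has an effective value of "yes" is the case to watch for: the literal check is satisfied, the host is not. After running the fix on a live ESXi host, restart the SSH service (on ESXi, /etc/init.d/SSH restart) so the running daemon reloads the file, and re-run the check to confirm.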
Additional Identifiers
Rule ID: SV-239277r674760_rule
Vulnerability ID: V-239277
Group Title: SRG-OS-000480-VMM-002000
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings