Navigate

Check: GEN005517

VMware ESX 3 Server: GEN005517 (in version v1 r2)

Title

The SSH daemon must be configured to not allow gateway ports. (Cat III impact)

Discussion

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.

Check Content

Check the SSH daemon configuration for the gateway ports setting. # grep -i GatewayPorts /etc/ssh/sshd_config | grep -v '^#' If no lines are returned or the returned setting has a value evaluating to yes, this is a finding.

Fix Text

Edit the SSH daemon configuration and change or add the GatewayPorts setting to no.

Additional Identifiers

Rule ID: SV-26759r1_rule

Vulnerability ID: V-22466

Group Title: GEN005517

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000032	The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4 (8)	Security Policy Filters