Navigate

Check: GEN005518

VMware ESX 3 Server: GEN005518 (in version v1 r2)

Title

The SSH client must be configured to not allow gateway ports. (Cat III impact)

Discussion

SSH TCP connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network ACLs. Gateway ports allow remote forwarded ports to bind to non-loopback addresses on the server.

Check Content

Check the SSH client configuration for the gateway ports setting. # grep -i GatewayPorts /etc/ssh/ssh_config | grep -v '^#' If no lines are returned or the returned setting has a value evaluating to yes, this is a finding.

Fix Text

Edit the SSH client configuration and change or add the GatewayPorts setting to no.

Additional Identifiers

Rule ID: SV-26760r1_rule

Vulnerability ID: V-22467

Group Title: GEN005518

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000032	Enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4(8)	Security and Privacy Policy Filters