6.5.3 (L1) Host SSH daemon, if enabled, must not allow use of gateway ports

Information

When enabled, the SSH daemon on the host should have the gateway ports feature disabled to prevent remote hosts from forwarding connections. This is a hardening measure to ensure that the SSH service is securely configured against potential forwarding misuses.

Disabling gateway ports is a preventative measure to avoid unauthorized forwarding by remote hosts, thus enhancing the security posture of the system. It is a prudent step in minimizing the attack surface associated with SSH service.

Solution

Impact:

There are no noted functional impacts associated with this control. It is a proactive security measure designed to prevent potential misuse of SSH service forwarding capabilities, without affecting the normal operation of the host.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2, CSCv7|12.4

Plugin: Unix

Control ID: 71ef3ffdd4ee202d618b636f6955347bbd8072d5ac9307bdbcfe10dfdf80c805