Profile Applicability:
 • Level 1

Description:
 The DisableForwarding option in the SSH daemon configuration (sshd_config) disables all forwarding features at once: TCP port forwarding, X11 forwarding, ssh-agent forwarding and StreamLocal (Unix-domain socket) forwarding. It overrides every other forwarding-related directive, so a single DisableForwarding yes is sufficient where the installed OpenSSH supports it; the per-feature directives (AllowTcpForwarding, X11Forwarding, AllowAgentForwarding, PermitTunnel) cover older releases and act as defense in depth. Enabling this option reduces the risk of unauthorized network traffic being tunneled through SSH connections.

Rationale:
 Disabling forwarding limits the attack surface by preventing SSH sessions from being turned into tunnels for unauthorized data exfiltration or lateral network access (for example, a compromised account on a bastion using ssh -L, -R, -D or -W to reach internal services that are not otherwise exposed). Note the caveat from the sshd_config manual page: restricting TCP forwarding does not by itself stop a user who has shell access, because such a user can run their own forwarder over the session; the control is most effective on hosts where users are also denied a shell or confined to a forced command.

Impact:
 Pros:

  • Enhances SSH security by restricting port, X11, agent and tunnel forwarding.

  • Helps prevent misuse of SSH tunnels for exfiltration, pivoting and bypassing network access controls.

Cons:

  • Disrupts legitimate use cases that require forwarding: local and remote port forwards (ssh -L / -R), SOCKS proxies (ssh -D), jump-host traffic through this host (ssh -J / ProxyJump / -W, which uses TCP forwarding on the intermediate host), remote X11 applications, ssh-agent use on the remote side, and tun/tap VPNs.

  • Active sessions keep any forwarding they already set up; the new setting applies only to connections accepted after sshd is restarted.

Default Value:
 OpenSSH's built-in defaults are DisableForwarding no, AllowTcpForwarding yes, AllowAgentForwarding yes, X11Forwarding no and PermitTunnel no, so TCP and agent forwarding are permitted unless explicitly disabled. Distribution packages may ship different values in /etc/ssh/sshd_config (Debian-based systems, for example, set X11Forwarding yes), so check the effective configuration rather than assuming the built-in defaults.

Pre-requisites:

  • Root or sudo privileges to modify SSH daemon configuration.

Remediation:

Test Plan:

Using Linux command line:

Check the effective forwarding settings. sshd -T prints the running configuration after built-in defaults, Include'd drop-in files and (with -C) Match blocks have been resolved, which a plain grep of sshd_config misses; it needs root to read the host keys:

sudo sshd -T | grep -iE '^(disableforwarding|allowtcpforwarding|allowagentforwarding|x11forwarding|permittunnel) '

  1. Verify that the output shows disableforwarding yes or, on OpenSSH releases that lack that directive, allowtcpforwarding no, allowagentforwarding no, x11forwarding no and permittunnel no.

  2. If sshd_config contains Match blocks, repeat the check for a representative user, since a Match block can re-enable forwarding for that user or group:

sudo sshd -T -C user=<name>,host=<client-host>,addr=<client-addr> | grep -iE '^(disableforwarding|allowtcpforwarding|allowagentforwarding|x11forwarding|permittunnel) '

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Add or update the following directives to disable forwarding. Because sshd uses the first value it reads for each keyword, place them before any Include line (distributions that ship Include /etc/ssh/sshd_config.d/*.conf put it at the top of the file) or put them in their own drop-in file under /etc/ssh/sshd_config.d/, and make sure no later line or Match block sets them back:

DisableForwarding yes

AllowTcpForwarding no

X11Forwarding no

PermitTunnel no

AllowAgentForwarding no

Save the file, validate the configuration before restarting so a typo cannot lock you out, and then restart sshd (the unit is named ssh on Debian-based systems):

sshd -t && systemctl restart sshd

Verify the effective configuration:

sudo sshd -T | grep -iE '^(disableforwarding|allowtcpforwarding|allowagentforwarding|x11forwarding|permittunnel) '
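The following script is an added example for this control, not part of the benchmark or of OpenSSH. It automates the verification step by parsing sshd -T output (lowercase "keyword value" lines) from stdin, so it can be run against a live daemon or a saved dump. It encodes the override semantics described above: DisableForwarding yes passes on its own, otherwise each per-feature directive must be an explicit no. The sample dumps embedded in it are constructed and trimmed to the relevant keywords; the --live flag and the file name are assumptions of this example.

```shell
#!/bin/sh
# audit_sshd_forwarding.sh
# Added example; not part of the benchmark or of OpenSSH.
# Audits the *effective* sshd configuration as printed by "sshd -T",
# which already reflects built-in defaults, Include'd drop-in files and,
# with -C, Match blocks. Reading the dump from stdin lets the same check
# run offline against a saved dump.

# lookup DUMP KEYWORD: print the value of one lowercase keyword, or nothing.
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_forwarding: read an sshd -T dump on stdin, print one verdict line per
# directive, return 0 when forwarding is effectively disabled, 1 otherwise.
# DisableForwarding yes overrides every other forwarding directive, so it is
# sufficient on its own; otherwise each per-feature directive must be "no".
check_forwarding() {
    dump=$(cat)
    rc=0
    master=$(lookup "$dump" disableforwarding)
    if [ "$master" = "yes" ]; then
        echo "PASS disableforwarding yes (overrides all other forwarding options)"
        return 0
    fi
    echo "INFO disableforwarding ${master:-unset}; checking per-feature directives"
    for key in allowtcpforwarding allowagentforwarding x11forwarding permittunnel; do
        got=$(lookup "$dump" "$key")
        # Anything other than an explicit "no" (yes, local, remote,
        # point-to-point, ethernet, or unset) still permits some forwarding.
        if [ "$got" = "no" ]; then
            echo "PASS $key no"
        else
            echo "FAIL $key ${got:-unset} (want no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample dumps (trimmed to the relevant lines) for offline use;
# real "sshd -T" output contains many more keywords.
SAMPLE_DEFAULT='port 22
allowtcpforwarding yes
allowagentforwarding yes
x11forwarding no
permittunnel no
disableforwarding no'

SAMPLE_HARDENED='port 22
allowtcpforwarding no
allowagentforwarding no
x11forwarding no
permittunnel no
disableforwarding yes'

# A Match block or stray drop-in re-enabled TCP forwarding, but the master
# switch is still on, so forwarding remains disabled.
SAMPLE_MASTER_ONLY='port 22
allowtcpforwarding yes
disableforwarding yes'

# Older OpenSSH without DisableForwarding: the per-feature directives decide.
SAMPLE_LEGACY='port 22
allowtcpforwarding no
allowagentforwarding no
x11forwarding no
permittunnel no'

# Usage on a live host (root is needed to read the host keys):
#   sudo sshd -T | sh audit_sshd_forwarding.sh --live
#   sudo sshd -T -C user=alice,host=h,addr=10.0.0.5 | sh audit_sshd_forwarding.sh --live
if [ "${1:-}" = "--live" ]; then
    check_forwarding
    exit $?
fi

# With no arguments, demonstrate the verdicts on the constructed samples.
for name in DEFAULT HARDENED MASTER_ONLY LEGACY; do
    eval "sample=\$SAMPLE_$name"
    echo "== constructed sample: $name =="
    if printf '%s\n' "$sample" | check_forwarding; then
        echo "   overall: forwarding disabled"
    else
        echo "   overall: forwarding ENABLED"
    fi
done
```

A non-zero exit status from the --live mode makes the script usable as a compliance check in configuration management or a CI job; run it once per representative user with sshd -T -C when Match blocks are present, since the global dump alone does not show per-user overrides.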

Backout Plan:

Using Linux command line:

  1. Restore the previous values of the directives in /etc/ssh/sshd_config (or remove the added lines to fall back to the built-in defaults). Note that PermitTunnel and X11Forwarding default to no, so setting every directive to yes would be more permissive than the original state.

  2. Validate the file with sshd -t, restart sshd, and confirm with sshd -T that the expected values are in effect.

  3. Verify functionality by opening a new session and testing the forwarding that was needed (for example ssh -L for a port forward, or a ProxyJump through the host).

References:

  • sshd_config(5) manual page, sections DisableForwarding, AllowTcpForwarding, AllowAgentForwarding, X11Forwarding and PermitTunnel: https://man.openbsd.org/sshd_config