Disable SSH Forwarding

ID: file-disable-ssh-forwarding

Severity: unknown

Author: pussycat0x

Tags: audit,config,file,ssh

Description

SSH forwarding can enhance security by encrypting traffic (X11, agent, or port forwarding), but it also poses risks if misused. Attackers with access to a compromised system can pivot to other machines, potentially escalating privileges or stealing credentials.

YAML Source

id: file-disable-ssh-forwarding

info:
  name: Disable SSH Forwarding
  author: pussycat0x
  severity: unknown
  description: |
    SSH forwarding can enhance security by encrypting traffic (X11, agent, or port forwarding), but it also poses risks if misused. Attackers with access to a compromised system can pivot to other machines, potentially escalating privileges or stealing credentials.
  remediation: |
    Set X11Forwarding no and AllowTcpForwarding no in /etc/ssh/sshd_config to disable SSH forwarding and restart the SSH service.
  reference:
    - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
  metadata:
    verified: true
  tags: audit,config,file,ssh

file:
  - extensions:
      - all

    matchers:
      - type: word
        words:
          - "AllowTcpForwarding yes"
          - "X11Forwarding yes"
        condition: or
# digest: 4a0a00473045022100b5d591ec36d5a157ed75093a528e2f566c9369fed97e6634d5f2432384feb55d022050d1fee27508ea7f4caf0a2778435d0a27bcab9707d5abfd8c9eb2f13de77c8c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "file/audit/ssh/file-disable-ssh-forwarding.yaml"

View on Github