SSH forwarding can enhance security by encrypting traffic (X11, agent, or port forwarding), but it also poses risks if misused. Attackers with access to a compromised system can pivot to other machines, potentially escalating privileges or stealing credentials.
PoC代码[已公开]
id: file-disable-ssh-forwarding
info:
name: Disable SSH Forwarding
author: pussycat0x
severity: unknown
description: |
SSH forwarding can enhance security by encrypting traffic (X11, agent, or port forwarding), but it also poses risks if misused. Attackers with access to a compromised system can pivot to other machines, potentially escalating privileges or stealing credentials.
remediation: |
Set X11Forwarding no and AllowTcpForwarding no in /etc/ssh/sshd_config to disable SSH forwarding and restart the SSH service.
reference:
- https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
metadata:
verified: true
tags: audit,config,file,ssh
file:
- extensions:
- all
matchers:
- type: word
words:
- "AllowTcpForwarding yes"
- "X11Forwarding yes"
condition: or
# digest: 4a0a00473045022100b5d591ec36d5a157ed75093a528e2f566c9369fed97e6634d5f2432384feb55d022050d1fee27508ea7f4caf0a2778435d0a27bcab9707d5abfd8c9eb2f13de77c8c:922c64590222798bb761d5b6d8e72950