Rule ID
SV-258763r933350_rule
Version
V1R1
CCIs
CCI-000366
SSH Transmission Control Protocol (TCP) connection forwarding provides a mechanism to establish TCP connections proxied by the SSH server. This function can provide convenience similar to a virtual private network (VPN) with the similar risk of providing a path to circumvent firewalls and network Access Control Lists (ACLs). Gateway ports allow remote forwarded ports to bind to nonloopback addresses on the server.
From an ESXi shell, run the following command:
# esxcli system ssh server config list -k gatewayports
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.ssh.server.config.list.invoke() | Where-Object {$_.Key -eq 'gatewayports'}
Example result:
gatewayports no
If "gatewayports" is not configured to "no", this is a finding.From an ESXi shell, run the following command: # esxcli system ssh server config set -k gatewayports -v no or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.ssh.server.config.set.CreateArgs() $arguments.keyword = 'gatewayports' $arguments.value = 'no' $esxcli.system.ssh.server.config.set.Invoke($arguments)