ESXI-67-000025 – The ESXi host SSH daemon must not permit tunnels.

Details

OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide similar convenience to a Virtual Private Network (VPN) with the similar risk of providing a path to circumvent firewalls and network Access Control Lists (ACLs).

Solution

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in ‘/etc/ssh/sshd_config’:

PermitTunnel no

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

800-53|CM-6b.
CAT|II
CCI|CCI-000366
Rule-ID|SV-239280r674769_rule
STIG-ID|ESXI-67-000025
STIG-Legacy|SV-104083
STIG-Legacy|V-93997
Vuln-ID|V-239280

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles