Other Articles
- Servers – Disable UDF Filesystem
- Servers – Configure /tmp Partition
- Servers – Configure /home Partition
- Servers – Configure /var Partition
- Servers – Configure Shm Partition
- Servers – Enable dm-verity
- Servers – Enforce Authentication for Single User Mode
- Servers – Restrict Core Dump Generation
- Servers – Enable NX Protection
- Servers – Enable Address Space Layout Randomization (ASLR)
- Servers – Configure Message of the Day (MOTD)
- Servers – Configure Local Login Banner
- Servers – Configure Remote Login Banner
- Servers – Configure Message of the Day (MOTD) Permissions
- Servers – Configure Issue Permissions
- Servers – Configure Password Permissions
- Servers – Configure Group Backup Permissions
- Servers – Configure Group Permissions
- Servers – Configure Gshadow Backup Permissions
- Servers – Configure Gshadow Permissions
- Servers – Configure Passwd Backup Permissions
- Servers – Configure Shadow Backup Permissions
- Servers – Configure Shadow Permissions
- Servers – Ensure All Users' Home Directories Exist
- Servers – Ensure No Users Have .forward Files
- Servers – Ensure No Users Have .netrc Files
- Servers – Ensure No Users Have .rhosts Files
- Servers – Ensure Root is the Only UID 0 Account
- Servers – Ensure Root PATH Integrity
- Servers – Remove Legacy '+' Entries from Group
- Servers – Remove Legacy '+' Entries from Passwd
- Servers – Remove Legacy '+' Entries from Shadow
- Servers – Restrict Access to .netrc Files
- Servers – Secure System Accounts
- Servers – Ensure Users' Home Directory Permissions are 750 or More Restrictive
- Servers – Ensure Users Own Their Home Directories
- Servers – Verify Security Of Dot Files
- Servers – Verify Existence of passwd Groups
- Servers – Ensure No Duplicate UIDs Exist
- Servers – Ensure No Duplicate GIDs Exist
- Servers – Ensure No Duplicate User Names Exist
- Servers – Ensure No Duplicate Group Names Exist
- Servers – Ensure Shadow Group Has No Members
- Servers – Ensure Logging is Configured
- Servers – Ensure Journald Compression is Configured
- Servers – Ensure Journald Storage is Configured to Persistent Disk
- Servers – Ensure Permissions on All Logfiles are Configured
- Servers – Verify Time Synchronization with Chrony
- Servers – Ensure Chrony is Configured
- Servers – Ensure X Window System is Not Installed
- Servers – Ensure NFS and RPC Services are Disabled
- Servers – Ensure Rsync Service is Disabled
- Servers – Ensure TCP SYN Cookies is Enabled
- Servers – Ensure IPv6 Default Deny Firewall Policy
- Servers – Ensure IPv6 Loopback Traffic is Configured
- Servers – Ensure IPv6 Outbound and Established Connections are Configured
- Servers – Verify IPv6 Open Ports Rules
- Servers – Ensure Default Deny Firewall Policy is Configured
- Servers – Ensure Loopback Traffic is Configured
- Servers – Ensure Outbound and Established Connections are Configured
- Servers – Ensure Iptables is Installed
- Servers – Ensure Packet Redirect Sending is Disabled
- Servers – Ensure Source Routed Packets are Not Accepted
- Servers – Ensure ICMP Redirects are Not Accepted
- Servers – Ensure Secure ICMP Redirects are Disabled
- Servers – Ensure Suspicious Packets Logging is Enabled
- Servers – Ensure Broadcast ICMP Requests are Ignored
- Servers – Ensure Bogus ICMP Responses are Ignored
- Servers – Ensure Reverse Path Filtering is Enabled
- Servers – Ensure Absence of IPv6 Router Advertisements
- Servers – Ensure SSH SSHD Config Permissions Are Configured
- Servers – Ensure SSH Private Host Key Permissions
- Servers – Ensure SSH Public Host Key Permissions Are Configured
- Servers – Ensure SSH Protocol is Set to 2
- Servers – Ensure SSH LogLevel is Appropriate
- Servers – Ensure SSH X11 Forwarding is Disabled
- Servers – Ensure SSH MaxAuthTries is Set to 4 or Less
- Servers – Ensure SSH IgnoreRhosts is Enabled
- Servers – Ensure SSH HostbasedAuthentication is Disabled
- Servers – Disable SSH Root Login
- Servers – Ensure SSH PermitEmptyPasswords is Disabled
- Servers – Verify SSH Strong Ciphers Strength
- Servers – Verify SSH Strong MAC Algorithms
- Servers – Verify SSH Strong Key Exchange Algorithms
- Servers – Ensure SSH Idle Timeout Interval is Configured
- Servers – Ensure SSH Login Grace Time is Configured
- Servers – Configure SSH Warning Banner
- Servers – Enable SSH PAM Authentication
- Servers – Configure SSH MaxStartups
- Servers – Verify SSH MaxSessions Configuration
- Servers – Ensure Password Creation Requirements are Configured
- Servers – Ensure Password Reuse is Limited
- Servers – Ensure Password Hashing Algorithm is SHA-512
- Servers – Ensure Password Expiration Days is 365 or Less
- Servers – Ensure Minimum Days Between Password Changes is 7 or More
- Servers – Ensure Password Expiration Warning Days is 7 or More
- Servers – Ensure Inactive Password Lock is 30 Days or Less
- Servers – Ensure All Users Last Password Change Date is in the Past
- Servers – Ensure System Accounts Are Secured
- Servers – Ensure Default Group for Root Account is GID 0
- Servers – Verify Default User Umask
- Servers – Ensure Default User Shell Timeout is 900 Seconds or Less
- Servers – Ensure Root Login is Restricted to System Console
- Servers – Ensure Access to su Command is Restricted
Servers – Disable SSH AllowTcpForwarding
Support > Fixing Checks > Server
06 March, 2026
This check ensures that SSH TCP forwarding is disabled on the server.
Allowing TCP forwarding can enable unauthorized tunneling of network traffic, which may be exploited for bypassing security controls, establishing backdoors, or exfiltrating sensitive data.
Check Details
- Resource: Server
- Check: Ensure SSH AllowTcpForwarding is disabled
- Risk: Enabled TCP forwarding can allow attackers to create encrypted tunnels for unauthorized access or data exfiltration.
Remediation Steps
- Open a terminal session with root or sudo privileges.
-
Verify current configuration:
sshd -T | grep -i allowtcpforwarding
-
Ensure the output is set to:
AllowTcpForwarding no -
Edit SSH configuration file:
sudo nano /etc/ssh/sshd_config
-
Add or modify the following line:
AllowTcpForwarding no
- Save the file and exit.
-
Restart SSH service:
sudo systemctl restart sshd
- Re-run the audit command to confirm the configuration is applied.
- Perform regular audits to ensure the setting is not reverted.