The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-223214 | SRG-APP-000142-NDM-000245 | JUSX-DM-000114 | SV-223214r1043177_rule | 2024-12-20 | 3 |
Description
Use this configuration option to prevent a user from creating an SSH tunnel over a CLI session to the Juniper SRX via SSH. This type of tunnel could be used to forward TCP traffic, bypassing any firewall filters or ACLs, allowing unauthorized access.
ℹ️ Check
Use the CLI to view this setting for disabled for SSH.
[edit]
show system services ssh
If TCP forwarding is not disabled for the root user, this is a finding.
✔️ Fix
From the configuration mode, enter the following commands to disable TCP forwarding for the SSH protocol.
[edit]
set system services ssh no-tcp-forwarding