I'm curious about the general consensus among sysadmins regarding TCP port forwarding on SSH servers. Do many of you allow port forwarding when someone has access to the SSH server, particularly if that server is part of the wider internal network? I noticed that on most server distributions, TCP port forwarding seems to be enabled by default, and I'm wondering if that's a best practice.
5 Answers
As a non-network specialist, I think it's crucial to limit outside access. Ideally, external users should connect through a VPN before accessing internal resources. SSH can serve a similar purpose to a VPN for secure connections.
Some use cases justify port forwarding, but it should be disabled by default. It’s better to ensure you only enable it when there's a real need.
There's been a lot of chatter about this. Disabling it doesn't solve everything; if someone can execute commands, they can still bypass restrictions in other ways. We monitor it closely and allow it only for specific troubleshooting purposes.
Definitely don't allow that! Most compliance standards recommend disabling TCP port forwarding for security. It's a common rule among frameworks like CIS and STIG.
In our setup, SSH services are only active when absolutely necessary, and we avoid port forwarding unless there's a particular reason. It just minimizes risks.
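
As an added example (not part of any answer above and not code from any project), here is a short Python check for the "disabled by default, enabled only where needed" policy that several answers describe. It reads sshd_config text and lists every scope, global or Match block, where AllowTcpForwarding is not set to no; the sample config, group names and address are constructed.

```python
# Added example (not from the thread): static audit of AllowTcpForwarding in sshd_config text.
# Assumptions: whitespace-separated "Keyword argument" lines; Include files are not followed.
OPENSSH_DEFAULT = "yes"  # sshd's value when AllowTcpForwarding is never set

def audit_tcp_forwarding(config_text):
    """Return (scope, value, has_permitopen) for every scope that permits forwarding."""
    scopes = [{"name": "global", "value": None, "permitopen": False}]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":  # a Match block runs until the next Match line or EOF
            scopes.append({"name": "Match " + arg, "value": None, "permitopen": False})
        elif keyword == "allowtcpforwarding" and scopes[-1]["value"] is None:
            scopes[-1]["value"] = arg.lower()  # first value obtained in a scope wins
        elif keyword == "permitopen" and arg.lower() != "any":
            scopes[-1]["permitopen"] = True  # local-forward destinations are limited

    findings = []
    for s in scopes:
        if s["name"] == "global":
            value = s["value"] or OPENSSH_DEFAULT
        elif s["value"] is None:
            continue  # block does not override; it inherits the global setting
        else:
            value = s["value"]
        if value != "no":
            findings.append((s["name"], value, s["permitopen"]))
    return findings

# Constructed sample: forwarding off globally, re-enabled for two hypothetical groups.
SAMPLE = """\
AllowTcpForwarding no
Match Group netops
    AllowTcpForwarding local
    PermitOpen 10.0.5.20:5432
Match Group contractors
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for scope, value, limited in audit_tcp_forwarding(SAMPLE):
        note = "PermitOpen set" if limited else "no PermitOpen limit"
        print(f"{scope}: AllowTcpForwarding {value} ({note})")
```

This is a static read of one file; `sshd -T` prints the effective configuration the installed sshd would use.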
