Detections
Analytics

5.1.24 Ensure sshd ListenAddress is configured

Information

The ListenAddress parameter specifies the local addresses sshd(8) should listen on. The following forms may be used:

ListenAddress hostname|address [rdomain domain]
ListenAddress hostname:port [rdomain domain]
ListenAddress IPv4_address:port [rdomain domain]
ListenAddress [hostname|address]:port [rdomain domain]

The optional rdomain qualifier requests sshd(8) listen in an explicit routing domain. If port is not specified, sshd will listen on the address and all Port options specified. The default is to listen on all local addresses on the current default routing domain. Multiple ListenAddress options are permitted. For more information on routing domains, see rdomain(4).

Restricting sshd to specific IP address(es) reduces unnecessary network exposure and limits access to approved interfaces only, minimizing the system's attack surface.

Solution

Create or edit a *.conf file in the /etc/ssh/sshd_config.d/ directory to set the ListenAddress parameter to a private network interface above any Include entry as follows: Example:

ListenAddress 192.168.1.14:22

Impact:

If the ListenAddress is set incorrectly (wrong IP, missing interface IP, or binding only to an address not reachable by intended clients), remote SSH access may be disrupted. Ensure out-of-band/console access exists before making changes.

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 7f9c03041e7cdfe732ee44054d347167f5f08e2359550c70c55c61eb67fcd576