Disabling SSH TCP forwarding prevents users from tunneling arbitrary TCP traffic through SSH sessions, closing off an easy way to bypass firewalls, egress controls, and network monitoring. Restricting forwarding is especially useful on bastion hosts, jump servers, and multi-user systems where shell access is allowed but network paths must remain tightly controlled.

In OpenSSH, TCP forwarding behavior is controlled on the server by directives in /etc/ssh/sshd_config such as AllowTcpForwarding and PermitOpen. These directives determine whether local and remote port forwarding are permitted at all, and optionally which destination host and port pairs can be reached through those tunnels. Settings can be applied globally or refined in Match blocks for specific users, groups, or source addresses.

Changing forwarding policy affects every SSH session handled by sshd and can break workflows that rely on tunnels, including database access, SOCKS proxies, or custom port mappings. Configuration changes should therefore be staged with a fallback access path, validated with sshd -t before restarting the service, and verified from a separate client to confirm that forwarding is truly blocked without locking out required access.

Steps to disable SSH TCP forwarding:

  1. Open a terminal on the target Linux server using an account with sudo privileges.
    $ whoami
    admin
  2. Create a backup of the current /etc/ssh/sshd_config file for rollback.
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
    $ ls -l /etc/ssh/sshd_config*
    -rw-r----- 1 root root 3182 May 13 10:00 /etc/ssh/sshd_config
    -rw-r----- 1 root root 3182 May 13 10:02 /etc/ssh/sshd_config.backup

    The backup copy allows quick restoration if a configuration error prevents sshd from starting.

  3. Open the SSH daemon configuration file in a text editor such as nano.
    $ sudo nano /etc/ssh/sshd_config

    Incorrect syntax in /etc/ssh/sshd_config can stop sshd from starting and block new SSH logins until the file is fixed.

  4. Locate any existing AllowTcpForwarding directive and change its value to no, or add a new line in the global (non-Match) section, above any Match lines, because every directive after a Match line belongs to that block rather than to the global policy.
    /etc/ssh/sshd_config
    AllowTcpForwarding no

    AllowTcpForwarding no disables both local and remote TCP forwarding for sessions that use the global configuration unless a later Match block overrides it.

  5. Optionally enforce that no forwarding destinations are allowed by setting PermitOpen to none.
    /etc/ssh/sshd_config
    PermitOpen none

    PermitOpen limits which host:port destinations a client may reach through local forwarding (ssh -L and -D); setting it to none blocks every destination for sessions that use this stanza. Remote forwarding (ssh -R) is governed by AllowTcpForwarding and PermitListen, not by PermitOpen.

  6. Optionally enable TCP forwarding only for specific accounts by combining the global disable with a Match User block that re-enables forwarding for selected users.
    /etc/ssh/sshd_config
    AllowTcpForwarding no
    PermitOpen none
    
    Match User tunneluser
        AllowTcpForwarding yes
        PermitOpen localhost:5432

    Ensuring forwarding is enabled only where strictly required reduces the attack surface of bastion hosts and shared administrative accounts.

  7. Save the changes in the editor and close the file so that /etc/ssh/sshd_config on disk reflects the new directives.
  8. Validate the SSH daemon configuration syntax before restarting the service.
    $ sudo sshd -t

    No output from sshd -t indicates that the configuration is syntactically valid.

  9. Restart the SSH service to apply the updated forwarding policy.
    $ sudo systemctl restart ssh

    On some distributions the service name is sshd instead of ssh, for example sudo systemctl restart sshd.

  10. Confirm that the SSH service is running after the restart.
    $ sudo systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2025-12-11 10:15:01 UTC; 5s ago
    ##### snipped #####
  11. From a separate client host, attempt to establish a TCP tunnel and verify that forwarding is rejected.
    $ ssh -L 8080:example.com:80 user@server
    channel 0: open failed: administratively prohibited: open failed

    The administratively prohibited error confirms that SSH TCP forwarding is disabled by the server configuration. The session itself still opens; sshd reports the error when a connection is attempted through the forwarded port, so connect to the local port (here 8080) if the message does not appear immediately.
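The steps above change the file and then test the live daemon. The script below is an added example, not part of the original article, for reviewing a proposed sshd_config before it is installed: it emulates how sshd resolves AllowTcpForwarding and PermitOpen for a given login name (first value in a matching Match block wins, then first value in the global section, then the OpenSSH default) and reports whether local and remote forwarding would be refused. It assumes a simplified parser that evaluates only "Match User <names>" and "Match all" criteria; the two configurations it checks are constructed samples, one mirroring step 6 and one showing what happens when the "no" lines are appended after the Match block.

```shell
#!/bin/sh
# Added audit helper, not from the original article. Simplification: only
# "Match User <names>" and "Match all" criteria are evaluated; any other
# Match line is treated as not matching. On a live host the authoritative
# check is:  sudo sshd -T -C user=tunneluser,addr=203.0.113.10,host=bastion

# effective_value CONFIG KEYWORD USER DEFAULT
# Prints the value sshd would apply for USER: first value in a matching
# Match block, else first value in the global section, else DEFAULT.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v user="$3" -v dflt="$4" '
    {
        sub(/#.*/, "")                  # drop comments (re-splits fields)
        if ($0 ~ /^[ \t]*$/) next       # skip blank lines
        kw = tolower($1)
        if (kw == "match") {            # enter a new Match block
            in_match = 1; matched = 0
            if (tolower($2) == "all") matched = 1
            else if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) matched = 1
            }
            next
        }
        if (kw != key) next
        val = tolower($2)
        for (i = 3; i <= NF; i++) val = val " " tolower($i)
        if (in_match) { if (matched && !("m" in seen)) { seen["m"] = 1; mval = val } }
        else if (!("g" in seen)) { seen["g"] = 1; gval = val }
    }
    END {
        if ("m" in seen) print mval
        else if ("g" in seen) print gval
        else print dflt
    }' "$1"
}

# local_forwarding_blocked CONFIG USER
# Exit 0 when ssh -L / -D tunnels would be refused: AllowTcpForwarding is
# "no" or "remote", or PermitOpen is "none" (PermitOpen governs only the
# destinations of local forwards).
local_forwarding_blocked() {
    atf=$(effective_value "$1" AllowTcpForwarding "$2" yes)
    po=$(effective_value "$1" PermitOpen "$2" any)
    [ "$atf" = "no" ] || [ "$atf" = "remote" ] || [ "$po" = "none" ]
}

# remote_forwarding_blocked CONFIG USER
# Exit 0 when ssh -R tunnels would be refused (AllowTcpForwarding no or local).
remote_forwarding_blocked() {
    atf=$(effective_value "$1" AllowTcpForwarding "$2" yes)
    [ "$atf" = "no" ] || [ "$atf" = "local" ]
}

# report CONFIG USER: one summary line per user for the reviewer to read.
report() {
    if local_forwarding_blocked "$1" "$2"; then l=blocked
    else l="allowed (PermitOpen $(effective_value "$1" PermitOpen "$2" any))"; fi
    if remote_forwarding_blocked "$1" "$2"; then r=blocked; else r=allowed; fi
    printf '%s: local=%s remote=%s\n' "$2" "$l" "$r"
}

# Two constructed sample configurations (not real host files).
# GOOD_CFG mirrors step 6 of the article. BAD_CFG shows the ordering pitfall:
# the "no" lines were appended after the Match block, so they apply only to
# tunneluser and every other user keeps the OpenSSH default of "yes".
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
AllowTcpForwarding no
PermitOpen none

Match User tunneluser
    AllowTcpForwarding yes
    PermitOpen localhost:5432
EOF
cat > "$BAD_CFG" <<'EOF'
Match User tunneluser
    PermitOpen localhost:5432
AllowTcpForwarding no     # still inside the Match block, not global
PermitOpen none
EOF

echo "intended layout:";  for u in alice tunneluser; do report "$GOOD_CFG" "$u"; done
echo "misplaced layout:"; for u in alice tunneluser; do report "$BAD_CFG" "$u"; done
```

In the intended layout alice is fully blocked and tunneluser may open local forwards only to localhost:5432; in the misplaced layout the result is inverted, which is exactly the mistake sshd -t cannot catch because the file is still syntactically valid. Run the real daemon's view with sshd -T -C for each user class you care about before restarting the service.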
