Linux

ssh_scan: A SSH configuration and policy scanner for Linux and UNIX server

The SSH (“Secure Shell”) protocol is a method for secure remote login from one system to another. Sysadmins and users use a secure channel over an unsecured network in a client-server architecture format for connecting an SSH client with an SSH server. Security ssh server is an important task. There is a tool called ssh_scan from Mozilla which act as a prototype SSH configuration and policy scanner for your SSHD.

Benefits of ssh_scan

From the project home page:

  1. Minimal Dependancies – Uses native Ruby and BinData to do its work, no heavy dependancies.
  2. Not Just a Script – Implementation is portable for use in another project or for automation of tasks.
  3. Simple – Just point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
  4. Configurable – Make your own custom policies that fit your unique policy requirements.

Install dependancies

Type the following apt-get command/apt command to install ruby and gem on Debian/Ubuntu Linux:
$ sudo apt-get install ruby gem
Sample outputs:

Fig.01: Install ruby and gem
Fig.01: Install ruby and gem

Install ssh_scan

Type the following command to install ssh_scan as a gem:
$ sudo gem install ssh_scan
Sample outputs:

Fig.02: Installing ssh_scan using a gem
Fig.02: Installing ssh_scan using a gem

How do I use ssh_scan?

The syntax is:
$ ssh_scan -t ip
$ ssh_scan -t server
$ ssh_scan -t server1.cyberciti.biz

For example scan a ssh server installed at 192.168.2.15, enter:
$ ssh_scan -t 192.168.2.15
Sample outputs:

I, [2017-04-25T16:12:11.019160 #32317]  INFO -- : You're using the latest version of ssh_scan 0.0.19
[
  {
    "ssh_scan_version": "0.0.19",
    "ip": "192.168.2.15",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.4p1 Ubuntu-10",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.4p1",
    "cookie": "82d7cc908765f03154b10d5cdf14195a",
    "key_algorithms": [
      "curve25519-sha256",
      "[email protected]",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ssh-ed25519"
    ],
    "encryption_algorithms_client_to_server": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "encryption_algorithms_server_to_client": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "mac_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "mac_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email protected]"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email protected]"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "hostname": "m6700",
    "auth_methods": [
      "publickey",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "1d:14:84:f0:c7:21:10:0e:30:d9:f9:59:6b:c3:95:97",
        "sha1": "70:ac:7c:2c:94:54:aa:09:f2:58:f3:48:f0:9e:f2:a0:a2:37:f1:0a",
        "sha256": "6d:d8:20:c6:8e:e7:db:0d:94:9d:34:66:ba:b7:9c:68:8a:ea:79:19:a6:0d:76:cc:ec:fe:82:21:68:a5:64:74"
      }
    },
    "start_time": "2017-04-25 16:12:11 +0000",
    "end_time": "2017-04-25 16:12:11 +0000",
    "scan_duration_seconds": 0.118730486,
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: curve25519-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1",
        "Remove these MAC Algos: [email protected], [email protected], [email protected], hmac-sha1",
        "Remove these Authentication Methods: password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]

To see all other options, enter:
$ ssh_scan -h
Sample outputs:

ssh_scan v0.0.19 (https://github.com/mozilla/ssh_scan)

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log File Path]     Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -V [STD_LOGGING_LEVEL],
        --verbosity
    -v, --version                    Display just version info
    -h, --help                       Show this message

Examples:

  ssh_scan -t 192.168.1.1
  ssh_scan -t server.example.com
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t 192.168.1.1 -p 22222
  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
  ssh_scan -t 192.168.1.1 -P custom_policy.yml
  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml

How do I secure and optimize my OpenSSH server?

  1. OpenSSH Security Best Practices
  2. For providing a sane baseline policy recommendation for SSH configuration parameters see this page

Source

Advertisements

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our privacy policy.