https://www.2daygeek.com/ssh_scan-a-prototype-ssh-configuration-and-policy-scanner-for-linux
openSSH stands for Secure Shell is an evergreen tool
to connect remote Linux server securely. Security is one of the major
task for Linux administrator that to two types, application & server
level security.
We have wrote many articles about ssh and its security, today also we are going to discuss about ssh security with help of ssh_scan application. By default ssh configuration enable vast of security options which already provide good security but still you can secure more option based on your environment and requirement.
What’s ssh_scan ssh_scan is a prototype SSH configuration and policy scanner for Linux and UNIX servers, which will scan destination host and tells you list of configured options. Also recommends possible policy, Algorithms and configuration parameters such as KexAlgorithms, Ciphers, MACs & sandbox, etc.,
To install and run as a gem, type:
For Debian/Ubuntu :
common syntax for ssh_scan
To view more options about ssh_scan.
We have wrote many articles about ssh and its security, today also we are going to discuss about ssh security with help of ssh_scan application. By default ssh configuration enable vast of security options which already provide good security but still you can secure more option based on your environment and requirement.
What’s ssh_scan ssh_scan is a prototype SSH configuration and policy scanner for Linux and UNIX servers, which will scan destination host and tells you list of configured options. Also recommends possible policy, Algorithms and configuration parameters such as KexAlgorithms, Ciphers, MACs & sandbox, etc.,
Suggested Read : PSSH – Execute Commands on Multiple Linux Servers in Parallel
ssh_scan is a free and opensource application inspired by Mozilla openssh security guidelines.
Suggested Read : rtop – A Nifty Tool to Monitor Remote Server Over SSH
Additional Key Benefits for ssh_scan
- It Uses native Ruby and BinData to scan the system and requires very minimal dependencies.
- It’s not just a script and portable application which can be used in another project or for automation of tasks.
- Simple point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
- Highly configurable so we can custom our own policies that fit our unique policy requirements.
How to Install ssh_scan in Linux
There is no official distribution package for ssh_scan but we can easily install ssh_scan on Linux through gem as well as source package.To install and run as a gem, type:
For Debian/Ubuntu :
$ sudo apt-get install ruby gem $ sudo gem install ssh_scanFor CentOS/RHEL :
$ sudo yum install ruby gem $ sudo gem install ssh_scanFor Fedora :
$ sudo dnf install ruby gem $ sudo gem install ssh_scanFor Arch Linux :
$ sudo pacman -S ruby gem $ sudo gem install ssh_scanFor openSUSE :
$ sudo zypper install ruby gem $ sudo gem install ssh_scanTo run from a docker container, type:
# docker pull mozilla/ssh_scan # docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.comTo install and run from source, type:
# git clone https://github.com/mozilla/ssh_scan.git && cd ssh_scan # gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 # curl -sSL https://get.rvm.io | bash -s stable # rvm install 2.3.1 # rvm use 2.3.1 # gem install bundler # bundle install # ./bin/ssh_scan
How to Use ssh_scan
There is no difficulty to use ssh_scan since it uses simple syntax.common syntax for ssh_scan
$ ssh_scan -t IP or IP Range $ ssh_scan -t Hostname $ ssh_scan -f hosts.txt $ ssh_scan -t IP -p 2200To scan SSH configuration and policy of server 192.168.1.100.
$ sudo ssh_scan -t 192.168.1.100
[
{
"ssh_scan_version": "0.0.20",
"ip": "192.168.1.100",
"port": 22,
"server_banner": "SSH-2.0-OpenSSH_6.6.1",
"ssh_version": 2.0,
"os": "unknown",
"os_cpe": "o:unknown",
"ssh_lib": "openssh",
"ssh_lib_cpe": "a:openssh:openssh:6.6.1",
"cookie": "cfc96dee8182b2e4f18e976900d86f8a",
"key_algorithms": [
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group-exchange-sha1",
"diffie-hellman-group14-sha1",
"diffie-hellman-group1-sha1"
],
"server_host_key_algorithms": [
"ssh-rsa",
"ecdsa-sha2-nistp256"
],
"encryption_algorithms_client_to_server": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"arcfour256",
"arcfour128",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"chacha20-poly1305@openssh.com",
"aes128-cbc",
"3des-cbc",
"blowfish-cbc",
"cast128-cbc",
"aes192-cbc",
"aes256-cbc",
"arcfour",
"rijndael-cbc@lysator.liu.se"
],
"encryption_algorithms_server_to_client": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"arcfour256",
"arcfour128",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"chacha20-poly1305@openssh.com",
"aes128-cbc",
"3des-cbc",
"blowfish-cbc",
"cast128-cbc",
"aes192-cbc",
"aes256-cbc",
"arcfour",
"rijndael-cbc@lysator.liu.se"
],
"mac_algorithms_client_to_server": [
"hmac-md5-etm@openssh.com",
"hmac-sha1-etm@openssh.com",
"umac-64-etm@openssh.com",
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-ripemd160-etm@openssh.com",
"hmac-sha1-96-etm@openssh.com",
"hmac-md5-96-etm@openssh.com",
"hmac-md5",
"hmac-sha1",
"umac-64@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-ripemd160",
"hmac-ripemd160@openssh.com",
"hmac-sha1-96",
"hmac-md5-96"
],
"mac_algorithms_server_to_client": [
"hmac-md5-etm@openssh.com",
"hmac-sha1-etm@openssh.com",
"umac-64-etm@openssh.com",
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-ripemd160-etm@openssh.com",
"hmac-sha1-96-etm@openssh.com",
"hmac-md5-96-etm@openssh.com",
"hmac-md5",
"hmac-sha1",
"umac-64@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-ripemd160",
"hmac-ripemd160@openssh.com",
"hmac-sha1-96",
"hmac-md5-96"
],
"compression_algorithms_client_to_server": [
"none",
"zlib@openssh.com"
],
"compression_algorithms_server_to_client": [
"none",
"zlib@openssh.com"
],
"languages_client_to_server": [
],
"languages_server_to_client": [
],
"hostname": "100.ip-192-168-1.net",
"auth_methods": [
"publickey",
"gssapi-keyex",
"gssapi-with-mic",
"password"
],
"fingerprints": {
"rsa": {
"known_bad": "false",
"md5": "ca:fc:0e:90:e0:91:dc:f3:47:63:8f:27:8c:f7:1e:a2",
"sha1": "19:60:a2:2e:72:d7:01:32:fa:a8:8f:ae:6c:d3:b1:2c:b3:26:47:a9",
"sha256": "b4:96:56:a9:26:62:09:12:8c:43:d5:cc:96:4b:d2:4f:1b:0d:64:67:f9:07:4c:50:1f:c2:49:d3:c2:3e:83:f4"
}
},
"start_time": "2017-05-18 15:40:50 +0530",
"end_time": "2017-05-18 15:40:54 +0530",
"scan_duration_seconds": 4.246350176,
"duplicate_host_key_ips": [
],
"compliance": {
"policy": "Mozilla Modern",
"compliant": false,
"recommendations": [
"Remove these Key Exchange Algos: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
"Remove these MAC Algos: hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
"Remove these Encryption Ciphers: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se",
"Remove these Authentication Methods: gssapi-keyex, gssapi-with-mic, password"
],
"references": [
"https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
]
}
}
]
Additionally you can pass more than one IP in single shot.$ ssh_scan -t 192.168.1.100,101,102Also you can pass hostname instead of IP address.
$ ssh_scan -t server.2daygeek.comTo get input from file.
$ ssh_scan -f hosts.txtTo scan non standard port ssh server.
$ ssh_scan -t 192.168.1.100 -p 2200
$ ssh_scan -h
No comments:
Post a Comment