Wednesday, January 10, 2018

ssh_scan: A Prototype SSH Configuration And Policy Scanner For Linux

https://www.2daygeek.com/ssh_scan-a-prototype-ssh-configuration-and-policy-scanner-for-linux

OpenSSH (Secure Shell) is an evergreen tool for connecting securely to remote Linux servers. Security is one of the major tasks of a Linux administrator, and it falls into two types: application-level and server-level security.
We have written many articles about SSH and its security; today we are going to discuss SSH security with the help of the ssh_scan application. The default SSH configuration enables a wide range of security options, which already provide good security, but you can still tighten more options based on your environment and requirements.

What's ssh_scan

ssh_scan is a prototype SSH configuration and policy scanner for Linux and UNIX servers. It scans the destination host and lists the options configured on it. It also recommends policy changes covering algorithms and configuration parameters such as KexAlgorithms, Ciphers, MACs, sandbox, etc.
ssh_scan is a free and open-source application inspired by the Mozilla OpenSSH security guidelines.

Additional Key Benefits for ssh_scan

  • It uses native Ruby and BinData to scan the system and requires very minimal dependencies.
  • It is not just a script but a portable application that can be used in another project or for automating tasks.
  • Simply point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
  • Highly configurable, so we can write custom policies that fit our unique policy requirements.

How to Install ssh_scan in Linux

There is no official distribution package for ssh_scan, but it can easily be installed on Linux through gem or from source.
To install and run as a gem, type:
For Debian/Ubuntu :
$ sudo apt-get install ruby gem
$ sudo gem install ssh_scan
For CentOS/RHEL :
$ sudo yum install ruby gem
$ sudo gem install ssh_scan
For Fedora :
$ sudo dnf install ruby gem
$ sudo gem install ssh_scan
For Arch Linux :
$ sudo pacman -S ruby gem
$ sudo gem install ssh_scan
For openSUSE :
$ sudo zypper install ruby gem
$ sudo gem install ssh_scan
To run from a docker container, type:
# docker pull mozilla/ssh_scan
# docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com
To install and run from source, type:
# git clone https://github.com/mozilla/ssh_scan.git && cd ssh_scan
# gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# curl -sSL https://get.rvm.io | bash -s stable
# rvm install 2.3.1
# rvm use 2.3.1
# gem install bundler
# bundle install
# ./bin/ssh_scan

How to Use ssh_scan

ssh_scan is easy to use because its syntax is simple.
Common syntax for ssh_scan:
$ ssh_scan -t IP or IP Range
$ ssh_scan -t Hostname
$ ssh_scan -f hosts.txt
$ ssh_scan -t IP -p 2200
To scan the SSH configuration and policy of server 192.168.1.100:
$ sudo ssh_scan -t 192.168.1.100
[
  {
    "ssh_scan_version": "0.0.20",
    "ip": "192.168.1.100",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_6.6.1",
    "ssh_version": 2.0,
    "os": "unknown",
    "os_cpe": "o:unknown",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:6.6.1",
    "cookie": "cfc96dee8182b2e4f18e976900d86f8a",
    "key_algorithms": [
      "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group-exchange-sha1",
      "diffie-hellman-group14-sha1",
      "diffie-hellman-group1-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "ecdsa-sha2-nistp256"
    ],
    "encryption_algorithms_client_to_server": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "arcfour256",
      "arcfour128",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com",
      "chacha20-poly1305@openssh.com",
      "aes128-cbc",
      "3des-cbc",
      "blowfish-cbc",
      "cast128-cbc",
      "aes192-cbc",
      "aes256-cbc",
      "arcfour",
      "rijndael-cbc@lysator.liu.se"
    ],
    "encryption_algorithms_server_to_client": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "arcfour256",
      "arcfour128",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com",
      "chacha20-poly1305@openssh.com",
      "aes128-cbc",
      "3des-cbc",
      "blowfish-cbc",
      "cast128-cbc",
      "aes192-cbc",
      "aes256-cbc",
      "arcfour",
      "rijndael-cbc@lysator.liu.se"
    ],
    "mac_algorithms_client_to_server": [
      "hmac-md5-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-ripemd160-etm@openssh.com",
      "hmac-sha1-96-etm@openssh.com",
      "hmac-md5-96-etm@openssh.com",
      "hmac-md5",
      "hmac-sha1",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-ripemd160",
      "hmac-ripemd160@openssh.com",
      "hmac-sha1-96",
      "hmac-md5-96"
    ],
    "mac_algorithms_server_to_client": [
      "hmac-md5-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-ripemd160-etm@openssh.com",
      "hmac-sha1-96-etm@openssh.com",
      "hmac-md5-96-etm@openssh.com",
      "hmac-md5",
      "hmac-sha1",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-ripemd160",
      "hmac-ripemd160@openssh.com",
      "hmac-sha1-96",
      "hmac-md5-96"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "zlib@openssh.com"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "zlib@openssh.com"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "hostname": "100.ip-192-168-1.net",
    "auth_methods": [
      "publickey",
      "gssapi-keyex",
      "gssapi-with-mic",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "ca:fc:0e:90:e0:91:dc:f3:47:63:8f:27:8c:f7:1e:a2",
        "sha1": "19:60:a2:2e:72:d7:01:32:fa:a8:8f:ae:6c:d3:b1:2c:b3:26:47:a9",
        "sha256": "b4:96:56:a9:26:62:09:12:8c:43:d5:cc:96:4b:d2:4f:1b:0d:64:67:f9:07:4c:50:1f:c2:49:d3:c2:3e:83:f4"
      }
    },
    "start_time": "2017-05-18 15:40:50 +0530",
    "end_time": "2017-05-18 15:40:54 +0530",
    "scan_duration_seconds": 4.246350176,
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
        "Remove these MAC Algos: hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
        "Remove these Encryption Ciphers: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se",
        "Remove these Authentication Methods: gssapi-keyex, gssapi-with-mic, password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]
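
As an added example (not part of the original article or of ssh_scan itself), the Ruby script below turns the compliance recommendations from a JSON report like the one above into sshd_config lines by subtracting the flagged algorithms from what the server offers. SAMPLE_REPORT, ALGO_MAP and hardening_lines are hypothetical names constructed for this illustration.

```ruby
require 'json'

# Constructed sample: trimmed ssh_scan report reusing the field names and
# recommendation wording from the scan output above.
SAMPLE_REPORT = <<~REPORT
  [{"ip": "192.168.1.100",
    "key_algorithms": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    "encryption_algorithms_client_to_server": ["aes256-ctr", "chacha20-poly1305@openssh.com", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-512-etm@openssh.com", "hmac-md5"],
    "compliance": {"policy": "Mozilla Modern", "compliant": false, "recommendations": [
      "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
      "Remove these MAC Algos: hmac-md5",
      "Remove these Encryption Ciphers: 3des-cbc",
      "Remove these Authentication Methods: gssapi-keyex, password"]}}]
REPORT

# Recommendation label => [report field with the offered list, sshd_config keyword].
# Assumption: sshd takes one list per keyword, so the client_to_server list is used.
ALGO_MAP = {
  'Key Exchange Algos' => %w[key_algorithms KexAlgorithms],
  'Encryption Ciphers' => %w[encryption_algorithms_client_to_server Ciphers],
  'MAC Algos'          => %w[mac_algorithms_client_to_server MACs]
}.freeze

# Returns { ip => [sshd_config lines] } for each non-compliant host in the report.
def hardening_lines(report_json)
  JSON.parse(report_json).each_with_object({}) do |host, out|
    compliance = host['compliance'] || {}
    next if compliance['compliant']
    lines = []
    (compliance['recommendations'] || []).each do |rec|
      m = rec.match(/\ARemove these (.+?): (.+)\z/)
      next unless m
      label = m[1]
      flagged = m[2].split(/,\s*/)
      field, keyword = ALGO_MAP[label]
      if field
        keep = (host[field] || []) - flagged
        # An empty list would lock every client out: flag it instead of emitting it.
        lines << (keep.empty? ? "# #{keyword}: nothing left, review by hand" : "#{keyword} #{keep.join(',')}")
      elsif label == 'Authentication Methods'
        lines << 'PasswordAuthentication no' if flagged.include?('password')
        lines << 'GSSAPIAuthentication no' if flagged.any? { |a| a.start_with?('gssapi') }
      end
    end
    out[host['ip']] = lines
  end
end

hardening_lines(SAMPLE_REPORT).each { |ip, l| puts "# #{ip}", l } if __FILE__ == $PROGRAM_NAME
```

Check the resulting sshd_config with `sshd -t` and keep an existing session open before reloading the daemon, since a wrong algorithm list can lock clients out.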

You can also pass more than one IP in a single run.
$ ssh_scan -t 192.168.1.100,101,102
You can also pass a hostname instead of an IP address.
$ ssh_scan -t server.2daygeek.com
To read the targets from a file:
$ ssh_scan -f hosts.txt
To scan an SSH server on a non-standard port:
$ ssh_scan -t 192.168.1.100 -p 2200
To view more ssh_scan options:
$ ssh_scan -h
