ssh_scan - verifica la configuración y la política de su servidor SSH en Linux


ssh_scan es un prototipo de escáner de políticas y configuración de SSH fácil de usar para servidores Linux y UNIX, inspirado en la Guía de seguridad OpenSSH de Mozilla, que proporciona una recomendación de política de referencia razonable para los parámetros de configuración de SSH como Ciphers, MAC , y KexAlgos y mucho más.

Tiene algunos de los siguientes beneficios:

  • It has minimal dependencies, ssh_scan only employs native Ruby and BinData to do its work, no heavy dependencies.
  • It’s portable, you can use ssh_scan in another project or for automation of tasks.
  • It’s easy to use, simply point it at an SSH service and get a JSON report of what it supports and it’s policy status.
  • It’s also configurable, you can create your own custom policies that fit your specific policy requirements.

Cómo instalar ssh_scan en Linux

Hay tres formas de instalar ssh_scan y son:

Para instalar y ejecutar como una joya, escriba:

----------- On Debian/Ubuntu ----------- 
$ sudo apt-get install ruby gem
$ sudo gem install ssh_scan

----------- On CentOS/RHEL ----------- 
# yum install ruby rubygem
# gem install ssh_scan

Para ejecutar desde un contenedor docker, escriba:

# docker pull mozilla/ssh_scan
# docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com

Para instalar y ejecutar desde la fuente, escriba:

# git clone https://github.com/mozilla/ssh_scan.git
# cd ssh_scan
# gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# curl -sSL https://get.rvm.io | bash -s stable
# rvm install 2.3.1
# rvm use 2.3.1
# gem install bundler
# bundle install
# ./bin/ssh_scan

Cómo usar ssh_scan en Linux

La sintaxis para usar ssh_scan es la siguiente:

$ ssh_scan -t ip-address
$ ssh_scan -t server-hostname

Por ejemplo, para analizar configuraciones y políticas SSH del servidor 92.168.43.198 , ingrese:

$ ssh_scan -t 192.168.43.198

Tenga en cuenta que también puede pasar un [IP/Range/Hostname] a la opción -t como se muestra en las siguientes opciones:

$ ssh_scan -t 192.168.43.198,200,205
$ ssh_scan -t test.tecmint.lan
I, [2017-05-09T10:36:17.913644 #7145]  INFO -- : You're using the latest version of ssh_scan 0.0.19
[
  {
    "ssh_scan_version": "0.0.19",
    "ip": "192.168.43.198",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu:16.04",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.2p2",
    "cookie": "68b17bcca652eeaf153ed18877770a38",
    "key_algorithms": [
      "[email protected]",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ssh-ed25519"
    ],
    "encryption_algorithms_client_to_server": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "encryption_algorithms_server_to_client": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "mac_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "mac_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email protected]"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email protected]"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "hostname": "tecmint",
    "auth_methods": [
      "publickey",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4",
        "sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa",
        "sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11"
      }
    },
    "start_time": "2017-05-09 10:36:17 +0300",
    "end_time": "2017-05-09 10:36:18 +0300",
    "scan_duration_seconds": 0.221573169,
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
        "Remove these MAC Algos: [email protected], [email protected], [email protected], hmac-sha1",
        "Remove these Authentication Methods: password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]

Puede usar -p para especificar un puerto diferente, -L para habilitar el registrador y -V para definir el nivel de verbosidad como se muestra a continuación:

$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO

Además, use un archivo de políticas personalizadas (el valor predeterminado es Mozilla Modern) con el -P o --policy [FILE] , así:

$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file

Escriba esto para ver todas las opciones de uso de ssh_scan y más ejemplos:

$ ssh_scan -h
ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan)

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log File Path]     Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -V [STD_LOGGING_LEVEL],
        --verbosity
    -v, --version                    Display just version info
    -h, --help                       Show this message

Examples:

  ssh_scan -t 192.168.1.1
  ssh_scan -t server.example.com
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t 192.168.1.1 -p 22222
  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
  ssh_scan -t 192.168.1.1 -P custom_policy.yml
  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml

Echa un vistazo a algunos artículos útiles en el servidor SSH:

  1. SSH Passwordless Login Using SSH Keygen in 5 Easy Steps
  2. 5 Best Practices to Secure SSH Server
  3. Restrict SSH User Access to Certain Directory Using Chrooted Jail
  4. How to Configure Custom SSH Connections to Simplify Remote Access

Para obtener más detalles, visite el repositorio de Gshub ssh_scan: https://github.com/mozilla/ssh_scan

En este artículo, le mostramos cómo configurar y usar ssh_scan en Linux. ¿Conoces alguna herramienta similar por ahí? Háganos saber a través del formulario de comentarios a continuación, incluyendo cualquier otra idea relacionada con esta guía.