简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW)
Home > System Tutorial > Linux > body text

How to remotely verify SSH service configuration and policy through ssh_scan

PHPz
Release: 2024-01-05 23:12:15
forward
459 people have browsed it
Introduction ssh_scan is an easy-to-use SSH service parameter configuration and policy scanner program for Linux and UNIX servers. Its ideas come from the Mozilla OpenSSH Security Guide. This guide provides a reliable security for SSH service parameter configuration. Recommendations for policy baselines, such as encryption algorithms (Ciphers), message authentication information code algorithms (MAC), key exchange algorithms (KexAlgos) and others.

How to remotely verify SSH service configuration and policy through ssh_scan

ssh_scan has the following benefits:

  • Its dependencies are minimized, ssh_scan only introduces local Ruby and BinData to perform its work, without too many dependencies.
  • It is portable, you can use ssh_scan in other projects or use it for automated tasks.
  • It is easy to use, simply point it to an SSH service and get a JSON-formatted report of the options and policy status supported by the service.
  • It is also easy to configure, so you can create a strategy that suits your strategic needs.

Recommended reading: How to install and configure the OpenSSH service on Linux

How to install ssh_scan on Linux

There are three ways to install ssh_scan:

Use Ruby gem to install and run, as follows: 

----------- 在 Debian/Ubuntu ----------- 
$ sudo apt-get install ruby gem
$ sudo gem install ssh_scan
----------- 在 CentOS/RHEL ----------- 
# yum install ruby rubygem
# gem install ssh_scan
Copy after login

Use docker container to run, as follows: 

# docker pull mozilla/ssh_scan
# docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com
Copy after login

Use the source code to install and run, as follows: 

# git clone https://github.com/mozilla/ssh_scan.git
# cd ssh_scan
# gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# curl -sSL https://get.rvm.io | bash -s stable
# rvm install 2.3.1
# rvm use 2.3.1
# gem install bundler
# bundle install
# ./bin/ssh_scan
Copy after login
How to use ssh_scan on Linux

The syntax for using ssh_scan is as follows: 

$ ssh_scan -t ip地址
$ ssh_scan -t 主机名
Copy after login

For example, to scan the SSH configuration and policy of this server 192.168.43.198, type: 

$ ssh_scan -t 192.168.43.198
Copy after login

Note that you can also pass an [IP address/address range/host name] to the -t option as shown below: 

$ ssh_scan -t 192.168.43.198,200,205
$ ssh_scan -t test.tecmint.lan
Copy after login

Output example: 

I, [2017-05-09T10:36:17.913644 #7145]  INFO -- : You're using the latest version of ssh_scan 0.0.19
[
  {
    "ssh_scan_version": "0.0.19",
    "ip": "192.168.43.198",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu:16.04",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.2p2",
    "cookie": "68b17bcca652eeaf153ed18877770a38",
    "key_algorithms": [
      "[email protected]",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ssh-ed25519"
    ],
    "encryption_algorithms_client_to_server": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "encryption_algorithms_server_to_client": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "mac_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "mac_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email protected]"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email protected]"
    ],
    "languages_client_to_server": [
    ],
    "languages_server_to_client": [
    ],
    "hostname": "tecmint",
    "auth_methods": [
      "publickey",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4",
        "sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa",
        "sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11"
      }
    },
    "start_time": "2017-05-09 10:36:17 +0300",
    "end_time": "2017-05-09 10:36:18 +0300",
    "scan_duration_seconds": 0.221573169,
    "duplicate_host_key_ips": [
    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
        "Remove these MAC Algos: [email protected], [email protected], [email protected], hmac-sha1",
        "Remove these Authentication Methods: password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]
Copy after login

You can use the -p option to specify different ports, the -L option to enable logging, and the -V option to specify the log level: 

$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO
Copy after login

In addition, you can use the -P or --policy option to specify a policy file (the default is Mozilla Modern): 

$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file
Copy after login

ssh_scan usage help and other examples:

$ ssh_scan -h
Copy after login

Output example: 

ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan)
Usage: ssh_scan [options]
-t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
-f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
-T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
-L, --logger [Log File Path]     Enable logger
-O, --from_json [FilePath]       File to read JSON output from
-o, --output [FilePath]          File to write JSON output to
-p, --port [PORT]                Port (Default: 22)
-P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
--threads [NUMBER]           Number of worker threads (Default: 5)
--fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
--suppress-update-status     Do not check for updates
-u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
-V [STD_LOGGING_LEVEL],
--verbosity
-v, --version                    Display just version info
-h, --help                       Show this message
Examples:
ssh_scan -t 192.168.1.1
ssh_scan -t server.example.com
ssh_scan -t ::1
ssh_scan -t ::1 -T 5
ssh_scan -f hosts.txt
ssh_scan -o output.json
ssh_scan -O output.json -o rescan_output.json
ssh_scan -t 192.168.1.1 -p 22222
ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
ssh_scan -t 192.168.1.1 -P custom_policy.yml
ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
Copy after login

SSH server related reference reading:

  1. Use SSH Keygen (ssh-keygen) in five steps to implement SSH password-free login
  2. 5 Best Practices for a Secure SSH Server
  3. Use Chroot to restrict SSH users from entering certain directories
  4. How to configure an SSH connection to simplify remote login

The above is the detailed content of How to remotely verify SSH service configuration and policy through ssh_scan. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
linux linux tutorial Red Hat linux system linux command linux certification red hat linux linux video
source:linuxprobe.com
Previous article:Detailed explanation of how to use the mail command mail in CentOS Next article:Use Ansible to automate the deployment of serverless applications
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact [email protected]
Latest articles by author
Latest issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0 1 387
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0 6 468
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0 1 462
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0 0 325
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0 0 419
PX automatic conversion to REM error  <style>html {   font-size: calc(100vw / 3.75);      }...
From 2024-04-16 09:34:16
0 0 4003
PHP arrays obtained from URL parameters do not behave as expected I have a URL parameter that contains the category ID and I want to treat it as an array li...
From 2024-04-06 22:09:02
0 1 733
Move the content to the left by adding the Width property I have provided margins to the body. main {left margin: 200px; right margin: 200px; text a...
From 2024-04-06 22:01:35
0 3 526
Where should I place CustomLog directive in apache I'm using php:7.2-apachedocker. I need to disable health check url login access log. Based...
From 2024-04-06 22:03:59
0 1 651
What is the format of the variables in the return value? I am a new learner of php. I found a piece of code: if($x<time()){return[false,'error']...
From 2024-04-06 21:55:20
0 1 405
Related topics
More>
Popular recommendations
Popular Tutorials
More>
Related tutorials
Popular recommendations
Latest courses
Latest downloads
More>
web effects
Website source code
Website materials
Front end template
About us Disclaimer Sitemap
PHP Chinese website:Public welfare online PHP training,Help PHP learners grow quickly!