How to remotely verify the configuration and policy of SSH service by ssh_scan in linux

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how to use ssh_scan on Linux to remotely verify the configuration and policy of an SSH service. The content is straightforward and well organized, and it should help you resolve any doubts about the tool.

ssh_scan is an easy-to-use scanner for the parameter configuration and policy of the SSH service on Linux and UNIX servers. The idea comes from the Mozilla OpenSSH Security Guide, which provides a reliable security-policy baseline for SSH service parameters such as the encryption algorithms (Ciphers), message authentication code algorithms (MACs), key exchange algorithms (KexAlgorithms) and others.

ssh_scan has the following benefits:

Its dependencies are minimal: ssh_scan relies only on native Ruby and BinData to do its work, without pulling in many other libraries.

It is portable, and you can use ssh_scan in other projects or on automated tasks.

It is easy to use: you simply point it at an SSH service to get a JSON report on the options and policies that service supports.

It is also easy to configure: you can create policies that suit your own needs.

Recommended reading: how to install and configure the OpenSSH service on Linux

How to install ssh_scan on Linux

There are three ways to install ssh_scan:

Install and run it as a Ruby gem, as follows:

# on Debian/Ubuntu (the ruby package provides the gem command)
$ sudo apt-get install ruby
$ sudo gem install ssh_scan

# on CentOS/RHEL
# yum install ruby rubygems
# gem install ssh_scan

Run it from the Docker container, as follows:

# docker pull mozilla/ssh_scan
# docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com

Install and run it from source, as follows:

# git clone https://github.com/mozilla/ssh_scan.git
# cd ssh_scan
# gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# curl -sSL https://get.rvm.io | bash -s stable
# rvm install 2.3.1
# rvm use 2.3.1
# gem install bundler
# bundle install
# ./bin/ssh_scan

How to use ssh_scan on Linux

The syntax for using ssh_scan is as follows:

$ ssh_scan -t <ip address>
$ ssh_scan -t <hostname>

For example, to scan the SSH configuration and policy for the server 192.168.43.198, type:

$ ssh_scan -t 192.168.43.198

Note that you can also pass an IP address, an IP range or a hostname to the -t option, as shown below:

$ ssh_scan -t 192.168.43.198,200,205
$ ssh_scan -t test.tecmint.lan

Sample output:

I, [2017-05-09T10:36:17.913644 #7145]  INFO -- : You're using the latest version of ssh_scan 0.0.19
[
  {
    "ssh_scan_version": "0.0.19",
    "ip": "192.168.43.198",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu:16.04",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.2p2",
    "cookie": "68b17bcca652eeaf153ed18877770a38",
    "key_algorithms": [
      "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ssh-ed25519"
    ],
    "encryption_algorithms_client_to_server": [
      "chacha20-poly1305@openssh.com",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "encryption_algorithms_server_to_client": [
      "chacha20-poly1305@openssh.com",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "mac_algorithms_client_to_server": [
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "mac_algorithms_server_to_client": [
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
    "hostname": "tecmint",
    "auth_methods": ["publickey", "password"],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4",
        "sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa",
        "sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11"
      }
    },
    "start_time": "2017-05-09 10:36:17 +0300",
    "end_time": "2017-05-09 10:36:18 +0300",
    "scan_duration_seconds": 0.221573169,
    "duplicate_host_key_ips": [],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
        "Remove these MAC Algos: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1",
        "Remove these Authentication Methods: password"
      ],
      "references": ["https://wiki.mozilla.org/Security/Guidelines/OpenSSH"]
    }
  }
]

You can use the -p option to specify a different port, the -L option to enable logging, and the -V option to set the log level:

$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO

In addition, you can use the -P or --policy option to specify a policy file (the default is Mozilla Modern; LCTT translation note: "Modern" here likely refers to the Modern compatibility level described at https://wiki.mozilla.org/Security/Server_Side_TLS):

$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file
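The "compliance" block in the report above is produced by comparing what the server offers against an allow-list policy such as the one selected with -P. The following added example (not code from ssh_scan or the article) reproduces that check in Python over a constructed excerpt of the sample report; the POLICY dict is an assumed stand-in for a policy file, not ssh_scan's own policy format.

```python
import json

# Constructed excerpt of the ssh_scan JSON report shown above (one host; fields
# that play no part in the policy check are omitted).
SAMPLE_REPORT = json.loads("""[{
  "ip": "192.168.43.198", "port": 22,
  "key_algorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
  "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com"],
  "mac_algorithms_client_to_server": ["umac-64-etm@openssh.com",
    "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256",
    "hmac-sha2-512", "hmac-sha1"],
  "auth_methods": ["publickey", "password"]}]""")

# Assumed allow-list policy: a stand-in for a -P policy file, not ssh_scan's
# own format. Anything the server offers that is not listed here is flagged.
POLICY = {
    "key_algorithms": {"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                       "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                       "diffie-hellman-group-exchange-sha256"},
    "encryption_algorithms_client_to_server": {"chacha20-poly1305@openssh.com",
        "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
        "aes256-gcm@openssh.com"},
    "mac_algorithms_client_to_server": {"umac-128-etm@openssh.com",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512"},
    "auth_methods": {"publickey"},
}

# Report field -> wording used in the recommendation line, in report order.
CHECKS = [("key_algorithms", "Key Exchange Algos"),
          ("encryption_algorithms_client_to_server", "Encryption Algos"),
          ("mac_algorithms_client_to_server", "MAC Algos"),
          ("auth_methods", "Authentication Methods")]

def check_host(host, policy):
    """Compare one scanned host against the allow-list; keep the server's order."""
    recs = []
    for field, label in CHECKS:
        bad = [a for a in host.get(field, []) if a not in policy[field]]
        if bad:  # a missing field means the server offered nothing to flag
            recs.append(f"Remove these {label}: {', '.join(bad)}")
    return {"compliant": not recs, "recommendations": recs}

def check_report(report, policy):
    """Map every host in an ssh_scan report (a JSON list) to its verdict."""
    return {h["ip"]: check_host(h, policy) for h in report}
```

Run it with print(json.dumps(check_report(SAMPLE_REPORT, POLICY), indent=2)) to see the same three recommendations the sample report lists.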

ssh_scan usage help and other examples:

$ ssh_scan -h

Sample output:

ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan)

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            FilePath of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log FilePath]      Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -V [STD_LOGGING_LEVEL],
        --verbosity
    -v, --version                    Display just version info
    -h, --help                       Show this message

Examples:

  ssh_scan -t 192.168.1.1
  ssh_scan -t server.example.com
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t 192.168.1.1 -p 22222
  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
  ssh_scan -t 192.168.1.1 -P custom_policy.yml
  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml


© 2024 shulou.com SLNews company. All rights reserved.
