ssh_scan: A Prototype SSH configuration and policy scanner for Linux

OpenSSH (Secure Shell) is an evergreen tool for connecting to remote Linux servers securely. Security is one of the major tasks for a Linux administrator, and it falls into two types: application-level and server-level security.

We have written many articles about SSH and its security, and today we are going to discuss SSH security with the help of the ssh_scan application. The default SSH configuration enables many security options that already provide good security, but you can still tighten more options based on your environment and requirements.

What’s ssh_scan?

ssh_scan is a prototype SSH configuration and policy scanner for Linux and UNIX servers. It scans the destination host and lists the options the server is configured with. It also recommends changes to policy, algorithms and configuration parameters such as KexAlgorithms, Ciphers, MACs and sandbox.

ssh_scan is a free and open source application inspired by the Mozilla OpenSSH security guidelines.

Additional key benefits of ssh_scan

  • It uses native Ruby and BinData to do its work and requires very few dependencies.
  • It is not just a script but a portable application that can be used in another project or to automate tasks.
  • Simply point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
  • It is highly configurable, so we can write custom policies that fit our own policy requirements.

How to install ssh_scan in Linux?

There is no official distribution package for ssh_scan, but we can easily install it on Linux as a gem or from source.

To install and run as a gem, type:

For Debian/Ubuntu :

$ sudo apt-get install ruby
$ sudo gem install ssh_scan

For CentOS/RHEL :

$ sudo yum install ruby rubygems
$ sudo gem install ssh_scan

For Fedora :

$ sudo dnf install ruby rubygems
$ sudo gem install ssh_scan

For Arch Linux :

$ sudo pacman -S ruby
$ sudo gem install ssh_scan

For openSUSE :

$ sudo zypper install ruby
$ sudo gem install ssh_scan

To run from a Docker container, type:

# docker pull mozilla/ssh_scan
# docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com

To install and run from source, type:

# git clone https://github.com/mozilla/ssh_scan.git && cd ssh_scan
# gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# curl -sSL https://get.rvm.io | bash -s stable
# rvm install 2.3.1
# rvm use 2.3.1
# gem install bundler
# bundle install
# ./bin/ssh_scan

How to use ssh_scan?

ssh_scan is easy to use since it has a simple syntax.

Common syntax for ssh_scan:

$ ssh_scan -t IP or IP Range
$ ssh_scan -t Hostname
$ ssh_scan -f hosts.txt
$ ssh_scan -t IP -p 2200

To scan the SSH configuration and policy of server 192.168.1.100:

$ sudo ssh_scan -t 192.168.1.100
[
  {
    "ssh_scan_version": "0.0.20",
    "ip": "192.168.1.100",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_6.6.1",
    "ssh_version": 2.0,
    "os": "unknown",
    "os_cpe": "o:unknown",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:6.6.1",
    "cookie": "cfc96dee8182b2e4f18e976900d86f8a",
    "key_algorithms": [
      "[email protected]",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group-exchange-sha1",
      "diffie-hellman-group14-sha1",
      "diffie-hellman-group1-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "ecdsa-sha2-nistp256"
    ],
    "encryption_algorithms_client_to_server": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "arcfour256",
      "arcfour128",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "aes128-cbc",
      "3des-cbc",
      "blowfish-cbc",
      "cast128-cbc",
      "aes192-cbc",
      "aes256-cbc",
      "arcfour",
      "[email protected]"
    ],
    "encryption_algorithms_server_to_client": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "arcfour256",
      "arcfour128",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "aes128-cbc",
      "3des-cbc",
      "blowfish-cbc",
      "cast128-cbc",
      "aes192-cbc",
      "aes256-cbc",
      "arcfour",
      "[email protected]"
    ],
    "mac_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-md5",
      "hmac-sha1",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-ripemd160",
      "[email protected]",
      "hmac-sha1-96",
      "hmac-md5-96"
    ],
    "mac_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-md5",
      "hmac-sha1",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-ripemd160",
      "[email protected]",
      "hmac-sha1-96",
      "hmac-md5-96"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email protected]"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email protected]"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "hostname": "100.ip-192-168-1.net",
    "auth_methods": [
      "publickey",
      "gssapi-keyex",
      "gssapi-with-mic",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "ca:fc:0e:90:e0:91:dc:f3:47:63:8f:27:8c:f7:1e:a2",
        "sha1": "19:60:a2:2e:72:d7:01:32:fa:a8:8f:ae:6c:d3:b1:2c:b3:26:47:a9",
        "sha256": "b4:96:56:a9:26:62:09:12:8c:43:d5:cc:96:4b:d2:4f:1b:0d:64:67:f9:07:4c:50:1f:c2:49:d3:c2:3e:83:f4"
      }
    },
    "start_time": "2017-05-18 15:40:50 +0530",
    "end_time": "2017-05-18 15:40:54 +0530",
    "scan_duration_seconds": 4.246350176,
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
        "Remove these MAC Algos: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], hmac-md5, hmac-sha1, [email protected], hmac-ripemd160, [email protected], hmac-sha1-96, hmac-md5-96",
        "Remove these Encryption Ciphers: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, [email protected]",
        "Remove these Authentication Methods: gssapi-keyex, gssapi-with-mic, password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]
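
The JSON report lends itself to automation. The following Ruby script is an added example, not code from the original article or the ssh_scan project: for each host the report marks non-compliant, it turns the recommendations into the KexAlgorithms, Ciphers and MACs lines that keep only what the server offered and the policy allows. The `hardening_plan` helper, the hosts and the trimmed sample report are constructed for illustration; the field names are the ones shown in the output above.

```ruby
require 'json'

# Constructed sample: a trimmed report using the field names from the output
# above. Hosts and values are illustrative, not a real scan.
SAMPLE_REPORT = <<~REPORT
  [{"ip": "192.0.2.10", "port": 22,
    "key_algorithms": ["ecdh-sha2-nistp256", "diffie-hellman-group1-sha1"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "3des-cbc", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-md5", "hmac-sha2-256", "hmac-sha2-512"],
    "compliance": {"policy": "Mozilla Modern", "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group1-sha1",
        "Remove these MAC Algos: hmac-md5",
        "Remove these Encryption Ciphers: 3des-cbc, arcfour",
        "Remove these Authentication Methods: password"]}},
   {"ip": "192.0.2.11", "port": 22,
    "compliance": {"policy": "Mozilla Modern", "compliant": true, "recommendations": []}}]
REPORT

# Recommendation label => [report field with the offered list, sshd_config keyword].
# sshd has one directive per algorithm class, so the client_to_server lists are used.
DIRECTIVES = {
  'Key Exchange Algos' => %w[key_algorithms KexAlgorithms],
  'Encryption Ciphers' => %w[encryption_algorithms_client_to_server Ciphers],
  'MAC Algos'          => %w[mac_algorithms_client_to_server MACs]
}.freeze

# Returns { "ip:port" => [sshd_config lines] } for every host the report does
# not mark compliant. Each line keeps what the server offered minus what the
# policy recommendation asks to remove.
def hardening_plan(report_json)
  failing = JSON.parse(report_json).reject { |host| host.dig('compliance', 'compliant') == true }
  failing.to_h do |host|
    lines = host.dig('compliance', 'recommendations').to_a.filter_map do |rec|
      label, removals = rec.match(/\ARemove these (.+?): (.+)\z/)&.captures
      field, keyword = DIRECTIVES[label]
      next unless field # e.g. "Authentication Methods" is not an algorithm list
      keep = host.fetch(field, []) - removals.split(/,\s*/)
      # An empty list would be an invalid directive, so flag it instead.
      keep.empty? ? "# #{keyword}: nothing offered passes the policy" : "#{keyword} #{keep.join(',')}"
    end
    ["#{host['ip']}:#{host['port']}", lines]
  end
end

hardening_plan(SAMPLE_REPORT).each do |target, lines|
  puts "# #{target}", lines
end
```

Check an edited sshd_config with `sshd -t` before reloading the service, and keep an existing session open while you test the new settings.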

Additionally, you can pass more than one IP in a single shot.

$ ssh_scan -t 192.168.1.100,101,102

You can also pass a host name instead of an IP address.

$ ssh_scan -t server.2daygeek.com

To get input from a file.

$ ssh_scan -f hosts.txt

To scan an SSH server on a non-standard port.

$ ssh_scan -t 192.168.1.100 -p 2200

To view more options for ssh_scan.

$ ssh_scan -h
