System Tutorial
LINUX
How to remotely verify SSH service configuration and policy through ssh_scan
How to remotely verify SSH service configuration and policy through ssh_scan
| Introduction | ssh_scan is an easy-to-use SSH service parameter configuration and policy scanner program for Linux and UNIX servers. Its ideas come from the Mozilla OpenSSH Security Guide. This guide provides a reliable security for SSH service parameter configuration. Recommendations for policy baselines, such as encryption algorithms (Ciphers), message authentication information code algorithms (MAC), key exchange algorithms (KexAlgos) and others. |
ssh_scan has the following benefits:
- Its dependencies are minimized, ssh_scan only introduces local Ruby and BinData to perform its work, without too many dependencies.
- It is portable, you can use ssh_scan in other projects or use it for automated tasks.
- It is easy to use, simply point it to an SSH service and get a JSON-formatted report of the options and policy status supported by the service.
- It is also easy to configure, so you can create a strategy that suits your strategic needs.
Recommended reading: How to install and configure the OpenSSH service on Linux
How to install ssh_scan on LinuxThere are three ways to install ssh_scan:
Use Ruby gem to install and run, as follows:
----------- 在 Debian/Ubuntu ----------- $ sudo apt-get install ruby gem $ sudo gem install ssh_scan ----------- 在 CentOS/RHEL ----------- # yum install ruby rubygem # gem install ssh_scan
Use docker container to run, as follows:
# docker pull mozilla/ssh_scan # docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com
Use the source code to install and run, as follows:
# git clone https://github.com/mozilla/ssh_scan.git # cd ssh_scan # gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 # curl -sSL https://get.rvm.io | bash -s stable # rvm install 2.3.1 # rvm use 2.3.1 # gem install bundler # bundle install # ./bin/ssh_scan
The syntax for using ssh_scan is as follows:
$ ssh_scan -t ip地址 $ ssh_scan -t 主机名
For example, to scan the SSH configuration and policy of this server 192.168.43.198, type:
$ ssh_scan -t 192.168.43.198
Note that you can also pass an [IP address/address range/host name] to the -t option as shown below:
$ ssh_scan -t 192.168.43.198,200,205 $ ssh_scan -t test.tecmint.lan
Output example:
I, [2017-05-09T10:36:17.913644 #7145] INFO -- : You're using the latest version of ssh_scan 0.0.19
[
{
"ssh_scan_version": "0.0.19",
"ip": "192.168.43.198",
"port": 22,
"server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
"ssh_version": 2.0,
"os": "ubuntu",
"os_cpe": "o:canonical:ubuntu:16.04",
"ssh_lib": "openssh",
"ssh_lib_cpe": "a:openssh:openssh:7.2p2",
"cookie": "68b17bcca652eeaf153ed18877770a38",
"key_algorithms": [
"[email protected]",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group14-sha1"
],
"server_host_key_algorithms": [
"ssh-rsa",
"rsa-sha2-512",
"rsa-sha2-256",
"ecdsa-sha2-nistp256",
"ssh-ed25519"
],
"encryption_algorithms_client_to_server": [
"[email protected]",
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"[email protected]",
"[email protected]"
],
"encryption_algorithms_server_to_client": [
"[email protected]",
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"[email protected]",
"[email protected]"
],
"mac_algorithms_client_to_server": [
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"mac_algorithms_server_to_client": [
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"compression_algorithms_client_to_server": [
"none",
"[email protected]"
],
"compression_algorithms_server_to_client": [
"none",
"[email protected]"
],
"languages_client_to_server": [
],
"languages_server_to_client": [
],
"hostname": "tecmint",
"auth_methods": [
"publickey",
"password"
],
"fingerprints": {
"rsa": {
"known_bad": "false",
"md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4",
"sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa",
"sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11"
}
},
"start_time": "2017-05-09 10:36:17 +0300",
"end_time": "2017-05-09 10:36:18 +0300",
"scan_duration_seconds": 0.221573169,
"duplicate_host_key_ips": [
],
"compliance": {
"policy": "Mozilla Modern",
"compliant": false,
"recommendations": [
"Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
"Remove these MAC Algos: [email protected], [email protected], [email protected], hmac-sha1",
"Remove these Authentication Methods: password"
],
"references": [
"https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
]
}
}
]
You can use the -p option to specify different ports, the -L option to enable logging, and the -V option to specify the log level:
$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO
In addition, you can use the -P or --policy option to specify a policy file (the default is Mozilla Modern):
$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file
ssh_scan usage help and other examples:
$ ssh_scan -h
Output example:
ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan) Usage: ssh_scan [options] -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan -f, --file [FilePath] File Path of the file containing IP/Range/Hostnames to scan -T, --timeout [seconds] Timeout per connect after which ssh_scan gives up on the host -L, --logger [Log File Path] Enable logger -O, --from_json [FilePath] File to read JSON output from -o, --output [FilePath] File to write JSON output to -p, --port [PORT] Port (Default: 22) -P, --policy [FILE] Custom policy file (Default: Mozilla Modern) --threads [NUMBER] Number of worker threads (Default: 5) --fingerprint-db [FILE] File location of fingerprint database (Default: ./fingerprints.db) --suppress-update-status Do not check for updates -u, --unit-test [FILE] Throw appropriate exit codes based on compliance status -V [STD_LOGGING_LEVEL], --verbosity -v, --version Display just version info -h, --help Show this message Examples: ssh_scan -t 192.168.1.1 ssh_scan -t server.example.com ssh_scan -t ::1 ssh_scan -t ::1 -T 5 ssh_scan -f hosts.txt ssh_scan -o output.json ssh_scan -O output.json -o rescan_output.json ssh_scan -t 192.168.1.1 -p 22222 ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO ssh_scan -t 192.168.1.1 -P custom_policy.yml ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
SSH server related reference reading:
- Use SSH Keygen (ssh-keygen) in five steps to implement SSH password-free login
- 5 Best Practices for a Secure SSH Server
- Use Chroot to restrict SSH users from entering certain directories
- How to configure an SSH connection to simplify remote login
The above is the detailed content of How to remotely verify SSH service configuration and policy through ssh_scan. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What computer configuration is required for vscode
Apr 15, 2025 pm 09:48 PM
VS Code system requirements: Operating system: Windows 10 and above, macOS 10.12 and above, Linux distribution processor: minimum 1.6 GHz, recommended 2.0 GHz and above memory: minimum 512 MB, recommended 4 GB and above storage space: minimum 250 MB, recommended 1 GB and above other requirements: stable network connection, Xorg/Wayland (Linux)
Linux Architecture: Unveiling the 5 Basic Components
Apr 20, 2025 am 12:04 AM
The five basic components of the Linux system are: 1. Kernel, 2. System library, 3. System utilities, 4. Graphical user interface, 5. Applications. The kernel manages hardware resources, the system library provides precompiled functions, system utilities are used for system management, the GUI provides visual interaction, and applications use these components to implement functions.
vscode terminal usage tutorial
Apr 15, 2025 pm 10:09 PM
vscode built-in terminal is a development tool that allows running commands and scripts within the editor to simplify the development process. How to use vscode terminal: Open the terminal with the shortcut key (Ctrl/Cmd). Enter a command or run the script. Use hotkeys (such as Ctrl L to clear the terminal). Change the working directory (such as the cd command). Advanced features include debug mode, automatic code snippet completion, and interactive command history.
How to check the warehouse address of git
Apr 17, 2025 pm 01:54 PM
To view the Git repository address, perform the following steps: 1. Open the command line and navigate to the repository directory; 2. Run the "git remote -v" command; 3. View the repository name in the output and its corresponding address.
Where to write code in vscode
Apr 15, 2025 pm 09:54 PM
Writing code in Visual Studio Code (VSCode) is simple and easy to use. Just install VSCode, create a project, select a language, create a file, write code, save and run it. The advantages of VSCode include cross-platform, free and open source, powerful features, rich extensions, and lightweight and fast.
How to run java code in notepad
Apr 16, 2025 pm 07:39 PM
Although Notepad cannot run Java code directly, it can be achieved by using other tools: using the command line compiler (javac) to generate a bytecode file (filename.class). Use the Java interpreter (java) to interpret bytecode, execute the code, and output the result.
What is the main purpose of Linux?
Apr 16, 2025 am 12:19 AM
The main uses of Linux include: 1. Server operating system, 2. Embedded system, 3. Desktop operating system, 4. Development and testing environment. Linux excels in these areas, providing stability, security and efficient development tools.
How to run sublime after writing the code
Apr 16, 2025 am 08:51 AM
There are six ways to run code in Sublime: through hotkeys, menus, build systems, command lines, set default build systems, and custom build commands, and run individual files/projects by right-clicking on projects/files. The build system availability depends on the installation of Sublime Text.
