So you think SSH is secure? Maybe not if you have a flawed config...
But I have a solution! Meet Mozilla's ssh_scan!
Mozilla provides a free scanner for SSH, which will quickly give you a grade and recommendations on how to improve your setup. The scanner needs to be downloaded and installed, either manually or using Docker, and I will show you how! The results will be output in JSON but it’s still very human-readable.
The scanner can be found on Mozilla’s GitHub at https://github.com/mozilla/ssh_scan.
Installing the scanner with Docker
The easiest method if you already have Docker installed is to pull and run the official container!
sudo docker pull mozilla/ssh_scan sudo docker run --rm -t mozilla/ssh_scan /app/bin/ssh_scan -t sshscan.rubidus.com
Of course, you need to replace sshscan.rubidus.com with your target server.
Note that on Windows and Mac (using Docker desktop), sudo is not required.
Installing the scanner as a Ruby gem
If you don’t want to use Docker, you can easily install the scanner as a Ruby gem! Of course this requires you to have Ruby installed.
On a Debian based system, like Ubuntu, you’ll first want to install Ruby:
sudo apt update; sudo apt install -y ruby
And then you’ll want to install the ssh_scan gem:
sudo gem install ssh_scan
Now it can be used like any other command, by simply running ssh_scan like this:
ssh_scan -t sshscan.rubidus.com
Of course, you need to replace sshscan.rubidus.com with your target server.
Using the scanner
Depending on how you installed the scanner, you’ll want to call ssh_scan with a target server as shown above. In our example, the output of the scanner will look something like this (it’s JSON):
[
{
"ssh_scan_version": "0.0.42",
"ip": "45.55.176.164",
"hostname": "sshscan.rubidus.com",
"port": 22,
"server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2",
"ssh_version": 2.0,
"os": "ubuntu",
"os_cpe": "o:canonical:ubuntu:16.04",
"ssh_lib": "openssh",
"ssh_lib_cpe": "a:openssh:openssh:7.2p2",
"key_algorithms": [
"[email protected]",
"ecdh-sha2-nistp521",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp256",
"diffie-hellman-group-exchange-sha256"
],
"encryption_algorithms_client_to_server": [
"[email protected]",
"[email protected]",
"[email protected]",
"aes256-ctr",
"aes192-ctr",
"aes128-ctr"
],
"encryption_algorithms_server_to_client": [
"[email protected]",
"[email protected]",
"[email protected]",
"aes256-ctr",
"aes192-ctr",
"aes128-ctr"
],
"mac_algorithms_client_to_server": [
"[email protected]",
"[email protected]",
"[email protected]",
"hmac-sha2-512",
"hmac-sha2-256",
"[email protected]"
],
"mac_algorithms_server_to_client": [
"[email protected]",
"[email protected]",
"[email protected]",
"hmac-sha2-512",
"hmac-sha2-256",
"[email protected]"
],
"compression_algorithms_client_to_server": [
"none",
"[email protected]"
],
"compression_algorithms_server_to_client": [
"none",
"[email protected]"
],
"languages_client_to_server": [
],
"languages_server_to_client": [
],
"auth_methods": [
"publickey"
],
"keys": {
"ed25519": {
"raw": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGeWZMs7O0ZeodunvgmGMS+ePQgKP7NMyBtKqlN6eC0u",
"length": 256,
"fingerprints": {
"md5": "0e:9f:97:4f:31:5f:2a:9d:ff:66:6d:58:e0:1c:b9:9c",
"sha1": "24:b1:44:8c:52:8b:17:88:22:78:b2:2e:5f:78:c1:2f:92:e6:37:8a",
"sha256": "e2:aa:06:9e:3f:70:ba:af:fb:87:72:12:2f:16:d0:87:fe:ac:94:ae:ee:ff:39:4a:6a:0b:8f:8f:99:44:b0:11"
}
},
"rsa": {
"raw": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNbthXwQNOFIZibgkxePmjcT064tOwGGvMW1XdvwvJXKpq0gCgjVH6MHVWV7P5uItngcD5kivIe0BjyAg6VQIzY0F620j1p60GOAUknxhsLXUcwu1G4PP19BG4q+rDTcjW9167wrDaX6fKLsEUmNA/OhV+jz8UNcy/gL91rTa0HI9txsdMI+IpFkZ3dHyN5aB5C1VqVdZffw4dzIUxN92zYANeRhc+xOgvj5uj5NpJS2O426N6Rr4+fC/n57ajWCfaqKPHaivfrXaXVOY/TAxeTn1AEELy1K7VxvEbGxasKf+oJn2BF3rAwoFPVNFfZmdK4fWygKLiWZnY8UfAohTp",
"length": 2048,
"fingerprints": {
"md5": "4f:17:6e:38:63:0c:af:1c:f4:97:4f:ab:04:b4:47:a0",
"sha1": "8c:71:d0:85:e5:2e:4c:24:34:4b:97:0a:af:37:f4:09:41:8d:ae:6d",
"sha256": "b5:b1:f8:2f:99:4e:88:bc:9d:6c:81:2b:9f:1c:db:44:2d:dd:e5:66:cb:49:bf:7e:e1:1a:a2:5f:d1:39:d2:16"
}
},
"ecdsa-sha2-nistp256": {
"raw": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE9uN+95t6GHIijxRr0WsQm2EIBkZA1frLlHJhzRXDYFQNxnXTtuEdsqMhPk9PQp+HHgaMlXWO/eDNGjXjBD34g=",
"length": 520,
"fingerprints": {
"md5": "13:4a:a6:10:7a:4b:45:ab:8c:a0:f8:be:c8:e9:7b:1e",
"sha1": "ca:cc:8e:28:35:df:53:5d:9b:ff:ab:70:a3:ec:d4:d9:e9:b7:68:a3",
"sha256": "ab:7c:04:f2:18:c1:3a:03:d3:0b:ff:1d:7f:cb:47:d5:93:45:21:65:b9:1f:9c:56:26:ea:cd:40:36:8f:ce:3f"
}
}
},
"dns_keys": [
],
"duplicate_host_key_ips": [
],
"compliance": {
"policy": "Mozilla Modern",
"compliant": true,
"recommendations": [
],
"references": [
"https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
],
"grade": "A"
},
"start_time": "2019-11-28 04:11:22 +0100",
"end_time": "2019-11-28 04:11:24 +0100",
"scan_duration_seconds": 2.549327383
}
]
What you’ll want to be looking at first, is the server’s grade at the bottom. In this case, the target server is graded with an “A”. The second thing you’ll want to look at are the recommendations above the grade. In this case, the list of recommendations is empty as the scanner did not find any issues.
On a server graded with C, the relevant bottom part might look like this:
"compliance": {
"policy": "Mozilla Modern",
"compliant": false,
"recommendations": [
"Remove these key exchange algorithms: diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1",
"Remove these MAC algorithms: [email protected], [email protected], [email protected], hmac-sha1"
],
"references": [
"https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
],
"grade": "C"
},
"start_time": "2019-11-28 04:18:21 +0100",
"end_time": "2019-11-28 04:18:22 +0100",
"scan_duration_seconds": 0.87183717
}
As you can see the server is graded “C” as there are issues. This time the list of recommendations is not empty, and instead lists weak key exchange algorithms and MAC algorithms that you should remove.
Fixing issues
Follow the recommendations stated in the scanner’s result. To get overall info on how to harden your OpenSSH config, check Mozilla’s guidelines found at https://infosec.mozilla.org/guidelines/openssh!
Conclusion
Yet again an easy way to scan and harden one of your services! Go ahead and scan your servers! :D
Leave A Comment