ssh_scan: A SSH configuration and policy scanner for Linux and UNIX server

Posted on in Categories Security last updated April 26, 2017

The SSH (“Secure Shell”) protocol is a method for secure remote login from one system to another. Sysadmins and users use a secure channel over an unsecured network in a client-server architecture format for connecting an SSH client with an SSH server. Security ssh server is an important task. There is a tool called ssh_scan from Mozilla which act as a prototype SSH configuration and policy scanner for your SSHD.

Benefits of ssh_scan

From the project home page:

  1. Minimal Dependancies – Uses native Ruby and BinData to do its work, no heavy dependancies.
  2. Not Just a Script – Implementation is portable for use in another project or for automation of tasks.
  3. Simple – Just point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
  4. Configurable – Make your own custom policies that fit your unique policy requirements.

Install dependancies

Type the following apt-get command/apt command to install ruby and gem on Debian/Ubuntu Linux:
$ sudo apt-get install ruby gem
Sample outputs:

Fig.01: Install ruby and gem
Fig.01: Install ruby and gem

Install ssh_scan

Type the following command to install ssh_scan as a gem:
$ sudo gem install ssh_scan
Sample outputs:

Fig.02: Installing  ssh_scan using a gem
Fig.02: Installing ssh_scan using a gem

How do I use ssh_scan?

The syntax is:
$ ssh_scan -t ip
$ ssh_scan -t server
$ ssh_scan -t server1.cyberciti.biz

For example scan a ssh server installed at 192.168.2.15, enter:
$ ssh_scan -t 192.168.2.15
Sample outputs:

I, [2017-04-25T16:12:11.019160 #32317]  INFO -- : You're using the latest version of ssh_scan 0.0.19
[
  {
    "ssh_scan_version": "0.0.19",
    "ip": "192.168.2.15",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.4p1 Ubuntu-10",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.4p1",
    "cookie": "82d7cc908765f03154b10d5cdf14195a",
    "key_algorithms": [
      "curve25519-sha256",
      "[email protected]",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ssh-ed25519"
    ],
    "encryption_algorithms_client_to_server": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "encryption_algorithms_server_to_client": [
      "[email protected]",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email protected]",
      "[email protected]"
    ],
    "mac_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "mac_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email protected]"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email protected]"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "hostname": "m6700",
    "auth_methods": [
      "publickey",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "1d:14:84:f0:c7:21:10:0e:30:d9:f9:59:6b:c3:95:97",
        "sha1": "70:ac:7c:2c:94:54:aa:09:f2:58:f3:48:f0:9e:f2:a0:a2:37:f1:0a",
        "sha256": "6d:d8:20:c6:8e:e7:db:0d:94:9d:34:66:ba:b7:9c:68:8a:ea:79:19:a6:0d:76:cc:ec:fe:82:21:68:a5:64:74"
      }
    },
    "start_time": "2017-04-25 16:12:11 +0000",
    "end_time": "2017-04-25 16:12:11 +0000",
    "scan_duration_seconds": 0.118730486,
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: curve25519-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1",
        "Remove these MAC Algos: [email protected], [email protected], [email protected], hmac-sha1",
        "Remove these Authentication Methods: password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]


To see all other options, enter:
$ ssh_scan -h
Sample outputs:

ssh_scan v0.0.19 (https://github.com/mozilla/ssh_scan)

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log File Path]     Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -V [STD_LOGGING_LEVEL],
        --verbosity
    -v, --version                    Display just version info
    -h, --help                       Show this message

Examples:

  ssh_scan -t 192.168.1.1
  ssh_scan -t server.example.com
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t 192.168.1.1 -p 22222
  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
  ssh_scan -t 192.168.1.1 -P custom_policy.yml
  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml

How do I secure and optimize my OpenSSH server?

  1. OpenSSH Security Best Practices
  2. For providing a sane baseline policy recommendation for SSH configuration parameters see this page

4 comment

  1. That’s pretty much the output one gets with the standard OpenSSH client and -vvvv, somewhat beautified. Not useless, but not all that useful.

Leave a Comment