ssh_scan - pārbauda jūsu SSH servera konfigurāciju un politiku Linux
ssh_scan ir viegli lietojams SSH konfigurācijas un politikas skenera prototips Linux un UNIX serveriem, iedvesmojoties no Mozilla OpenSSH drošības rokasgrāmatas, kurā sniegts saprātīgs pamata politikas ieteikums par SSH konfigurācijas parametriem, piemēram, Ciphers, MAC un KexAlgos un daudz ko citu.
Tam ir dažas no šīm priekšrocībām:
- Tam ir minimālas atkarības, ssh_scan izmanto tikai vietējos Ruby un BinData, lai veiktu savu darbu, bez smagām atkarībām.
- Tas ir pārnēsājams, ssh_scan varat izmantot citā projektā vai uzdevumu automatizēšanai.
- To ir viegli izmantot, vienkārši norādiet uz SSH pakalpojumu un saņemiet JSON ziņojumu par to, ko tas atbalsta, un tā statusu.
- Tas ir arī konfigurējams, jūs varat izveidot savas pielāgotās politikas, kas atbilst jūsu konkrētajām politikas prasībām.
Kā instalēt ssh_scan Linux
Ir trīs veidi, kā varat instalēt ssh_scan, un tie ir:
Lai instalētu un palaistu kā dārgakmens, ierakstiet:
----------- On Debian/Ubuntu ----------- $ sudo apt-get install ruby gem $ sudo gem install ssh_scan ----------- On CentOS/RHEL ----------- # yum install ruby rubygem # gem install ssh_scan
Lai palaistu no dokstacijas konteinera, ierakstiet:
# docker pull mozilla/ssh_scan # docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com
Lai instalētu un palaistu no avota, ierakstiet:
# git clone https://github.com/mozilla/ssh_scan.git # cd ssh_scan # gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 # curl -sSL https://get.rvm.io | bash -s stable # rvm install 2.3.1 # rvm use 2.3.1 # gem install bundler # bundle install # ./bin/ssh_scan
Kā ssh_scan izmantot Linux
Ssh_scan izmantošanas sintakse ir šāda:
$ ssh_scan -t ip-address $ ssh_scan -t server-hostname
Piemēram, lai skenētu SSH konfigurācijas un servera 92.168.43.198 politiku, ievadiet:
$ ssh_scan -t 192.168.43.198
Ņemiet vērā, ka varat arī pārsūtīt [IP/Range/Hostname] opcijai -t
, kā parādīts zemāk esošajās opcijās:
$ ssh_scan -t 192.168.43.198,200,205 $ ssh_scan -t test.tecmint.lan
I, [2017-05-09T10:36:17.913644 #7145] INFO -- : You're using the latest version of ssh_scan 0.0.19 [ { "ssh_scan_version": "0.0.19", "ip": "192.168.43.198", "port": 22, "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1", "ssh_version": 2.0, "os": "ubuntu", "os_cpe": "o:canonical:ubuntu:16.04", "ssh_lib": "openssh", "ssh_lib_cpe": "a:openssh:openssh:7.2p2", "cookie": "68b17bcca652eeaf153ed18877770a38", "key_algorithms": [ "[email ", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1" ], "server_host_key_algorithms": [ "ssh-rsa", "rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256", "ssh-ed25519" ], "encryption_algorithms_client_to_server": [ "[email ", "aes128-ctr", "aes192-ctr", "aes256-ctr", "[email ", "[email " ], "encryption_algorithms_server_to_client": [ "[email ", "aes128-ctr", "aes192-ctr", "aes256-ctr", "[email ", "[email " ], "mac_algorithms_client_to_server": [ "[email ", "[email ", "[email ", "[email ", "[email ", "[email ", "[email ", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "mac_algorithms_server_to_client": [ "[email ", "[email ", "[email ", "[email ", "[email ", "[email ", "[email ", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "compression_algorithms_client_to_server": [ "none", "[email " ], "compression_algorithms_server_to_client": [ "none", "[email " ], "languages_client_to_server": [ ], "languages_server_to_client": [ ], "hostname": "tecmint", "auth_methods": [ "publickey", "password" ], "fingerprints": { "rsa": { "known_bad": "false", "md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4", "sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa", "sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11" } }, "start_time": "2017-05-09 10:36:17 +0300", "end_time": "2017-05-09 10:36:18 +0300", "scan_duration_seconds": 0.221573169, "duplicate_host_key_ips": [ ], "compliance": { "policy": "Mozilla Modern", "compliant": false, "recommendations": [ "Remove these Key Exchange Algos: diffie-hellman-group14-sha1", "Remove these MAC Algos: [email , [email , [email , hmac-sha1", "Remove these Authentication Methods: password" ], "references": [ "https://wiki.mozilla.org/Security/Guidelines/OpenSSH" ] } } ]
Varat izmantot -p
, lai norādītu citu portu, -L
, lai iespējotu reģistrētāju, un -V
, lai noteiktu daudzbalsības līmeni, kā parādīts zemāk:
$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO
Turklāt izmantojiet pielāgotu politikas failu (noklusējums ir Mozilla Modern) ar -P
vai --policy [FILE]
šādi:
$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file
Ierakstiet šo, lai skatītu visas ssh_scan lietošanas iespējas un citus piemērus:
$ ssh_scan -h
ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan) Usage: ssh_scan [options] -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan -f, --file [FilePath] File Path of the file containing IP/Range/Hostnames to scan -T, --timeout [seconds] Timeout per connect after which ssh_scan gives up on the host -L, --logger [Log File Path] Enable logger -O, --from_json [FilePath] File to read JSON output from -o, --output [FilePath] File to write JSON output to -p, --port [PORT] Port (Default: 22) -P, --policy [FILE] Custom policy file (Default: Mozilla Modern) --threads [NUMBER] Number of worker threads (Default: 5) --fingerprint-db [FILE] File location of fingerprint database (Default: ./fingerprints.db) --suppress-update-status Do not check for updates -u, --unit-test [FILE] Throw appropriate exit codes based on compliance status -V [STD_LOGGING_LEVEL], --verbosity -v, --version Display just version info -h, --help Show this message Examples: ssh_scan -t 192.168.1.1 ssh_scan -t server.example.com ssh_scan -t ::1 ssh_scan -t ::1 -T 5 ssh_scan -f hosts.txt ssh_scan -o output.json ssh_scan -O output.json -o rescan_output.json ssh_scan -t 192.168.1.1 -p 22222 ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO ssh_scan -t 192.168.1.1 -P custom_policy.yml ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
Pārbaudiet dažas noderīgas artilces SSH Server:
- Pieteikšanās ar SSH bez paroles, izmantojot 5 vienkāršus soļus, izmantojot SSH Keygen
- 5 labākās prakses SSH servera drošībai
- Ierobežojiet SSH lietotāja piekļuvi noteiktam direktorijam, izmantojot ieslodzīto cietumu
- Kā konfigurēt pielāgotus SSH savienojumus, lai vienkāršotu attālo piekļuvi
Lai iegūtu sīkāku informāciju, apmeklējiet ssh_scan Github repozitoriju: https://github.com/mozilla/ssh_scan
Šajā rakstā mēs parādījām, kā Linux iestatīt un izmantot ssh_scan. Vai jūs zināt kādus līdzīgus rīkus? Informējiet mūs, izmantojot tālāk sniegto atsauksmju veidlapu, iekļaujot visas citas domas par šo ceļvedi.