Scan SSH servers for issues

So you think SSH is secure? Maybe not if you have a flawed config... 
But I have a solution! Meet Mozilla's ssh_scan!

Mozilla provides a free scanner for SSH, which will quickly give you a grade and recommendations on how to improve your setup. The scanner needs to be downloaded and installed, either manually or using Docker, and I will show you how! The results will be output in JSON but it’s still very human-readable.

The scanner can be found on Mozilla’s GitHub at https://github.com/mozilla/ssh_scan.

Installing the scanner with Docker

The easiest method if you already have Docker installed is to pull and run the official container!

sudo docker pull mozilla/ssh_scan
sudo docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t sshscan.rubidus.com

Of course, you need to replace sshscan.rubidus.com with your target server.

Installing the scanner as a Ruby gem

If you don’t want to use Docker, you can easily install the scanner as a Ruby gem! Of course this requires you to have Ruby installed.

On a Debian based system, like Ubuntu, you’ll first want to install Ruby:

sudo apt update; sudo apt install -y ruby

And then you’ll want to install the ssh_scan gem:

sudo gem install ssh_scan

Now it can be used like any other command, by simply running ssh_scan like this:

ssh_scan -t sshscan.rubidus.com

Of course, you need to replace sshscan.rubidus.com with your target server.

Using the scanner

Depending on how you installed the scanner, you’ll want to call ssh_scan with a target server as shown above. In our example, the output of the scanner will look something like this (it’s JSON):

[
  {
    "ssh_scan_version": "0.0.42",
    "ip": "45.55.176.164",
    "hostname": "sshscan.rubidus.com",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu:16.04",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.2p2",
    "key_algorithms": [
      "[email protected]",
      "ecdh-sha2-nistp521",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp256",
      "diffie-hellman-group-exchange-sha256"
    ],
    "encryption_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "aes256-ctr",
      "aes192-ctr",
      "aes128-ctr"
    ],
    "encryption_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "aes256-ctr",
      "aes192-ctr",
      "aes128-ctr"
    ],
    "mac_algorithms_client_to_server": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-512",
      "hmac-sha2-256",
      "[email protected]"
    ],
    "mac_algorithms_server_to_client": [
      "[email protected]",
      "[email protected]",
      "[email protected]",
      "hmac-sha2-512",
      "hmac-sha2-256",
      "[email protected]"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email protected]"
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email protected]"
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "auth_methods": [
      "publickey"
    ],
    "keys": {
      "ed25519": {
        "raw": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGeWZMs7O0ZeodunvgmGMS+ePQgKP7NMyBtKqlN6eC0u",
        "length": 256,
        "fingerprints": {
          "md5": "0e:9f:97:4f:31:5f:2a:9d:ff:66:6d:58:e0:1c:b9:9c",
          "sha1": "24:b1:44:8c:52:8b:17:88:22:78:b2:2e:5f:78:c1:2f:92:e6:37:8a",
          "sha256": "e2:aa:06:9e:3f:70:ba:af:fb:87:72:12:2f:16:d0:87:fe:ac:94:ae:ee:ff:39:4a:6a:0b:8f:8f:99:44:b0:11"
        }
      },
      "rsa": {
        "raw": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNbthXwQNOFIZibgkxePmjcT064tOwGGvMW1XdvwvJXKpq0gCgjVH6MHVWV7P5uItngcD5kivIe0BjyAg6VQIzY0F620j1p60GOAUknxhsLXUcwu1G4PP19BG4q+rDTcjW9167wrDaX6fKLsEUmNA/OhV+jz8UNcy/gL91rTa0HI9txsdMI+IpFkZ3dHyN5aB5C1VqVdZffw4dzIUxN92zYANeRhc+xOgvj5uj5NpJS2O426N6Rr4+fC/n57ajWCfaqKPHaivfrXaXVOY/TAxeTn1AEELy1K7VxvEbGxasKf+oJn2BF3rAwoFPVNFfZmdK4fWygKLiWZnY8UfAohTp",
        "length": 2048,
        "fingerprints": {
          "md5": "4f:17:6e:38:63:0c:af:1c:f4:97:4f:ab:04:b4:47:a0",
          "sha1": "8c:71:d0:85:e5:2e:4c:24:34:4b:97:0a:af:37:f4:09:41:8d:ae:6d",
          "sha256": "b5:b1:f8:2f:99:4e:88:bc:9d:6c:81:2b:9f:1c:db:44:2d:dd:e5:66:cb:49:bf:7e:e1:1a:a2:5f:d1:39:d2:16"
        }
      },
      "ecdsa-sha2-nistp256": {
        "raw": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE9uN+95t6GHIijxRr0WsQm2EIBkZA1frLlHJhzRXDYFQNxnXTtuEdsqMhPk9PQp+HHgaMlXWO/eDNGjXjBD34g=",
        "length": 520,
        "fingerprints": {
          "md5": "13:4a:a6:10:7a:4b:45:ab:8c:a0:f8:be:c8:e9:7b:1e",
          "sha1": "ca:cc:8e:28:35:df:53:5d:9b:ff:ab:70:a3:ec:d4:d9:e9:b7:68:a3",
          "sha256": "ab:7c:04:f2:18:c1:3a:03:d3:0b:ff:1d:7f:cb:47:d5:93:45:21:65:b9:1f:9c:56:26:ea:cd:40:36:8f:ce:3f"
        }
      }
    },
    "dns_keys": [

    ],
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": true,
      "recommendations": [

      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ],
      "grade": "A"
    },
    "start_time": "2019-11-28 04:11:22 +0100",
    "end_time": "2019-11-28 04:11:24 +0100",
    "scan_duration_seconds": 2.549327383
  }
]

What you’ll want to be looking at first, is the server’s grade at the bottom. In this case, the target server is graded with an “A”. The second thing you’ll want to look at are the recommendations above the grade. In this case, the list of recommendations is empty as the scanner did not find any issues.

On a server graded with C, the relevant bottom part might look like this:

"compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these key exchange algorithms: diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1",
        "Remove these MAC algorithms: [email protected], [email protected], [email protected], hmac-sha1"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ],
      "grade": "C"
    },
    "start_time": "2019-11-28 04:18:21 +0100",
    "end_time": "2019-11-28 04:18:22 +0100",
    "scan_duration_seconds": 0.87183717
  }

As you can see the server is graded “C” as there are issues. This time the list of recommendations is not empty, and instead lists weak key exchange algorithms and MAC algorithms that you should remove.

Fixing issues

Follow the recommendations stated in the scanner’s result. To get overall info on how to harden your OpenSSH config, check Mozilla’s guidelines found at https://infosec.mozilla.org/guidelines/openssh!

Conclusion

Yet again an easy way to scan and harden one of your services! Go ahead and scan your servers! 😀

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.