ssh-audit 工具支持SSH1和SSH2協議,通過掃描服務器上SSH服務,可以收集SSH連接各個階段所使用的算法,並對這些算法進行分析,提示現有算法和服務版本所關聯的漏洞信息,並提供加強的算法推薦設置。
Install
fedora 31
or RHEL/CentOS 8
可直接通過 pip install ssh-audit
安裝;
也可通過github
下載 ssh-audit 到本地執行;
# ssh-audit -h
# ssh-audit v2.1.1, https://github.com/jtesta/ssh-audit
usage: ssh-audit [-1246pbcnjvlt] <host>
-h, --help print this help
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-p, --port=<port> port to connect
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n, --no-colors disable colors
-j, --json JSON output
-v, --verbose verbose output
-l, --level=<level> minimum output level (info|warn|fail)
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
Audit
# ssh-audit 127.0.0.1
根據algorithm recommendations
建議移除弱相應的算法, 以下是sshd_config
推薦配置:
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
當前使用系統爲 fedora 31 & centos 8
, fedora & rhel/centos
, OpenSSH 加密算法配置依賴系統加密默認策略 /etc/crypto-policies/back-ends/opensshserver.config
, 需同步修改此配置纔可以生效,以下是opensshserver.config
修改後配置:
# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes192-ctr,[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr [email protected],[email protected],[email protected] -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected]'
重啓sshd
服務 & 重新運行 ssh-audit
查看當前ssh已爲安全加密算法:
# systemctl restart sshd
# ssh-audit 127.0.0.1
注:
/etc/crypto-policies/back-ends/opensshserver.config
實際爲 crypto-policies
DEFAULT 軟鏈接:
# ls /etc/crypto-policies/back-ends/opensshserver.config -l
lrwxrwxrwx. 1 root root 52 Dec 18 11:08 /etc/crypto-policies/back-ends/opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
# update-crypto-policies --show
DEFAULT
Reference
ssh-audit
man crypto-policies
man update-crypto-policies