SSH安全審計Tool - ssh-audit

ssh-audit 工具支持SSH1和SSH2協議，通過掃描服務器上SSH服務，可以收集SSH連接各個階段所使用的算法，並對這些算法進行分析，提示現有算法和服務版本所關聯的漏洞信息，並提供加強的算法推薦設置。

Install

fedora 31 or RHEL/CentOS 8可直接通過 pip install ssh-audit 安裝；
也可通過github下載 ssh-audit 到本地執行；

# ssh-audit -h
# ssh-audit v2.1.1, https://github.com/jtesta/ssh-audit

usage: ssh-audit [-1246pbcnjvlt] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)

Audit

# ssh-audit 127.0.0.1

根據algorithm recommendations建議移除弱相應的算法， 以下是sshd_config推薦配置：

Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

當前使用系統爲 fedora 31 & centos 8, fedora & rhel/centos, OpenSSH 加密算法配置依賴系統加密默認策略 /etc/crypto-policies/back-ends/opensshserver.config, 需同步修改此配置纔可以生效，以下是opensshserver.config修改後配置：

# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes192-ctr,[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr [email protected],[email protected],[email protected] -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected]'

重啓sshd服務 & 重新運行 ssh-audit查看當前ssh已爲安全加密算法：

# systemctl restart sshd
# ssh-audit 127.0.0.1

注：
/etc/crypto-policies/back-ends/opensshserver.config 實際爲 crypto-policies DEFAULT 軟鏈接：

# ls  /etc/crypto-policies/back-ends/opensshserver.config -l
lrwxrwxrwx. 1 root root 52 Dec 18 11:08 /etc/crypto-policies/back-ends/opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
# update-crypto-policies --show
DEFAULT

Reference

ssh-audit
man crypto-policies
man update-crypto-policies