SSH安全审计Tool - ssh-audit

ssh-audit 工具支持SSH1和SSH2协议，通过扫描服务器上SSH服务，可以收集SSH连接各个阶段所使用的算法，并对这些算法进行分析，提示现有算法和服务版本所关联的漏洞信息，并提供加强的算法推荐设置。

Install

fedora 31 or RHEL/CentOS 8可直接通过 pip install ssh-audit 安装；
也可通过github下载 ssh-audit 到本地执行；

# ssh-audit -h
# ssh-audit v2.1.1, https://github.com/jtesta/ssh-audit

usage: ssh-audit [-1246pbcnjvlt] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -p,  --port=<port>      port to connect
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -n,  --no-colors        disable colors
   -j,  --json             JSON output
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)

Audit

# ssh-audit 127.0.0.1

根据algorithm recommendations建议移除弱相应的算法， 以下是sshd_config推荐配置：

Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

当前使用系统为 fedora 31 & centos 8, fedora & rhel/centos, OpenSSH 加密算法配置依赖系统加密默认策略 /etc/crypto-policies/back-ends/opensshserver.config, 需同步修改此配置才可以生效，以下是opensshserver.config修改后配置：

# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes192-ctr,[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr [email protected],[email protected],[email protected] -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected]'

重启sshd服务 & 重新运行 ssh-audit查看当前ssh已为安全加密算法：

# systemctl restart sshd
# ssh-audit 127.0.0.1

注：
/etc/crypto-policies/back-ends/opensshserver.config 实际为 crypto-policies DEFAULT 软链接：

# ls  /etc/crypto-policies/back-ends/opensshserver.config -l
lrwxrwxrwx. 1 root root 52 Dec 18 11:08 /etc/crypto-policies/back-ends/opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
# update-crypto-policies --show
DEFAULT

Reference

ssh-audit
man crypto-policies
man update-crypto-policies