Verifying SSH configuration with a scan

SSH_ValidationManaging a number of Linux servers and keeping them secure can be a challenge. Certain tools can make the life of an admin a lot easier.

To ensure an ssh daemon complies with a desired security configuration the admin can use a scanner which will connect to the ssh daemon and analyse the proposed algorithms (See my post Harden the SSH server settings for an introduction to hardening your SSH setup).

One such scanner is called ssh_scan – A prototype SSH configuration and policy scanner. This particular scanner retrieves the suggested algorithms from the server by initiating a connection. The retrieved information is then checked against a policy.

Scanning a CentOS 6 ssh daemon should be done using the “Mozilla Intermediate” policy as it relates to the Mozilla Wiki – Security/Guidelines/OpenSSH section “Intermediate (OpenSSH 5.3)”.

$ ./bin/ssh_scan --target host.example.com --port 22 --policy policies/mozilla_intermediate.yml

{
  "ip": "host.example.com",
  "port": 22,
  "server_banner": "SSH-2.0-OpenSSH_5.3",
  "key_algorithms": [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1"
  ],
  "server_host_key_algorithms": [
    "ssh-rsa",
    "ssh-dss"
  ],
  "encryption_algorithms_client_to_server": [
    "aes128-ctr",
    "aes192-ctr",
    "aes256-ctr",
    "arcfour256",
    "arcfour128",
    "aes128-cbc",
    "3des-cbc",
    "blowfish-cbc",
    "cast128-cbc",
    "aes192-cbc",
    "aes256-cbc",
    "arcfour",
    "rijndael-cbc@lysator.liu.se"
  ],
  "encryption_algorithms_server_to_client": [
    "aes128-ctr",
    "aes192-ctr",
    "aes256-ctr",
    "arcfour256",
    "arcfour128",
    "aes128-cbc",
    "3des-cbc",
    "blowfish-cbc",
    "cast128-cbc",
    "aes192-cbc",
    "aes256-cbc",
    "arcfour",
    "rijndael-cbc@lysator.liu.se"
  ],
  "mac_algorithms_client_to_server": [
    "hmac-md5",
    "hmac-sha1",
    "umac-64@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512",
    "hmac-ripemd160",
    "hmac-ripemd160@openssh.com",
    "hmac-sha1-96",
    "hmac-md5-96"
  ],
  "mac_algorithms_server_to_client": [
    "hmac-md5",
    "hmac-sha1",
    "umac-64@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512",
    "hmac-ripemd160",
    "hmac-ripemd160@openssh.com",
    "hmac-sha1-96",
    "hmac-md5-96"
  ],
  "compression_algorithms_client_to_server": [
    "none",
    "zlib@openssh.com"
  ],
  "compression_algorithms_server_to_client": [
    "none",
    "zlib@openssh.com"
  ],
  "languages_client_to_server": [

  ],
  "languages_server_to_client": [

  ],
  "compliance": {
    "policy": "Mozilla Intermediate",
    "compliant": false,
    "recommendations": [
      "Remove these Key Exchange Algos: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
      "Remove these MAC Algos: hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
      "Remove these Encryption Ciphers: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se"
    ]
  }
}

The output contains a detailed list of all the checked information as well as a compliance section. The result of the policy verification can be found in this compliance section. Additionally, the return code will be 0 to indicate the server is “compliant”, while a return code of 1 indicates a “non-compliant” result.

In the case of a non-compliant result, recommendations are shown to help to change the configuration towards a compliant scan result.

The example above shows recommendations to remove certain KEX and MAC algorithms, as well as some ciphers, based on the CentOS 6 default sshd configuration and the mozilla intermediate policy.


Read more of my posts on my blog at https://blog.tinned-software.net/.

This entry was posted in Linux Administration, Security and tagged , , , . Bookmark the permalink.