ssh-audit

ssh-audit is a tool for ssh server & client configuration auditing.

jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.

Features

  • SSH1 and SSH2 protocol server support;
  • analyze SSH client configuration;
  • grab banner, recognize device or software and operating system, detect compression;
  • gather key-exchange, host-key, encryption and message authentication code algorithms;
  • output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
  • output algorithm recommendations (append or remove based on recognized software version);
  • output security information (related issues, assigned CVE list, etc);
  • analyze SSH version compatibility based on algorithm information;
  • historical information from OpenSSH, Dropbear SSH and libssh;
  • policy scans to ensure adherence to a hardened/standard configuration;
  • runs on Linux and Windows;
  • no dependencies

Usage

usage: ssh-audit.py [options] <host>

   -h,  --help             print this help
   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -4,  --ipv4             enable IPv4 (order of precedence)
   -6,  --ipv6             enable IPv6 (order of precedence)
   -b,  --batch            batch output
   -c,  --client-audit     starts a server on port 2222 to audit client
                               software config (use -p to change port;
                               use -t to change timeout)
   -j,  --json             JSON output
   -l,  --level=<level>    minimum output level (info|warn|fail)
   -L,  --list-policies    list all the official, built-in policies
        --lookup=<alg1,alg2,...>    looks up an algorithm(s) without
                                    connecting to a server
   -M,  --make-policy=<policy.txt>  creates a policy based on the target server
                                    (i.e.: the target server has the ideal
                                    configuration that other servers should
                                    adhere to)
   -n,  --no-colors        disable colors
   -p,  --port=<port>      port to connect
   -P,  --policy=<policy.txt>  run a policy test using the specified policy
   -t,  --timeout=<secs>   timeout (in seconds) for connection and reading
                               (default: 5)
   -T,  --targets=<hosts.txt>  a file containing a list of target hosts (one
                                   per line, format HOST[:PORT])
   -v,  --verbose          verbose output
  • if both IPv4 and IPv6 are used, order of precedence can be set by using either -46 or -64.
  • batch flag -b will output sections without header and without empty lines (implies verbose flag).
  • verbose flag -v will prefix each line with section type and algorithm name.
  • an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).

Basic server auditing:

ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222

To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]):

ssh-audit -T servers.txt

To audit a client configuration (listens on port 2222 by default; connect using ssh [email protected]):

ssh-audit -c

To audit a client configuration, with a listener on port 4567:

ssh-audit -c -p 4567

To list all official built-in policies (hint: use resulting file paths with -P/--policy):

ssh-audit -L

To run a policy audit against a server:

ssh-audit -P path/to/server_policy targetserver

To run a policy audit against a client:

ssh-audit -c -P path/to/client_policy

To run a policy audit against many servers:

ssh-audit -T servers.txt -P path/to/server_policy

To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):

ssh-audit -M new_policy.txt targetserver

Server Standard Audit Example

Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
64388792-317e6f80-d00e-11e9-826e-a4934769bb07

Server Policy Audit Example

Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine:
94370881-95178700-00c0-11eb-8705-3157a4669dc0

After applying the steps in the hardening guide (see below), the output changes to the following:
94370873-87620180-00c0-11eb-9a59-469f61a56ce1

Client Standard Audit Example

Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
68867998-b946c100-06c4-11ea-975f-1f47e4178a74

Hardening Guides

Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html

Pre-Built Packages

Pre-built packages are available for Windows (see the releases page), on PyPI, Snap, and Homebrew.

To install from PyPI:

$ pip3 install ssh-audit

To install the Snap package:

$ snap install ssh-audit

To install on Homebrew:

$ brew install ssh-audit

GitHub