ssh-audit
ssh-audit is a tool for ssh server & client configuration auditing.
jtesta/ssh-audit (v2.0+) is the updated and maintained version of ssh-audit forked from arthepsy/ssh-audit (v1.x) due to inactivity.
Features
- SSH1 and SSH2 protocol server support;
- analyze SSH client configuration;
- grab banner, recognize device or software and operating system, detect compression;
- gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
- output algorithm recommendations (append or remove based on recognized software version);
- output security information (related issues, assigned CVE list, etc);
- analyze SSH version compatibility based on algorithm information;
- historical information from OpenSSH, Dropbear SSH and libssh;
- policy scans to ensure adherence to a hardened/standard configuration;
- runs on Linux and Windows;
- no dependencies
Usage
usage: ssh-audit.py [options] <host>
-h, --help print this help
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-j, --json JSON output
-l, --level=<level> minimum output level (info|warn|fail)
-L, --list-policies list all the official, built-in policies
--lookup=<alg1,alg2,...> looks up an algorithm(s) without
connecting to a server
-M, --make-policy=<policy.txt> creates a policy based on the target server
(i.e.: the target server has the ideal
configuration that other servers should
adhere to)
-n, --no-colors disable colors
-p, --port=<port> port to connect
-P, --policy=<policy.txt> run a policy test using the specified policy
-t, --timeout=<secs> timeout (in seconds) for connection and reading
(default: 5)
-T, --targets=<hosts.txt> a file containing a list of target hosts (one
per line, format HOST[:PORT])
-v, --verbose verbose output
- if both IPv4 and IPv6 are used, order of precedence can be set by using either
-46
or-64
. - batch flag
-b
will output sections without header and without empty lines (implies verbose flag). - verbose flag
-v
will prefix each line with section type and algorithm name. - an exit code of 0 is returned when all algorithms are considered secure (for a standard audit), or when a policy check passes (for a policy audit).
Basic server auditing:
ssh-audit localhost
ssh-audit 127.0.0.1
ssh-audit 127.0.0.1:222
ssh-audit ::1
ssh-audit [::1]:222
To run a standard audit against many servers (place targets into servers.txt, one on each line in the format of HOST[:PORT]
):
ssh-audit -T servers.txt
To audit a client configuration (listens on port 2222 by default; connect using ssh [email protected]
):
ssh-audit -c
To audit a client configuration, with a listener on port 4567:
ssh-audit -c -p 4567
To list all official built-in policies (hint: use resulting file paths with -P
/--policy
):
ssh-audit -L
To run a policy audit against a server:
ssh-audit -P path/to/server_policy targetserver
To run a policy audit against a client:
ssh-audit -c -P path/to/client_policy
To run a policy audit against many servers:
ssh-audit -T servers.txt -P path/to/server_policy
To create a policy based on a target server (which can be manually edited; see official built-in policies for syntax examples):
ssh-audit -M new_policy.txt targetserver
Server Standard Audit Example
Below is a screen shot of the standard server-auditing output when connecting to an unhardened OpenSSH v5.3 service:
Server Policy Audit Example
Below is a screen shot of the policy auditing output when connecting to an un-hardened Ubuntu Server 20.04 machine:
After applying the steps in the hardening guide (see below), the output changes to the following:
Client Standard Audit Example
Below is a screen shot of the client-auditing output when an unhardened OpenSSH v7.2 client connects:
Hardening Guides
Guides to harden server & client configuration can be found here: https://www.ssh-audit.com/hardening_guides.html
Pre-Built Packages
Pre-built packages are available for Windows (see the releases page), on PyPI, Snap, and Homebrew.
To install from PyPI:
$ pip3 install ssh-audit
To install the Snap package:
$ snap install ssh-audit
To install on Homebrew:
$ brew install ssh-audit