ssh-audit 工具支持SSH1和SSH2协议,通过扫描服务器上SSH服务,可以收集SSH连接各个阶段所使用的算法,并对这些算法进行分析,提示现有算法和服务版本所关联的漏洞信息,并提供加强的算法推荐设置。
fedora 31
or RHEL/CentOS 8
可直接通过 pip install ssh-audit
安装;
也可通过github
下载 ssh-audit 到本地执行;
# ssh-audit -h
# ssh-audit v2.1.1, https://github.com/jtesta/ssh-audit
usage: ssh-audit [-1246pbcnjvlt]
-h, --help print this help
-1, --ssh1 force ssh version 1 only
-2, --ssh2 force ssh version 2 only
-4, --ipv4 enable IPv4 (order of precedence)
-6, --ipv6 enable IPv6 (order of precedence)
-p, --port= port to connect
-b, --batch batch output
-c, --client-audit starts a server on port 2222 to audit client
software config (use -p to change port;
use -t to change timeout)
-n, --no-colors disable colors
-j, --json JSON output
-v, --verbose verbose output
-l, --level= minimum output level (info|warn|fail)
-t, --timeout= timeout (in seconds) for connection and reading
(default: 5)
# ssh-audit 127.0.0.1
根据algorithm recommendations
建议移除弱相应的算法, 以下是sshd_config
推荐配置:
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
当前使用系统为 fedora 31 & centos 8
, fedora & rhel/centos
, OpenSSH 加密算法配置依赖系统加密默认策略 /etc/crypto-policies/back-ends/opensshserver.config
, 需同步修改此配置才可以生效,以下是opensshserver.config
修改后配置:
# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes192-ctr,[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr [email protected],[email protected],[email protected] -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected]'
重启sshd
服务 & 重新运行 ssh-audit
查看当前ssh已为安全加密算法:
# systemctl restart sshd
# ssh-audit 127.0.0.1
注:
/etc/crypto-policies/back-ends/opensshserver.config
实际为 crypto-policies
DEFAULT 软链接:
# ls /etc/crypto-policies/back-ends/opensshserver.config -l
lrwxrwxrwx. 1 root root 52 Dec 18 11:08 /etc/crypto-policies/back-ends/opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
# update-crypto-policies --show
DEFAULT
ssh-audit
man crypto-policies
man update-crypto-policies