Wednesday, March 29 2017, 19:21

Strengthening ssh

A few weeks ago I stumbled on the ssh_scan project. This little ruby gem lets you scan machines and helps you make sshd harder to break into. Installing it on my fedora workstation was as simple as sudo dnf install rubygem-sqlite3 && gem install ssh_scan

You can then run it with -t hostname and fix your ssh config: {{ludo@Oulanl ~$ ssh_scan -t gandi.mozfr.org I, 2017-03-29T19:19:30.527949 #26982 INFO -- : You're using the latest version of ssh_scan 0.0.18 [

 {
   "ssh_scan_version": "0.0.18",
   "ip": "2001:4B98:DC0:51:216:3EFF:FE8E:A45A",
   "port": 22,
   "server_banner": "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3",
   "ssh_version": 2.0,
   "os": "debian",
   "os_cpe": "o:debian:debian",
   "ssh_lib": "openssh",
   "ssh_lib_cpe": "a:openssh:openssh:6.7p1",
   "cookie": "17386450c207cb71d06224d2810e45ac",
   "key_algorithms": [
     "curve25519-sha256@libssh.org",
     "ecdh-sha2-nistp256",
     "ecdh-sha2-nistp384",
     "ecdh-sha2-nistp521",
     "diffie-hellman-group-exchange-sha256",
     "diffie-hellman-group14-sha1"
   ],
   "server_host_key_algorithms": [
     "ssh-rsa",
     "ssh-dss",
     "ecdsa-sha2-nistp256",
     "ssh-ed25519"
   ],
   "encryption_algorithms_client_to_server": [
     "aes128-ctr",
     "aes192-ctr",
     "aes256-ctr",
     "aes128-gcm@openssh.com",
     "aes256-gcm@openssh.com",
     "chacha20-poly1305@openssh.com"
   ],
   "encryption_algorithms_server_to_client": [
     "aes128-ctr",
     "aes192-ctr",
     "aes256-ctr",
     "aes128-gcm@openssh.com",
     "aes256-gcm@openssh.com",
     "chacha20-poly1305@openssh.com"
   ],
   "mac_algorithms_client_to_server": [
     "umac-64-etm@openssh.com",
     "umac-128-etm@openssh.com",
     "hmac-sha2-256-etm@openssh.com",
     "hmac-sha2-512-etm@openssh.com",
     "hmac-sha1-etm@openssh.com",
     "umac-64@openssh.com",
     "umac-128@openssh.com",
     "hmac-sha2-256",
     "hmac-sha2-512",
     "hmac-sha1"
   ],
   "mac_algorithms_server_to_client": [
     "umac-64-etm@openssh.com",
     "umac-128-etm@openssh.com",
     "hmac-sha2-256-etm@openssh.com",
     "hmac-sha2-512-etm@openssh.com",
     "hmac-sha1-etm@openssh.com",
     "umac-64@openssh.com",
     "umac-128@openssh.com",
     "hmac-sha2-256",
     "hmac-sha2-512",
     "hmac-sha1"
   ],
   "compression_algorithms_client_to_server": [
     "none",
     "zlib@openssh.com"
   ],
   "compression_algorithms_server_to_client": [
     "none",
     "zlib@openssh.com"
   ],
   "languages_client_to_server": [
   ],
   "languages_server_to_client": [
   ],
   "auth_methods": [
     "publickey"
   ],
   "fingerprints": {
     "rsa": {
       "known_bad": "false",
       "md5": "e8:43:a9:22:59:01:2b:ff:c7:48:2e:69:68:0c:af:37",
       "sha1": "59:07:90:6f:31:fc:1a:55:aa:9b:d0:eb:31:26:0d:11:6f:95:a8:41",
       "sha256": "41:8a:f9:4f:3d:b1:e4:85:82:91:7c:92:cc:43:f1:5e:dd:c7:7a:08:ca:33:8c:05:c1:e9:79:0c:73:8e:ef:f4"
     },
     "dsa": {
       "known_bad": "false",
       "md5": "f2:d1:d4:cf:20:92:83:f5:95:1d:96:61:47:2f:82:13",
       "sha1": "3f:6c:52:ff:0a:89:92:97:28:1e:db:35:db:aa:a8:15:bb:66:e2:27",
       "sha256": "c3:b6:d8:bc:8c:a8:5b:e8:8a:13:09:d8:62:70:db:06:67:5a:52:17:29:be:c6:b6:e3:1c:50:d1:30:23:10:a8"
     }
   },
   "start_time": "2017-03-29 19:19:30 +0200",
   "end_time": "2017-03-29 19:19:31 +0200",
   "scan_duration_seconds": 0.716352392,
   "duplicate_host_key_ips": [
     "192.168.10.160",
     "192.30.253.113",
     "192.30.253.112",
     "2001:BC8:3364:200::"
   ],
   "compliance": {
     "policy": "Mozilla Modern",
     "compliant": false,
     "recommendations": [
       "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
       "Remove these MAC Algos: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1"
     ],
     "references": [
       "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
     ]
   }
 }

] }}

Based on the wiki, it's a matter of editing /etc/ssh/ssh_config (client side) and /etc/ssh/sshd_config (server side — the file the scan's recommendations above apply to). Before restarting ssh, test your configuration with sshd -t so that a syntax error doesn't lock you out, and voilà !!!!