ssh_scan - ກວດສອບການ ກຳ ນົດນະໂຍບາຍແລະການ ກຳ ນົດຄ່າຂອງ SSH Server ຂອງທ່ານໃນ Linux
ssh_scan ແມ່ນໂປແກຼມການຕັ້ງຄ່າແບບ SSH ແບບງ່າຍດາຍແລະເຄື່ອງສະແກນນະໂຍບາຍ ສຳ ລັບເຊີຟເວີ Linux ແລະ UNIX, ໄດ້ຮັບແຮງບັນດານໃຈຈາກ Mozilla OpenSSH Security Guide, ເຊິ່ງໃຫ້ ຄຳ ແນະ ນຳ ກ່ຽວກັບນະໂຍບາຍພື້ນຖານທີ່ ເໝາະ ສົມ ສຳ ລັບຕົວ ກຳ ນົດການຕັ້ງຄ່າ SSH ເຊັ່ນ Ciphers, MACs, ແລະ KexAlgos ແລະອື່ນໆ.
ມັນມີບາງປະໂຫຍດຕໍ່ໄປນີ້:
- ມັນມີຄວາມເພິ່ງພາອາໄສ ໜ້ອຍ ທີ່ສຸດ, ssh_scan ໃຊ້ພຽງແຕ່ Ruby ແລະ BinData ທີ່ເປັນຄົນພື້ນເມືອງເພື່ອເຮັດວຽກຂອງມັນ, ບໍ່ມີການເພິ່ງພາອາໄສ ໜັກ.
- ມັນສາມາດ ນຳ ໃຊ້ໄດ້, ທ່ານສາມາດໃຊ້ ssh_scan ໃນໂຄງການອື່ນຫລື ສຳ ລັບວຽກອັດຕະໂນມັດ.
- ມັນງ່າຍທີ່ຈະໃຊ້, ພຽງແຕ່ຊີ້ໃສ່ບໍລິການ SSH ແລະໄດ້ຮັບລາຍງານ JSON ກ່ຽວກັບສິ່ງທີ່ມັນສະ ໜັບ ສະ ໜູນ ແລະສະຖານະນະໂຍບາຍຂອງມັນ.
- ມັນຍັງສາມາດປັບປ່ຽນໄດ້, ທ່ານສາມາດສ້າງນະໂຍບາຍປະເພນີຂອງທ່ານເອງທີ່ ເໝາະ ສົມກັບຂໍ້ ກຳ ນົດນະໂຍບາຍສະເພາະຂອງທ່ານ.
ວິທີການຕິດຕັ້ງ ssh_scan ໃນ Linux
ມີສາມວິທີທີ່ທ່ານສາມາດຕິດຕັ້ງ ssh_scan ແລະພວກມັນແມ່ນ:
ການຕິດຕັ້ງແລະການ ດຳ ເນີນງານເປັນອັນມະນີ, ໃຫ້ພິມ:
----------- On Debian/Ubuntu ----------- $ sudo apt-get install ruby gem $ sudo gem install ssh_scan ----------- On CentOS/RHEL ----------- # yum install ruby rubygem # gem install ssh_scan
ເພື່ອແລ່ນຈາກຖັງ docker, ພິມ:
# docker pull mozilla/ssh_scan # docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com
ການຕິດຕັ້ງແລະແລ່ນຈາກແຫລ່ງຂໍ້ມູນ, ພິມ:
# git clone https://github.com/mozilla/ssh_scan.git # cd ssh_scan # gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 # curl -sSL https://get.rvm.io | bash -s stable # rvm install 2.3.1 # rvm use 2.3.1 # gem install bundler # bundle install # ./bin/ssh_scan
ວິທີການໃຊ້ ssh_scan ໃນ Linux
syntax ສຳ ລັບໃຊ້ ssh_scan ມີດັ່ງນີ້:
$ ssh_scan -t ip-address $ ssh_scan -t server-hostname
ສໍາລັບຕົວຢ່າງທີ່ຈະ scan SSH configs ແລະນະໂຍບາຍຂອງເຄື່ອງແມ່ຂ່າຍ 92.168.43.198, ໃສ່:
$ ssh_scan -t 192.168.43.198
ໃຫ້ສັງເກດວ່າທ່ານຍັງສາມາດຜ່ານ [IP/Range/Hostname] ໄປທີ່ -t ທີ່ຢູ່ໃນຕົວເລືອກຂ້າງລຸ່ມນີ້:
$ ssh_scan -t 192.168.43.198,200,205 $ ssh_scan -t test.tecmint.lan
I, [2017-05-09T10:36:17.913644 #7145] INFO -- : You're using the latest version of ssh_scan 0.0.19
[
{
"ssh_scan_version": "0.0.19",
"ip": "192.168.43.198",
"port": 22,
"server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
"ssh_version": 2.0,
"os": "ubuntu",
"os_cpe": "o:canonical:ubuntu:16.04",
"ssh_lib": "openssh",
"ssh_lib_cpe": "a:openssh:openssh:7.2p2",
"cookie": "68b17bcca652eeaf153ed18877770a38",
"key_algorithms": [
"[email ",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group14-sha1"
],
"server_host_key_algorithms": [
"ssh-rsa",
"rsa-sha2-512",
"rsa-sha2-256",
"ecdsa-sha2-nistp256",
"ssh-ed25519"
],
"encryption_algorithms_client_to_server": [
"[email ",
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"[email ",
"[email "
],
"encryption_algorithms_server_to_client": [
"[email ",
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"[email ",
"[email "
],
"mac_algorithms_client_to_server": [
"[email ",
"[email ",
"[email ",
"[email ",
"[email ",
"[email ",
"[email ",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"mac_algorithms_server_to_client": [
"[email ",
"[email ",
"[email ",
"[email ",
"[email ",
"[email ",
"[email ",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"compression_algorithms_client_to_server": [
"none",
"[email "
],
"compression_algorithms_server_to_client": [
"none",
"[email "
],
"languages_client_to_server": [
],
"languages_server_to_client": [
],
"hostname": "tecmint",
"auth_methods": [
"publickey",
"password"
],
"fingerprints": {
"rsa": {
"known_bad": "false",
"md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4",
"sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa",
"sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11"
}
},
"start_time": "2017-05-09 10:36:17 +0300",
"end_time": "2017-05-09 10:36:18 +0300",
"scan_duration_seconds": 0.221573169,
"duplicate_host_key_ips": [
],
"compliance": {
"policy": "Mozilla Modern",
"compliant": false,
"recommendations": [
"Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
"Remove these MAC Algos: [email , [email , [email , hmac-sha1",
"Remove these Authentication Methods: password"
],
"references": [
"https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
]
}
}
]
ທ່ານສາມາດໃຊ້ -p ເພື່ອ ກຳ ນົດພອດອື່ນ, -L ເພື່ອໃຫ້ຕົວເຊັນເຂົ້າແລະ -V ກຳ ນົດລະດັບ ຄຳ ສັບດັ່ງຮູບຂ້າງລຸ່ມນີ້:
$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO
ນອກຈາກນັ້ນ, ນຳ ໃຊ້ເອກະສານນະໂຍບາຍທີ່ ກຳ ຫນົດເອງ (ຄ່າເລີ່ມຕົ້ນແມ່ນ Mozilla Modern) ດ້ວຍລະຫັດ -P ຫຼື - ໂປໂລຍ [FILE] ຄືດັ່ງນີ້:
$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file
ພິມສິ່ງນີ້ເພື່ອເບິ່ງຕົວເລືອກການ ນຳ ໃຊ້ ssh_scan ແລະຕົວຢ່າງອື່ນໆ:
$ ssh_scan -h
ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan)
Usage: ssh_scan [options]
-t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
-f, --file [FilePath] File Path of the file containing IP/Range/Hostnames to scan
-T, --timeout [seconds] Timeout per connect after which ssh_scan gives up on the host
-L, --logger [Log File Path] Enable logger
-O, --from_json [FilePath] File to read JSON output from
-o, --output [FilePath] File to write JSON output to
-p, --port [PORT] Port (Default: 22)
-P, --policy [FILE] Custom policy file (Default: Mozilla Modern)
--threads [NUMBER] Number of worker threads (Default: 5)
--fingerprint-db [FILE] File location of fingerprint database (Default: ./fingerprints.db)
--suppress-update-status Do not check for updates
-u, --unit-test [FILE] Throw appropriate exit codes based on compliance status
-V [STD_LOGGING_LEVEL],
--verbosity
-v, --version Display just version info
-h, --help Show this message
Examples:
ssh_scan -t 192.168.1.1
ssh_scan -t server.example.com
ssh_scan -t ::1
ssh_scan -t ::1 -T 5
ssh_scan -f hosts.txt
ssh_scan -o output.json
ssh_scan -O output.json -o rescan_output.json
ssh_scan -t 192.168.1.1 -p 22222
ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
ssh_scan -t 192.168.1.1 -P custom_policy.yml
ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml
ກວດເບິ່ງຂໍ້ມູນປອມທີ່ມີປະໂຫຍດບາງຢ່າງໃນ SSH Server:
<
ສຳ ລັບລາຍລະອຽດເພີ່ມເຕີມເຂົ້າເບິ່ງທີ່ຫໍສະ ໝຸດ ssh_scan Github: https://github.com/mozilla/ssh_scan
ໃນບົດຂຽນນີ້, ພວກເຮົາໄດ້ສະແດງວິທີການຕັ້ງຄ່າແລະການ ນຳ ໃຊ້ ssh_scan ໃນ Linux. ທ່ານຮູ້ຈັກເຄື່ອງມືທີ່ຄ້າຍຄືກັນນີ້ຢູ່ບໍ? ໃຫ້ພວກເຮົາຮູ້ຜ່ານແບບຟອມ ຄຳ ເຫັນຂ້າງລຸ່ມນີ້, ລວມທັງຄວາມຄິດອື່ນໆກ່ຽວກັບຄູ່ມືນີ້.