ssh_scan - Verifies Your SSH Server Configuration and Policy in Linux


ssh_scan is an easy-to-use prototype SSH configuration and policy scanner for Linux and UNIX servers. It is inspired by the Mozilla OpenSSH Security Guide, which provides a reasonable baseline policy recommendation for SSH configuration parameters such as Ciphers, MACs, KexAlgos and more.

It has the following benefits:

  • It has minimal dependencies: ssh_scan uses only native Ruby and BinData to do its work, with no heavy dependencies.
  • It is portable: you can use ssh_scan in another project or to automate tasks.
  • It is easy to use: just point it at an SSH service and get a JSON report of what the service supports and its policy status.
  • It is configurable: you can create your own custom policies that fit your specific policy requirements.

How to Install ssh_scan on Linux

There are three ways to install ssh_scan:

To install and run it as a gem, type:

----------- On Debian/Ubuntu ----------- 
$ sudo apt-get install ruby gem
$ sudo gem install ssh_scan

----------- On CentOS/RHEL ----------- 
# yum install ruby rubygem
# gem install ssh_scan

To run it from a Docker container, type:

# docker pull mozilla/ssh_scan
# docker run -it mozilla/ssh_scan /app/bin/ssh_scan -t github.com

To install and run it from source, type:

# git clone https://github.com/mozilla/ssh_scan.git
# cd ssh_scan
# gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# curl -sSL https://get.rvm.io | bash -s stable
# rvm install 2.3.1
# rvm use 2.3.1
# gem install bundler
# bundle install
# ./bin/ssh_scan

How to Use ssh_scan in Linux

The syntax for using ssh_scan is as follows:

$ ssh_scan -t ip-address
$ ssh_scan -t server-hostname

For example, to scan the SSH configuration and policy of the server 192.168.43.198, enter:

$ ssh_scan -t 192.168.43.198

Note that you can also pass an [IP/Range/Hostname] to the -t option, as shown below:

$ ssh_scan -t 192.168.43.198,200,205
$ ssh_scan -t test.tecmint.lan
I, [2017-05-09T10:36:17.913644 #7145]  INFO -- : You're using the latest version of ssh_scan 0.0.19
[
  {
    "ssh_scan_version": "0.0.19",
    "ip": "192.168.43.198",
    "port": 22,
    "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
    "ssh_version": 2.0,
    "os": "ubuntu",
    "os_cpe": "o:canonical:ubuntu:16.04",
    "ssh_lib": "openssh",
    "ssh_lib_cpe": "a:openssh:openssh:7.2p2",
    "cookie": "68b17bcca652eeaf153ed18877770a38",
    "key_algorithms": [
      "[email ",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "server_host_key_algorithms": [
      "ssh-rsa",
      "rsa-sha2-512",
      "rsa-sha2-256",
      "ecdsa-sha2-nistp256",
      "ssh-ed25519"
    ],
    "encryption_algorithms_client_to_server": [
      "[email ",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email ",
      "[email "
    ],
    "encryption_algorithms_server_to_client": [
      "[email ",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "[email ",
      "[email "
    ],
    "mac_algorithms_client_to_server": [
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "mac_algorithms_server_to_client": [
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "[email ",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "compression_algorithms_client_to_server": [
      "none",
      "[email "
    ],
    "compression_algorithms_server_to_client": [
      "none",
      "[email "
    ],
    "languages_client_to_server": [

    ],
    "languages_server_to_client": [

    ],
    "hostname": "tecmint",
    "auth_methods": [
      "publickey",
      "password"
    ],
    "fingerprints": {
      "rsa": {
        "known_bad": "false",
        "md5": "0e:d0:d7:11:f0:9b:f8:33:9c:ab:26:77:e5:66:9e:f4",
        "sha1": "fc:8d:d5:a1:bf:52:48:a6:7e:f9:a6:2f:af:ca:e2:f0:3a:9a:b7:fa",
        "sha256": "ff:00:b4:a4:40:05:19:27:7c:33:aa:db:a6:96:32:88:8e:bf:05:a1:81:c0:a4:a8:16:01:01:0b:20:37:81:11"
      }
    },
    "start_time": "2017-05-09 10:36:17 +0300",
    "end_time": "2017-05-09 10:36:18 +0300",
    "scan_duration_seconds": 0.221573169,
    "duplicate_host_key_ips": [

    ],
    "compliance": {
      "policy": "Mozilla Modern",
      "compliant": false,
      "recommendations": [
        "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
        "Remove these MAC Algos: [email , [email , [email , hmac-sha1",
        "Remove these Authentication Methods: password"
      ],
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ]
    }
  }
]
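
The JSON report is what makes ssh_scan easy to automate. The following Ruby script is an added example, not part of the original article or of the ssh_scan project: it triages a report like the one above into per-host findings. The sample report is constructed (documentation IP addresses, including one entry with no compliance block), and the function names and the target/status/changes/notes fields are this example's own.

```ruby
require 'json'

# Constructed sample in the shape of the ssh_scan report shown above (not real scan data).
SAMPLE_REPORT = <<~REPORT
  [
    {"ip": "192.0.2.10", "port": 22, "auth_methods": ["publickey", "password"],
     "duplicate_host_key_ips": [],
     "compliance": {"policy": "Mozilla Modern", "compliant": false, "recommendations": [
       "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
       "Remove these MAC Algos: hmac-sha1",
       "Remove these Authentication Methods: password"]}},
    {"ip": "192.0.2.11", "port": 22222, "auth_methods": ["publickey"],
     "duplicate_host_key_ips": ["192.0.2.12"],
     "compliance": {"policy": "Mozilla Modern", "compliant": true, "recommendations": []}},
    {"ip": "192.0.2.13", "port": 22}
  ]
REPORT

# Split "Remove these MAC Algos: a, b" into ["Remove these MAC Algos", ["a", "b"]].
def parse_recommendation(text)
  action, _, items = text.partition(': ')
  [action, items.split(',').map(&:strip).reject(&:empty?)]
end

# One finding per scanned host: policy status, grouped changes, and extra notes.
def triage(report_json)
  JSON.parse(report_json).map do |host|
    compliance = host['compliance']
    changes = Hash.new { |h, k| h[k] = [] }
    Array(compliance && compliance['recommendations']).each do |rec|
      action, items = parse_recommendation(rec)
      changes[action].concat(items)
    end
    notes = []
    notes << 'password authentication offered' if Array(host['auth_methods']).include?('password')
    shared = Array(host['duplicate_host_key_ips'])
    notes << "host key shared with #{shared.join(', ')}" unless shared.empty?
    # A missing compliance block means the policy was never evaluated: not a pass.
    status = if compliance.nil? then :not_evaluated
             elsif compliance['compliant'] then :compliant
             else :non_compliant
             end
    { target: "#{host['ip']}:#{host['port']}", status: status, changes: changes, notes: notes }
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REPORT).each { |f| puts "#{f[:target]}\t#{f[:status]}\t#{f[:notes].join('; ')}" }
end
```

To run it against a real scan, write the report to a file with -o and pass File.read of that file to triage instead of SAMPLE_REPORT.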

You can use -p to specify a different port, -L to enable the logger, and -V to set the verbosity level, as shown below:

$ ssh_scan -t 192.168.43.198 -p 22222 -L ssh-scan.log -V INFO

In addition, you can use a custom policy file (the default is Mozilla Modern) with -P or --policy [FILE], like so:

$ ssh_scan -t 192.168.43.198 -L ssh-scan.log -V INFO -P /path/to/custom/policy/file

Type this to view all ssh_scan usage options and more examples:

$ ssh_scan -h
ssh_scan v0.0.17 (https://github.com/mozilla/ssh_scan)

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log File Path]     Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -V [STD_LOGGING_LEVEL],
        --verbosity
    -v, --version                    Display just version info
    -h, --help                       Show this message

Examples:

  ssh_scan -t 192.168.1.1
  ssh_scan -t server.example.com
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t 192.168.1.1 -p 22222
  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
  ssh_scan -t 192.168.1.1 -P custom_policy.yml
  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml

Check out these other useful articles on SSH servers:

  1. SSH Passwordless Login Using SSH Keygen in 5 Easy Steps
  2. 5 Best Practices to Secure an SSH Server
  3. Restrict SSH User Access to a Certain Directory Using a Chrooted Jail
  4. How to Configure Custom SSH Connections to Simplify Remote Access

For more details, visit the ssh_scan GitHub repository: https://github.com/mozilla/ssh_scan

In this article, we showed you how to set up and use ssh_scan on Linux. Do you know of any similar tools out there? Let us know via the comment form below, along with any other thoughts about this guide.