ssh-audit Primer - Audit your SSH Server

2024/08/28

As the name already implies,ssh-audit helps you to audit SSH clients and servers. It is lightweight, open-source, supports both versions of SSH and is available for Linux and Windows.

In this article we’ll use Linux on both sides.

The Basics

After installation, the basic syntax of an audit is ssh-audit DESTINATION. By default it uses the standard SSH port 22 - to change the port, simply add it to the destination DESTINATION:2222.

On the left, it starts with the referenced information, categorizes it with [info],[warn] and other labels and adds a short description on the right.

It has many sections - starting with various information about key, cipher and algorithms information and information about the fingerprint, recommendations and additional information at the end.

General options

Force a certain SSH version:
-1, --ssh1
-2, --ssh2
Choose an Internet Protocol Version:
-4, --ipv4
-6, --ipv6
Removes the colors in the terminal:
-n, --no-colors
For a more detailed output:
-v, --verbose
-d, --debug
In particular, the debug option is useful if you need to troubleshoot a connection or want the raw data.

Batch Audit of multiple Servers

Especially in larger environments, it makes sense to work with the following options if you want to automate processes.

Target list of hosts from file

Create a simple list of hosts:

cat ssh-servers.txt 
10.10.50.50:22
10.20.30.40:22

Now you can use the -T, --targets=<hosts.txt> options to run through the list of hosts:

ssh-audit -T ssh-servers.txt

There are some options that might be helpful:

Add a timeout in case a host is unavailable so the run can continue:
-t, --timeout=<secs>
Set the minimum output level for the logs:
-l, --level=<level> # (info|warn|fail)
Formatting the results in JSON:
-j, --json
This options removes a lot of formatting and empty lines which makes it easier to work with the results:
-b, --batch

Saving Results to file

Simply redirect the results into a new file with >, append to a file with >> or pipe it to tee when you need to display the results at the same time.

ssh-audit -T ssh-servers.txt > ssh-servers-results.txt

Work with Policy Sets

You can create custom policy sets and test against them. This is helpful if you have a standard that you want to enforce and audit your environment against.

Let’s say you already have a hardened SSH server that you want to use as a reference. Use -M, --make-policy=reference-policy-ssh.txt to create a reference policy set that you can use later.

ssh-audit -M reference-policy-ssh.txt 10.10.50.51

Wrote policy to reference-policy.txt.  Customize as necessary, then run a policy scan with -P option.

You then can use -P, --policy=reference-policy-ssh.txt to run the reference policy against another server:

ssh-audit -P reference-policy-ssh.txt 10.10.50.50

Host:   10.10.50.50
Policy: Custom Policy (based on 10.10.50.50 on 2024/08/28) (version 1)
Result: ✔ Passed

Deviations will be listed and you can make changes accordingly.

The policy file looks like thi:

 cat reference-policy-ssh.txt                                                                                                                         
# Custom policy based on 10.10.50.51 (created on 2024/08/28)                                                                                         
# The name of this policy (displayed in the output during scans).  Must be in quotes.                                                                       
name = "Custom Policy (based on 10.10.50.51 on 2024/08/28)"                                                                                            
# The version of this policy (displayed in the output during scans).  Not parsed, and may be any value, including strings.                                  
version = 1                                                                                                                                             
# When false, host keys, kex, ciphers, and MAC lists must match exactly.  When true, the target host may support a subset of the specified algorithms and/or
 algorithms may appear in a different order; this feature is useful for specifying a baseline and allowing some hosts the option to implement stricter contr
ols.
allow_algorithm_subset_and_reordering = false

{...}


Most recent Articles:
  • Notice Board 003: Progress is Progress
  • How to: Cisco ISE backup to SFTP repository with public key authentication
  • Dummy IP & MAC Addresses for Documentation & Sanitization
  • Deploying ISSO Commenting System for Static Content using Docker
  • Generate a Vanity v3 Hidden Service Onion Address with mkp224o