Tool: OpenSSHd Security Configuration Checker
Tool: Automated Check of the SSH Server Configuration
One of our services is reviewing the server configuration of various services at customer sites for security problems. For OpenSSH this can be partly automated, and this tool grew out of that work:
    ./sshdcc -dc 'sudo sshd -f /dev/null -T'
    ------------------------------------------------------------------------------
    This is OpenSSHd Security Config Checker 0.1
     - (c) 2018 SektionEins GmbH / Ben Fuhrmannek - https://sektioneins.de/
     - download -> https://github.com/sektioneins/sshdcc
    running on Darwin 17.6.0 x86_64 with Tcl 8.6 with TTY
    started at 2018-07-03 13:54:50
    ------------------------------------------------------------------------------
    additional live system checks are enabled
    loading defaults from command sudo sshd -f /dev/null -T
    Password: <enter your password for sudo here>
    scanning file /etc/ssh/sshd_config

    ## RESULTS ##

    (1) [WARNING] login via any authentication method is allowed
      #> SYSTEM DEFAULT: authenticationmethods any
      It is usually a good idea to restrict authentication methods to those actually required, e.g. 'publickey'. Please change this setting.

    (2) [NOTICE] using default cipher list
      #> SYSTEM DEFAULT: ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
      Depending on the version, SSH's default cipher list may contain really old ciphers, likely for compatibility with older versions. Try 'ssh -Q cipher' and choose current and secure ciphers as suitable.

    (3) [NOTICE] login via password is allowed
      #> SYSTEM DEFAULT: passwordauthentication yes
      Public key based authentication methods are considered much more secure. Unless your configuration contains some kind of one-time-password, e.g. via PAM, this setting should be changed to 'no'.

    (4) [NOTICE] extra environment variable accepted by pattern: LANG
      #> LINE 108: AcceptEnv LANG LC_*
      The default is not to accept any environment variables. Please make sure, that this variable pattern is actually required.

    (5) [NOTICE] extra environment variable accepted by pattern: LC_*
      #> LINE 108: AcceptEnv LANG LC_*
      The default is not to accept any environment variables. Please make sure, that this variable pattern is actually required.

    (6) [INFO] using default list of algorithms
      #> SYSTEM DEFAULT: pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
      The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

    (7) [INFO] using default list of algorithms
      #> SYSTEM DEFAULT: hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
      The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

    (8) [INFO] using default list of algorithms
      #> SYSTEM DEFAULT: hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
      The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

    (9) [INFO] using default list of key exchange algorithms
      #> SYSTEM DEFAULT: kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
      The default may be perfectly fine for you. Otherwise, please check 'ssh -Q kex' for a list of available algorithms.

    (10) [INFO] using default list of MAC algorithms
      #> SYSTEM DEFAULT: macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
      This is most likely ok. Check out 'ssh -Q mac' for a list of available algorithms to choose from.

    done.
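The run above loads the effective configuration from `sudo sshd -f /dev/null -T`, which prints one lowercase `key value` line per option. As an added illustration (not sshdcc's own code, which is written in Tcl), the following Python script parses such output and reproduces a few of the checks shown in the results; the sample input is constructed inline from the values in the run above, and the list of legacy MACs it flags is the example's own assumption.

```python
"""Added example: a minimal checker over `sshd -T` output (not part of sshdcc)."""
import subprocess

# Constructed sample of `sshd -T` output; values mirror the run shown above.
# sshd prints repeated options such as acceptenv as separate lines.
SAMPLE_SSHD_T = """\
authenticationmethods any
passwordauthentication yes
permitrootlogin prohibit-password
acceptenv LANG
acceptenv LC_*
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1
"""

# Assumption of this example: MACs considered legacy and worth a notice.
LEGACY_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


def parse_sshd_t(text):
    """Parse `sshd -T` output into {key: [value, ...]}; keys are lowercased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue
        key, value = line.split(" ", 1)
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def check(cfg):
    """Return (severity, message) tuples in the spirit of sshdcc's results."""
    findings = []
    if "any" in cfg.get("authenticationmethods", ["any"]):
        findings.append(("WARNING", "login via any authentication method is allowed"))
    if cfg.get("passwordauthentication", ["yes"])[0] == "yes":
        findings.append(("NOTICE", "login via password is allowed"))
    if cfg.get("permitrootlogin", ["no"])[0] == "yes":
        findings.append(("WARNING", "root login with any method is permitted"))
    for pattern in cfg.get("acceptenv", []):
        findings.append(("NOTICE", f"extra environment variable accepted by pattern: {pattern}"))
    for mac in cfg.get("macs", [""])[0].split(","):
        if mac in LEGACY_MACS:
            findings.append(("NOTICE", f"legacy MAC enabled: {mac}"))
    return findings


def check_live():
    """Run `sshd -T` on this host (needs root) and check the live configuration."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return check(parse_sshd_t(out))


if __name__ == "__main__":
    for severity, message in check(parse_sshd_t(SAMPLE_SSHD_T)):
        print(f"[{severity}] {message}")
```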
Features
Online and offline mode (for analysis on a live system or from configuration files)
Colour-coded result list
CSV export for easy further processing
Checks for common configuration mistakes
Checks restrictions inside Match blocks
Results include a risk indicator, a description, a recommendation and the examined line of the configuration.
Download
The complete source code can be found on GitHub.