mirror of https://github.com/jtesta/ssh-audit.git synced 2024-06-30 19:24:46 +02:00

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

auditing security ssh

Go to file

Andris Raugulis fabb4b5bb2 Add static typing and refactor code to pass all mypy checks. Move Python compatibility types to first lines of code. Add Python (text/byte) compatibility helper functions. Check for SSH banner ASCII validity.		2016-10-19 20:47:13 +03:00
test	Handle the case when received data is in wrong encoding (not utf-8).	2016-10-18 09:45:03 +03:00
.gitignore	Init project.	2015-12-23 04:56:13 +02:00
.travis.yml	Coveralls should be installed.	2016-10-10 13:07:52 +03:00
README.md	Set the release date.	2016-10-14 08:55:29 +03:00
ssh-audit.py	Add static typing and refactor code to pass all mypy checks.	2016-10-19 20:47:13 +03:00

README.md

ssh-audit

ssh-audit is a tool for ssh server auditing.

Features

SSH1 and SSH2 protocol server support;
grab banner, recognize device or software and operating system, detect compression;
gather key-exchange, host-key, encryption and message authentication code algorithms;
output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
output algorithm recommendations (append or remove based on recognized software version);
output security information (related issues, assigned CVE list, etc);
analyze SSH version compatibility based on algorithm information;
historical information from OpenSSH, Dropbear SSH and libssh;
no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;

Usage

usage: ssh-audit.py [-bnv] [-l <level>] <host[:port]>

   -1,  --ssh1             force ssh version 1 only
   -2,  --ssh2             force ssh version 2 only
   -b,  --batch            batch output
   -n,  --no-colors        disable colors
   -v,  --verbose          verbose output
   -l,  --level=<level>    minimum output level (info|warn|fail)

batch flag -b will output sections without header and without empty lines (implies verbose flag).
verbose flag -v will prefix each line with section type and algorithm name.

example

ChangeLog

v1.6.0 (2016-10-14)

implement algorithm recommendations section (based on recognized software)
implement full libssh support (version history, algorithms, security, etc)
fix SSH-1.99 banner recognition and version comparison functionality
do not output empty algorithms (happens for misconfigured servers)
make consistent output for Python 3.x versions
add a lot more tests (conf, banner, software, SSH1/SSH2, output, etc)
use Travis CI to test for multiple Python versions (2.6-3.5, pypy, pypy3)

v1.5.0 (2016-09-20)

create security section for related security information
match and output assigned CVE list and security issues for Dropbear SSH
implement full SSH1 support with fingerprint information
automatically fallback to SSH1 on protocol mismatch
add new options to force SSH1 or SSH2 (both allowed by default)
parse banner information and convert it to specific sofware and OS version
do not use padding in batch mode
several fixes (Cisco sshd, rare hangs, error handling, etc)

v1.0.20160902

implement batch output option
implement minimum output level option
fix compatibility with Python 2.6

v1.0.20160812

implement SSH version compatibility feature
fix wrong mac algorithm warning
fix Dropbear SSH version typo
parse pre-banner header
better errors handling

v1.0.20160803

use OpenSSH 7.3 banner
add new key-exchange algorithms

v1.0.20160207

use OpenSSH 7.2 banner
additional warnings for OpenSSH 7.2
fix OpenSSH 7.0 failure messages
add rijndael-cbc failure message from OpenSSH 6.7

v1.0.20160105

multiple additional warnings
support for none algorithm
better compression handling
ensure reading enough data (fixes few Linux SSH)

v1.0.20151230

Dropbear SSH support

v1.0.20151223

initial version