DEPRECATED - A prototype SSH configuration and policy scanner (Blog: https://mozilla.github.io/ssh_scan/)
dependabot[bot] 2f6fc225d3
Update bindata requirement from = 2.4.3 to = 2.4.10
Updates the requirements on [bindata](https://github.com/dmendel/bindata) to permit the latest version.
- [Release notes](https://github.com/dmendel/bindata/releases)
- [Changelog](https://github.com/dmendel/bindata/blob/master/ChangeLog.rdoc)
- [Commits](https://github.com/dmendel/bindata/compare/v2.4.3...v2.4.10)

---
updated-dependencies:
- dependency-name: bindata
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-23 21:52:43 +00:00
.github Fix build tags 2021-05-21 12:18:05 -04:00
bin Restore path setting magic 2021-05-20 10:23:47 -04:00
config/policies Add custom policy example for just etm macs 2020-01-10 09:31:49 -05:00
data Add ssh-badkey detection 2017-03-21 00:51:32 -04:00
examples Update github example and README update 2017-05-26 01:01:10 -04:00
lib Bump to 44 2021-05-20 10:41:50 -04:00
scripts Fixes a few spelling mistakes 2017-03-24 11:17:14 +00:00
spec Stop using GitHub as SSH integration test target 2021-05-21 11:26:53 -04:00
.gitignore Add Gemfile.lock and explicit upper bound on net-ssh for the time being 2018-06-27 15:23:09 -04:00
.gitmodules Migrate submodules URL to https to work in GitHub actions 2021-05-21 11:07:07 -04:00
.rspec Use proper Ruby project layout 2016-02-16 15:27:53 -05:00
.rubocop.yml rubocop: add linter and travis integration 2016-11-03 20:27:44 +05:30
.rubocop_todo.yml Clean up rubocop style exceptions 2016-12-02 14:21:36 -05:00
CODE_OF_CONDUCT.md Add Mozilla Code of Conduct file 2019-03-29 10:10:37 -07:00
CONTRIBUTING.md Contributing : Use HTTPS links 2019-04-12 12:06:52 +02:00
Dockerfile Make slight adjustments to docker strategy 2021-05-21 11:20:17 -04:00
Gemfile Add coveralls 2017-01-12 12:08:55 +05:30
Gemfile.lock Update bindata requirement from = 2.4.3 to = 2.4.10 2022-01-23 21:52:43 +00:00
LICENSE Add LICENSE 2017-04-19 22:12:42 -04:00
README.md Add deprecation notice 2022-01-10 15:04:53 -05:00
Rakefile Remove unused packaging logic 2021-05-20 13:55:45 -04:00
ssh_scan.gemspec Update bindata requirement from = 2.4.3 to = 2.4.10 2022-01-23 21:52:43 +00:00

README.md

ssh_scan


An SSH configuration and policy scanner

⚠️ Deprecation Notice ⚠️

Mozilla is no longer maintaining the Mozilla Enterprise Defense Platform (MozDef) project.

Please fork it to continue development.

Key Benefits

  • Minimal Dependencies - Uses native Ruby and BinData to do its work, no heavy dependencies.
  • Not Just a Script - Implementation is portable for use in another project or for automation of tasks.
  • Simple - Just point ssh_scan at an SSH service and get a JSON report of what it supports and its policy status.
  • Configurable - Make your own custom policies that fit your unique policy requirements.
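
One way a scanner can learn what an SSH service supports and judge it against a policy, shown as an added example in plain Ruby (this is not ssh_scan's own code): parse the server's SSH_MSG_KEXINIT payload as laid out in RFC 4253 and list any offered algorithm outside an allow-list. The field names, the `POLICY` values and the `SAMPLE` payload are constructed for this example; they are not Mozilla's policy or the project's policy file format.

```ruby
# Added example (not ssh_scan code): parse an SSH_MSG_KEXINIT payload
# (RFC 4253, section 7.1) and check the offered algorithms against a policy.
KEXINIT_FIELDS = %i[kex host_key enc_c2s enc_s2c mac_c2s mac_s2c
                    comp_c2s comp_s2c lang_c2s lang_s2c].freeze

# Hypothetical allow-list, constructed for this example (not Mozilla's policy).
POLICY = {
  kex:     %w[curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256],
  enc_s2c: %w[chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes256-ctr],
  mac_s2c: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com]
}.freeze

# Encode an SSH name-list: uint32 length, then comma-separated names.
def name_list(names)
  body = names.join(',')
  [body.bytesize].pack('N') + body
end

# Return { field => [algorithm, ...] } for the ten name-lists in the payload.
def parse_kexinit(payload)
  raise ArgumentError, 'not SSH_MSG_KEXINIT' unless payload.getbyte(0) == 20
  offset = 17 # 1-byte message type + 16-byte cookie
  KEXINIT_FIELDS.each_with_object({}) do |field, out|
    len = payload.byteslice(offset, 4)&.unpack1('N')
    raise ArgumentError, "truncated at #{field}" if len.nil? || offset + 4 + len > payload.bytesize
    names = payload.byteslice(offset + 4, len).force_encoding(Encoding::UTF_8)
    out[field] = names.split(',')
    offset += 4 + len
  end
end

# Return { field => [offered algorithms that the policy does not allow] }.
def evaluate(offered, policy = POLICY)
  policy.each_with_object({}) do |(field, allowed), out|
    extra = offered.fetch(field) - allowed
    out[field] = extra unless extra.empty?
  end
end

# Constructed sample: a server that still offers some legacy algorithms.
SAMPLE = (20.chr + "\0" * 16).b + [
  %w[curve25519-sha256@libssh.org diffie-hellman-group1-sha1],
  %w[ssh-ed25519 ssh-rsa], %w[aes256-ctr], %w[aes256-ctr 3des-cbc],
  %w[hmac-sha2-256-etm@openssh.com],
  %w[hmac-sha2-256-etm@openssh.com hmac-md5], %w[none], %w[none], [], []
].map { |list| name_list(list) }.join + "\0".b * 5 # flag byte + reserved uint32

p evaluate(parse_kexinit(SAMPLE)) if $PROGRAM_NAME == __FILE__
```

An empty result from `evaluate` means every offered algorithm in the checked fields is on the allow-list.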

Setup

To install and run as a gem, type:

gem install ssh_scan
ssh_scan

To run from a docker container, type:

docker pull mozilla/ssh_scan
docker run -it mozilla/ssh_scan -t sshscan.rubidus.com

To install and run from source, type:

# clone repo
git clone https://github.com/mozilla/ssh_scan.git
cd ssh_scan

gem install bundler
bundle install

./bin/ssh_scan

Example Command-Line Usage

Run ssh_scan -h to get this:

ssh_scan v0.0.21 (https://github.com/mozilla/ssh_scan)

Usage: ssh_scan [options]
    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan
    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan
    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host
    -L, --logger [Log File Path]     Enable logger
    -O, --from_json [FilePath]       File to read JSON output from
    -o, --output [FilePath]          File to write JSON output to
    -p, --port [PORT]                Port (Default: 22)
    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)
        --threads [NUMBER]           Number of worker threads (Default: 5)
        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)
        --suppress-update-status     Do not check for updates
    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status
    -V [STD_LOGGING_LEVEL],
        --verbosity
    -v, --version                    Display just version info
    -h, --help                       Show this message

Examples:

  ssh_scan -t 192.168.1.1
  ssh_scan -t server.example.com
  ssh_scan -t ::1
  ssh_scan -t ::1 -T 5
  ssh_scan -f hosts.txt
  ssh_scan -o output.json
  ssh_scan -O output.json -o rescan_output.json
  ssh_scan -t 192.168.1.1 -p 22222
  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO
  ssh_scan -t 192.168.1.1 -P custom_policy.yml
  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml

ssh_scan as a service/api?

This project is solely for ssh_scan engine/command-line usage.

If you would like to run ssh_scan as a service, please refer to the ssh_scan_api project.

Rubies Supported

This project is integrated with travis-ci and is regularly tested to work with multiple rubies.

To check out the current build status for these rubies, click here.

Contributing

If you are interested in contributing to this project, please see CONTRIBUTING.md.

Credits

Sources of Inspiration for ssh_scan

  • Mozilla OpenSSH Security Guide - For providing a sane baseline policy recommendation for SSH configuration parameters (e.g. Ciphers, MACs, and KexAlgos).