본문 바로가기
[IT 관련 지식]/[Security]

ssh 보안 점검툴 ssh-audit

by 판톰 2021. 1. 24.
반응형

ssh 보안 점검툴 ssh-audit

Dropbear ,  openssh 의 취약점 점검 툴 입니다.

ssh의 경우 cipher , key, MAC 알고리즘  관련 취약점 보고가 간혹 있어, 서버 상에 동작되는 ssh 서버데몬의 cipher , key, MAC 알고리즘 설정 현황 및 버전에 대한 취약점을 간단하게 확인 할수 있는 점검 툴 입니다. 

 

1.우분투에 다음과 같이 git clone 수행
sudo apt-get install git
git clone https://github.com/arthepsy/ssh-audit.git 

 

arthepsy/ssh-audit

SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) - arthepsy/ssh-audit

github.com

 

 

2.cd ssh-audit 디렉토리 이동.

 

3. 테스트 방법
python ssh-audit.py A.B.C.D:PortNumber

 

4.점검 툴 수행 결과

ubuntu@ubuntu-VirtualBox:~/ssh-audit$ python ssh-audit.py 10.101.10.253:22
general
(gen) banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
(gen) software: OpenSSH 7.2p2
(gen) compatibility: OpenSSH 7.2+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

key exchange algorithms

(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves

  • [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves
  • [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)- [info] available since OpenSSH 4.4
    (kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm
    `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53

host-key algorithms

(key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves

  • [warn] using weak random number generator could reveal the key- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ssh-ed25519 -- [info] available since OpenSSH 6.5

encryption algorithms (ciphers)

(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2

message authentication code algorithms

(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size

  • [info] available since OpenSSH 6.2 (mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha1-etm@openssh.com -- [warn] using weak hashing algorithm- [info] available since OpenSSH 6.2
    (mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
  • [warn] using small 64-bit tag size- [info] available since OpenSSH 4.7
    (mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
  • [info] available since OpenSSH 6.2 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
  • [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode- [warn] using weak hashing algorithm
    `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28

algorithm recommendations (for OpenSSH 7.2)

(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -umac-64@openssh.com -- mac algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com -- mac algorithm to remove

 

 

 해당 툴로는  Dropbear ,  openssh 보안 점검 수행 가능 합니다.

 nmap의 경의 openssh 만 지원.

반응형
저작자표시 동일조건

'[IT 관련 지식] > [Security]' 카테고리의 다른 글

ssh 보안 취약점 점검 Nmap  (0) 2021.01.25
TMS / ESM  (0) 2014.09.03
SSH Brute-force 공격  (0) 2014.09.01
iptables 시간 정책  (0) 2014.08.16
패킷 생성툴 NPING  (0) 2014.05.14

관련글

티스토리툴바