ssh-audit

The ssh-audit tool audits SSH server and client configurations within automated security workflows. By analyzing configurations, algorithms, and potential vulnerabilities, it helps strengthen the security posture of SSH communications.

Ideal Use Cases & Fit

This tool excels in scenarios where organizations need to assess the security configurations of SSH access points. It is particularly useful for:

  • Performing regular security checks on SSH servers to identify outdated algorithms and configurations.
  • Validating SSH deployment against industry best practices or compliance policies.
  • Conducting vulnerability assessments during the reconnaissance phase of an engagement.

However, it may not be suitable for scanning non-SSH protocols or environments with non-standard SSH configurations.

Value in Workflows

Integrating ssh-audit into security workflows provides significant value by enabling rapid identification of security weaknesses in SSH implementations at the early reconnaissance stage. It facilitates quick turnaround in the discovery phase and serves as a foundational tool for deeper security assessments. Its outputs can also feed into post-processing stages for comprehensive reporting and remediation planning.

Input Data

The tool accepts input in the form of a file containing newline-separated SSH target entries, formatted as host[:port]. This allows for dynamic scanning of multiple targets in a single run. An example input might look like:

    192.168.1.10:22
    192.168.1.11
    ssh.example.com:2222

The input file is required for executing the tool.

Configuration

  • port: Specifies the default TCP port for targets that do not have an explicit port defined (default is 22).
  • timeout: Sets the timeout value in seconds for connection attempts and read operations (default is 5).
  • policy: Selects a built-in audit policy or gives the path to a custom policy file, enabling tailored compliance checks.
  • ipv4: Controls whether IPv4 is enabled during the scan (default is false).
  • ipv6: Controls whether IPv6 is enabled during the scan (default is false).

These configuration parameters allow for a flexible setup of the tool to meet various auditing requirements and network environments.
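
A pre-flight check for the target file described under Input Data, as an added example that is not part of ssh-audit or of this integration: it parses newline-separated host[:port] entries, applies the default port from the Configuration section, and reports the lines it rejects. The function name, the bracketed `[IPv6]:port` form, the case-insensitive de-duplication and the sample entries are assumptions of this example.

```python
import re

DEFAULT_PORT = 22  # the page's default for the "port" setting

# Assumption of this example: IPv6 literals must be written as [addr][:port],
# because a bare address with colons is ambiguous in host[:port] form.
_BRACKETED = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?::(\d+))?$")
_PLAIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?::(\d+))?$")


def parse_targets(text, default_port=DEFAULT_PORT):
    """Parse newline-separated host[:port] entries.

    Returns (targets, errors): targets is an ordered, de-duplicated list of
    (host, port); errors is a list of (line_number, entry, reason).
    """
    targets, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no target
        m = _BRACKETED.match(entry) or _PLAIN.match(entry)
        if m is None:
            errors.append((lineno, entry, "not in host[:port] form"))
            continue
        host, port_text = m.group(1).lower(), m.group(2)
        port = int(port_text) if port_text else default_port
        if not 1 <= port <= 65535:
            errors.append((lineno, entry, "port out of range"))
            continue
        if (host, port) not in seen:  # scan each endpoint once
            seen.add((host, port))
            targets.append((host, port))
    return targets, errors


# Constructed sample: the page's three entries plus a duplicate, a bracketed
# IPv6 literal and three malformed lines.
SAMPLE = """192.168.1.10:22
192.168.1.11
ssh.example.com:2222
SSH.example.com:2222
[2001:db8::10]:2222
192.168.1.12:70000
user@192.168.1.13
192.168.1.14 22
"""

if __name__ == "__main__":
    ok, bad = parse_targets(SAMPLE)
    print("\n".join(f"{h}:{p}" for h, p in ok))
    print("\n".join(f"line {n}: rejected {e!r} ({why})" for n, e, why in bad))
```

Rejecting a malformed line before the run keeps a typo from silently dropping a host from the audit scope or pointing the scan at the wrong port.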