Ensure your SSH server is secure with SSH Check
SSH servers are a very different story, however. While I've blogged about them before, I mainly focused on preventing unauthorised access to a server by methods such as password cracking attacks.
Now that I'm coming to the end of my MSc in Security and Distributed Computing, however, I've realised there's a crucial element missing here: the security of the connection itself. HTTPS isn't the only protocol with a complicated set of supported cipher suites that need configuring correctly.
The solution here is to check the SSH server in the same way that we do for an HTTPS web server. For this we need a tool to do the checking for us and tell us what's good and what's not about our configuration - which is where SSH Check comes in.
I discovered it recently, and it pretends to connect to an SSH server to gauge its configuration - after which it quickly disconnects before the remote server asks it for credentials to log in.
Because SSH allows for every stage of the encryption process to be configured individually, SSH Check tests 4 main areas:
- The key exchange algorithm (the algorithm used to exchange the secret key for symmetric encryption going forwards)
- The algorithms used in the server's host SSH keys (the key whose ID is shown to you when you connect asking you if you want to continue)
- The encryption algorithm (the symmetrical encryption algorithm used after key exchange)
- The MAC algorithm (the Message Authentication Code algorithm - used to ensure integrity of messages)
It displays whether each algorithm is considered safe or not, and which ones are widely considered to be either deprecated or to contain backdoors. It also displays the technical name of each one so that you can easily reconfigure your SSH server to disable unsafe algorithms, which is nice (good luck deciphering the SSL Labs encryption algorithms list and matching it up to the list already configured in your web server...).
It also presents a bunch of other interesting information, which is nice. It identified a number of potential issues with the way that I had SSH set up for starbeamrainbowlabs.com along with some suggested improvements, which I've now fixed.
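All four areas are advertised by the server in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1), which is sent before any authentication happens. The following is an added example, not SSH Check's own code: it parses such a payload and lists the weak algorithms per area. The `WEAK` denylist and the sample payload are assumptions constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number, RFC 4253 section 7.1
# The ten name-lists, in wire order; the first six cover the four areas above.
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_algorithms_client_to_server",
          "encryption_algorithms_server_to_client",
          "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
          "compression_algorithms_client_to_server",
          "compression_algorithms_server_to_client",
          "languages_client_to_server", "languages_server_to_client"]
# Illustrative denylist: an assumption for this example, not SSH Check's ratings.
WEAK = {"diffie-hellman-group1-sha1", "ssh-dss", "3des-cbc", "arcfour", "hmac-md5"}

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip the message type (1 byte) and random cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (n,) = struct.unpack_from(">I", payload, pos)  # uint32 name-list length
        pos += 4
        if pos + n > len(payload):
            raise ValueError(f"name-list {field} overruns the payload")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def weak_offers(parsed: dict) -> dict:
    """Return {field: [weak algorithms]} for key exchange, host key, cipher and MAC."""
    hits = {f: [a for a in parsed[f] if a in WEAK] for f in FIELDS[:6]}
    return {f: algs for f, algs in hits.items() if algs}

def build_kexinit(lists: list) -> bytes:
    """Build a constructed test payload (sample data, not a captured packet)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zeroed cookie
    for names in lists:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

SAMPLE = build_kexinit([["curve25519-sha256", "diffie-hellman-group1-sha1"],
    ["ssh-ed25519", "ssh-dss"],
    ["aes256-ctr", "3des-cbc"], ["aes256-ctr", "3des-cbc"],
    ["hmac-sha2-256", "hmac-md5"], ["hmac-sha2-256", "hmac-md5"],
    ["none"], ["none"], [], []])
```

The field names that come back match the technical names a report like this shows, so each flagged entry can be removed from the corresponding list in the server's configuration.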
If you have a server that you access via SSH, I recommend checking it with SSH Check - especially if you expose SSH publicly over the Internet.
Found this interesting? Got another testing tool you'd like to share? Comment below!