Skip to main content

SSH

License Apache-2.0GitHub release (latest SemVer)OWASP Incubator ProjectArtifact HUBGitHub Repo starsTwitter Follower

What is SSH_scan?#

SSH_scan is an easy-to-use prototype SSH configuration and policy scanner, inspired by Mozilla OpenSSH Security Guide, which provides a reasonable baseline policy recommendation for SSH configuration parameters such as Ciphers, MACs, and KexAlgos and much more.

To learn more about the ssh_scan scanner itself visit ssh_scan GitHub.

Deployment#

The ssh-scan chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)helm upgrade --install ssh-scan secureCodeBox/ssh-scan

Scanner Configuration#

The following security scan configuration example are based on the ssh_scan Documentation, please take a look at the original documentation for more configuration examples.

ssh_scan v0.0.21 (https://github.com/mozilla/ssh_scan)
Usage: ssh_scan [options]    -t, --target [IP/Range/Hostname] IP/Ranges/Hostname to scan    -f, --file [FilePath]            File Path of the file containing IP/Range/Hostnames to scan    -T, --timeout [seconds]          Timeout per connect after which ssh_scan gives up on the host    -L, --logger [Log File Path]     Enable logger    -O, --from_json [FilePath]       File to read JSON output from    -o, --output [FilePath]          File to write JSON output to    -p, --port [PORT]                Port (Default: 22)    -P, --policy [FILE]              Custom policy file (Default: Mozilla Modern)        --threads [NUMBER]           Number of worker threads (Default: 5)        --fingerprint-db [FILE]      File location of fingerprint database (Default: ./fingerprints.db)        --suppress-update-status     Do not check for updates    -u, --unit-test [FILE]           Throw appropriate exit codes based on compliance status    -V [STD_LOGGING_LEVEL],        --verbosity    -v, --version                    Display just version info    -h, --help                       Show this message
Examples:
  ssh_scan -t 192.168.1.1  ssh_scan -t server.example.com  ssh_scan -t ::1  ssh_scan -t ::1 -T 5  ssh_scan -f hosts.txt  ssh_scan -o output.json  ssh_scan -O output.json -o rescan_output.json  ssh_scan -t 192.168.1.1 -p 22222  ssh_scan -t 192.168.1.1 -p 22222 -L output.log -V INFO  ssh_scan -t 192.168.1.1 -P custom_policy.yml  ssh_scan -t 192.168.1.1 --unit-test -P custom_policy.yml

Requirements#

Kubernetes: >=v1.11.0-0

Values#

KeyTypeDefaultDescription
cascadingRules.enabledbooltrueEnables or disables the installation of the default cascading rules for this scanner
parser.envlist[]Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
parser.image.pullPolicystring"IfNotPresent"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
parser.image.repositorystring"docker.io/securecodebox/parser-ssh-scan"Parser image repository
parser.image.tagstringdefaults to the charts versionParser image tag
parser.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
scanner.activeDeadlineSecondsstringnilThere are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup)
scanner.backoffLimitint3There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
scanner.envlist[]Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scanner.extraContainerslist[]Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scanner.extraVolumeMountslist[]Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.extraVolumeslist[]Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.image.pullPolicystring"IfNotPresent"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
scanner.image.repositorystring"mozilla/ssh_scan"Container Image to run the scan
scanner.image.tagstring"latest@sha256:d6f41c2c328223931b97a4ae5d35d3bb91b5c8d91871ced3d2e0cde06b1edf1f"defaults to the charts appVersion
scanner.nameAppendstringnilappend a string to the default scantype name.
scanner.resourcesobject{}CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scanner.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.securityContext.allowPrivilegeEscalationboolfalseEnsure that users privileges cannot be escalated
scanner.securityContext.capabilities.drop[0]string"all"This drops all linux privileges from the container.
scanner.securityContext.privilegedboolfalseEnsures that the scanner container is not run in privileged mode
scanner.securityContext.readOnlyRootFilesystemboolfalsePrevents write access to the containers file system
scanner.securityContext.runAsNonRootboolfalseEnforces that the scanner image is run as a non root user
scanner.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/

License#

License

Code of secureCodeBox is licensed under the Apache License 2.0.

Examples#

demo-app-ssh#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "ssh-ssh-demo-cluster-internal"spec:  scanType: "ssh-scan"  parameters:    - "-t"    - "dummy-ssh.demo-targets.svc"

example.com#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "ssh-www.example.com"  labels:    company: examplespec:  scanType: "ssh-scan"  parameters:    - "-t"    - www.example.com    - "-p"    - "22222"

localhost#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "ssh-localhost"  labels:    company: localhostspec:  scanType: "ssh-scan"  parameters:    - "-t"    - localhost