Created
August 25, 2016 10:18
Quick little script to rattle through a sshd_config file and make recommendations
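#! /usr/bin/perl -w
# EDW
# Quick little script to rattle through a sshd_config file and make recommendations
#
# Usage: <script> [path/to/sshd_config]
#   With no argument (or more than one) /etc/ssh/sshd_config is analysed.
#
# Scope and limits of the analysis:
#   - This is a line-by-line pattern match, not a configuration parser.  It
#     does not follow Include directives or evaluate Match blocks, so it can
#     disagree with the daemon's effective settings.  Compare against the
#     output of `sshd -T` before acting on a finding.
#   - The per-line checks deliberately look at commented-out lines as well,
#     because a stock sshd_config documents its defaults as comments.
#     NOTE(review): a commented default only reflects the running daemon if
#     the installed OpenSSH version still uses that default - confirm.
#   - Several directives checked here (UseLogin, UsePrivilegeSeparation) were
#     deprecated or removed in newer OpenSSH releases; on such systems the
#     matching finding does not apply.
use strict;
use warnings;

if ($^O eq "MSWin32") { print "Windows....really....use *nix\n"; exit; }

# Flush prompts immediately so the text printed before each sleep is visible.
$| = 1;

my $file = "/etc/ssh/sshd_config";
my $line = "=" x 50;

if ($#ARGV != 0) {
    print "No paramater file supplied......"; sleep(2);
    print "using ", $file, "\n"; sleep(1); sleep(4);
    $ARGV[0] = $file;
}
my $path = $ARGV[0];

# Three-argument open with an explicit read mode: the path comes from the
# command line, and the two-argument form would let characters such as a
# leading '>' or a trailing '|' change what open() does.
open(my $sshd_fh, '<', $path) || die("Couldnt open $path\n");
my @sshd = <$sshd_fh>;

# stat the handle that was actually read, so the permission report cannot
# refer to a different file than the one analysed.
my $mode = (stat($sshd_fh))[2];
close($sshd_fh);

system("clear");
print "\nAnalysis of $path starting.....\n\n";
sleep(1); #keep the suspense going....
print "$line\nThe Following Issues Have Been Identified:\n$line\n";

# 0100644 = regular file, rw-r--r-- (the value 33188 in decimal).
# NOTE(review): hardening baselines commonly ask for 0600 owned by root; this
# check keeps the author's 0644 expectation and will also report a stricter
# mode as a deviation.
if (!defined $mode) {
    print "[-] Could not read permissions for $path\n";
}
elsif ($mode != 0100644) {
    # The path is passed as an argument, never interpolated into the format,
    # so a '%' in the file name cannot be read as a conversion.
    printf "[-] Permissions for %s are %04o\n\t - they should be 0644\n",
        $path, $mode & 07777;
}

# Pattern => finding.  Keyword and value may be separated by any run of
# whitespace in sshd_config, hence \s+; \b stops "Port 22" matching "Port 2222"
# and "no" matching "none".
my @checks = (
    [ qr/^#\s*Banner\b/i,                   "Banner Not Configured" ],
    [ qr/PasswordAuthentication\s+yes\b/i,  "Tunnelled Clear Text Passwords Allowed" ],
    [ qr/LogLevel\s+INFO\b/i,               "Log Level set to default - consider VERBOSE" ],
    [ qr/Port\s+22\b/i,                     "Default ssh Port Number (22) Found" ],
    # [ qr/Protocol\s+1/i,                  "Protocol 1 Found" ],
    [ qr/PermitRootLogin\s+yes\b/i,         "Root Login Possible" ],
    [ qr/StrictModes\s+no\b/i,              "Strict Modes Set To No" ],
    [ qr/PermitEmptyPasswords\s+yes\b/i,    "Empty Passwords Enabled" ],
    [ qr/PubkeyAuthentication\s+no\b/i,     "Public Key Authentication Not Enabled" ],
    [ qr/X11Forwarding\s+yes\b/i,           "X11 Forwarding Enabled" ],
    [ qr/PrintMotd\s+no\b/i,                "Message Of The Day Not Enabled" ],
    [ qr/PrintLastLog\s+no\b/i,             "Last Log-In Not Printed To Console" ],
    [ qr/UseLogin\s+yes\b/i,                "UseLogin Allowed" ],
    [ qr/HostBasedAuthentication\s+yes\b/i, "Host Based Authentication Enabled" ],
    [ qr/IgnoreRhosts\s+no\b/i,             "Rhosts Are Not Ignored" ],
    [ qr/TCPKeepAlive\s+no\b/i,             "TCPKeepAlive Not Defined" ],
    [ qr/LoginGraceTime\s+120\b/i,          "Login Grace Time Set To Default Value (120 Seconds)" ],
    [ qr/UsePAM\s+yes\b/i,                  "Using PAM" ],
);

for my $idx (0 .. $#sshd) {
    my $entry = $sshd[$idx];
    my $n     = $idx + 1;    # 1-based line number shown in each finding

    for my $check (@checks) {
        my ($pattern, $finding) = @{$check};
        print "[+] ($n) $finding\n" if $entry =~ $pattern;
    }

    # Report the wildcard address as written (with its optional :port) instead
    # of slicing a fixed number of characters off the end of the line.
    if ($entry =~ /ListenAddress\s+(0\.0\.0\.0(?::\d+)?)/i) {
        print "[+] ($n) Listener Bound To Default Value $1\n";
    }

    # Active AcceptEnv lines are echoed so the accepted variable names can be
    # reviewed by hand.
    if ($entry =~ m/^\s*AcceptEnv\b/i) {
        print "[-] ($n) Accept Environmental Variable: \n";
        print "\t- $entry";
    }
}

print "$line\nAdvanced Checks\n$line\n";

# Directives that are expected to be set explicitly.  Only active lines count:
# a commented-out "#AllowUsers ..." restricts nobody, so reporting it as
# "Defined" would hide the finding.
my @list = ("AllowUsers", "MaxAuthTries", "AddressFamily", "ClientAliveInterval",
            "ClientAliveCountMax", "UsePrivilegeSeparation");
for my $item (@list) {
    my @active = grep { /^\s*\Q$item\E\b/i } @sshd;
    if (!@active) {
        print "[+] No $item Defined\n";
    }
    else {
        print "[-] $item Defined:\n\t- @active";
    }
}

# Format the finish time in-process rather than shelling out to date(1).
my ($sec, $min, $hour) = localtime;
my $d = sprintf "%02d:%02d:%02d", $hour, $min, $sec;
print "$line\nFinished at $d - Diolch SLM a CAB!\n$line\n";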