SSH Auditor

Features

ssh-auditor will automatically:

Re-check all known hosts as new credentials are added. It will only check the new credentials.
Queue a full credential scan on any new host discovered.
Queue a full credential scan on any known host whose ssh version or key fingerprint changes.
Attempt command execution as well as attempt to tunnel a TCP connection.
Re-check each credential using a per credential scan_interval - default 14 days.

It's designed so that you can run ssh-auditor discover + ssh-auditor scan
from cron every hour to to perform a constant audit.

Demos

Earlier demo showing all of the features

Demo showing improved log output

Usage

Install

$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor

or Build from a git clone

$ go build

Build a static binary including sqlite

$ make static

Ensure you can use enough file descriptors

$ ulimit -n 4096

Create initial database and discover ssh servers

$ ./ssh-auditor discover -p 22 -p 2222 192.168.1.0/24 10.0.0.1/24

Add credential pairs to check

$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 #check this once per day

Try credentials against discovered hosts in a batch of 20000

$ ./ssh-auditor scan

Output a report on what credentials worked

$ ./ssh-auditor vuln

RE-Check credentials that worked

$ ./ssh-auditor rescan

Output a report on duplicate key usage

$ ./ssh-auditor dupes

TODO

update the 'host changes' table
handle false positives from devices that don't use ssh password authentication but instead use the shell to do it.
variable re-check times - each credential has a scan_interval in days
better support non-standard ports - discover is the only thing that needs to be updated, the rest doesn't care.
possibly daemonize and add an api that bro could hook into to kick off a discover as soon as a new SSH server is detected.
make the store pluggable (mysql, postgresql).
differentiate between a failed password attempt and a failed connection or timeout. Mostly done. Things like fail2ban complicate this.
add go implementations for the report sqlite3 command.

Report query.

This query that ssh-auditor vuln runs is

select
        hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version
 from
        host_creds hc, hosts h
 where
        h.hostport = hc.hostport
 and    result!='' order by last_tested asc

Name With Owner	ncsa/ssh-auditor
Primary Language	Go
Program language	Go (Language Count: 3)
Platform
License:	Other

Created At	2016-11-08 22:47:38
Pushed At	2023-12-18 21:46:18
Last Commit At	2021-06-23 20:39:29
Release Count	17
Last Release Name	v0.18 (Posted on )
First Release Name	v0.2 (Posted on )

Stargazers Count	611
Watchers Count	26
Fork Count	84
Commits Count	185
Has Issues Enabled
Issues Count	9
Issue Open Count	3
Pull Requests Count	2
Pull Requests Open Count	2
Pull Requests Close Count	1

Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private

ssh-auditor

Github stars Tracking Chart