I followed the Mozilla SSH guidelines[0] modern configuration, and it turned out pretty good on this tool.<p>[0] <a href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH" rel="nofollow">https://wiki.mozilla.org/Security/Guidelines/OpenSSH</a>
There are a couple of strange things here.<p>It lists Oakley group 14 as insecure with no justification. That's a 2048-bit Diffie-Hellman group and it should be totally fine.<p>It also lists hmac-sha1 as problematic, although in HMAC the weaknesses of SHA-1 are irrelevant.<p>I'm not sure about the umac 64-bit block size. That should at least have some more info on why it's considered problematic.<p>Usually OpenSSH is pretty good at deprecating problematic algorithm choices, so I tend to stick with upstream defaults.
OK, I am not embarrassed to ask...<p>If I see some "weak" or "insecure" tags, what can I do about it? I have no idea how to disable MAC, key-exchange, and encryption algorithms used by the server I control. I had thought that just using SSH was "enough".<p>More importantly, if I do disable the insecure stuff, what will it break?
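The knobs being asked about are the Ciphers, MACs and KexAlgorithms directives in sshd_config (HostKeyAlgorithms covers host keys the same way). As an added example, mine rather than anything from the scanner or from OpenSSH, the script below holds two constructed configs, a legacy one that still accepts CBC modes and SHA-1 algorithms, and my transcription of the Mozilla "modern" profile linked in the first comment (check the lists against the wiki before deploying them), and reports every entry a scanner like this one would flag. The weak-pattern table encodes what such scanners report, including the group14/hmac-sha1 entries that an earlier comment argues are actually fine, so treat the reasons as the scanner's view, not a verdict.

```python
"""Audit the algorithm-list directives of an sshd_config for entries that
SSH scanners flag as weak.  Added example; not code from the scanner or
from OpenSSH.  Both config texts below are constructed for illustration."""
import re

# Constructed: a server that still accepts legacy algorithms.
LEGACY_SSHD_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1,umac-64@openssh.com,hmac-md5
"""

# Constructed: my transcription of the Mozilla OpenSSH "modern" profile.
# Verify against the guideline page before using it on a real host.
HARDENED_SSHD_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

# What scanners typically object to, with the reason they give.  The two
# "see discussion" entries are disputed in the thread above.
WEAK_PATTERNS = [
    (re.compile(r"-cbc$"), "CBC mode (plaintext-recovery history in SSH)"),
    (re.compile(r"^(3des|arcfour|blowfish)"), "64-bit block or deprecated cipher"),
    (re.compile(r"^hmac-md5"), "MD5-based MAC"),
    (re.compile(r"^hmac-sha1"), "SHA-1-based MAC (flagged by scanners, see discussion)"),
    (re.compile(r"^umac-64"), "64-bit MAC tag"),
    (re.compile(r"^diffie-hellman-group1-"), "1024-bit DH group"),
    (re.compile(r"^diffie-hellman-group14-sha1$"), "SHA-1 key exchange (flagged by scanners, see discussion)"),
    (re.compile(r"^diffie-hellman-group-exchange-sha1$"), "SHA-1 key exchange"),
]

DIRECTIVES = ("Ciphers", "MACs", "KexAlgorithms")


def parse_algorithms(config_text):
    """Return {directive: [algorithm, ...]} for the algorithm-list directives.
    Only the first occurrence of a directive counts, as in sshd itself."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        for directive in DIRECTIVES:
            # sshd matches directive names case-insensitively.
            if key.lower() == directive.lower() and directive not in found:
                found[directive] = [a for a in value.split(",") if a]
    return found


def audit(config_text):
    """Return [(directive, algorithm, reason)] for every flagged entry."""
    findings = []
    for directive, algos in parse_algorithms(config_text).items():
        for algo in algos:
            for pattern, reason in WEAK_PATTERNS:
                if pattern.search(algo):
                    findings.append((directive, algo, reason))
                    break
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} flagged entries")
        for directive, algo, reason in findings:
            print(f"  {directive}: {algo} -> {reason}")
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective values, so you can see what a fresh sshd will actually offer. The same directive names are accepted in ssh_config if you would rather pin the algorithms on the client side. What disabling things breaks is any client whose offer shares nothing with the remaining lists; that client cannot connect at all, it is not downgraded.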
Great tool - I found some weaknesses in my SSH server. After fixing them, I wanted to test it again but I can't find a refresh button...<p>EDIT: turns out you need to wait 10 minutes.
A suggestion: add simulated handshakes for various versions of OpenSSH and PuTTY to indicate which cipher/auth/kex algorithm they would negotiate with their default settings (à la the SSL Labs scanner).
Is it just me or am I the only one who is a bit hesitant to submit the public IP/hostname to some random service on the web? I'm not trying to say that the creator of this has any ill intent, but I also don't know that they aren't cataloging addresses of potentially vulnerable ssh daemons.<p>Anyway.. just to reiterate, I'm not trying to accuse you of anything OP. Very cool utility, nice work!
Why is this a service and not a standalone tool that I can use from my own machine?<p>Do I really want to be giving out the locations of my ssh servers to some random website?<p>Also, a standalone tool could be used behind corporate firewalls, where this service is useless.
Is this based on ssh-audit? <a href="https://github.com/arthepsy/ssh-audit" rel="nofollow">https://github.com/arthepsy/ssh-audit</a>
It appears to have problems with newer ciphers.<p>sshd[28670]: fatal: Unable to negotiate with 40.112.150.31 port 47286: no matching cipher found. Their offer: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,twofish256-ctr,twofish192-ctr,twofish128-ctr,twofish256-cbc,twofish192-cbc,twofish128-cbc,twofish-cbc [preauth]
Great tool! Though I think it's much safer to control these things client side; that way, no matter what you're connecting to, you know you're getting safe ciphers.
On one hand, nice way to collect a database of SSH servers without triggering alarms.<p>On the other, people using this tool are more likely to take steps to secure their servers.
Ok, say I am on vacation and my laptop turned into a brick. The SQL crashed and I need to perform a restore.<p>What do I do if only SSH keys are allowed? So I keep my key on a USB key? How is that safe to plug into a computer?<p>Do I go around with a USB Linux distro with my key on it? What if at the border an official decides to keep the USB device I was holding on to?<p>How do you manage this situation?
Just shows the following for me:<p>An error occurred
This happened when we were trying to connect to io.r1ch.net:22.<p><a href="https://sshcheck.com/server/io.r1ch.net/" rel="nofollow">https://sshcheck.com/server/io.r1ch.net/</a>
Should this have "Show HN:" in the title? The author of the site appears to be the OP.<p><a href="https://news.ycombinator.com/showhn.html" rel="nofollow">https://news.ycombinator.com/showhn.html</a>
It'd be useful to know what this is likely to break. AFAIK sshd doesn't log what ciphers people used, like Apache can do. A caniuse.com for SSH would be useful.
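One thing sshd does log is the failure case: the "Unable to negotiate ... Their offer:" line quoted earlier in the thread is what appears when a client's offer and the server's list share nothing. As an added example (mine, not from the scanner or from OpenSSH) the script below parses such a line, replays the selection rule from RFC 4253 section 7.1 (the first algorithm in the client's list that the server also supports wins, so client order decides), and checks a few constructed client offers against two server Ciphers lists. The quoted client would have got aes256-ctr against the Mozilla modern list, which keeps the CTR modes, so the server that logged that line had presumably dropped them; against an AEAD-only list it fails. The client offers, server lists and log line are all constructed (the log line is modelled on the quoted one, and the "OpenSSH default" order is my approximation).

```python
"""Replay SSH cipher negotiation to see which clients a server Ciphers list
would reject.  Added example; not code from the scanner or from OpenSSH.
All inputs below are constructed for illustration."""
import re

# Constructed: modelled on the sshd failure line quoted in the thread.
LOG_LINE = ("sshd[28670]: fatal: Unable to negotiate with 40.112.150.31 port 47286: "
            "no matching cipher found. Their offer: aes256-ctr,aes192-ctr,aes128-ctr,"
            "aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,twofish256-ctr,"
            "twofish192-ctr,twofish128-ctr,twofish256-cbc,twofish192-cbc,"
            "twofish128-cbc,twofish-cbc [preauth]")

# Constructed server-side Ciphers lists.
AEAD_ONLY = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
             "aes128-gcm@openssh.com"]
# My transcription of the Mozilla "modern" cipher list: AEAD plus CTR modes.
MODERN = AEAD_ONLY + ["aes256-ctr", "aes192-ctr", "aes128-ctr"]

# Constructed client offers, in the client's own preference order.
CLIENTS = {
    "logged-client": None,  # filled from LOG_LINE below
    "openssh-default-ish": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                            "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "cbc-only-legacy": ["aes128-cbc", "3des-cbc"],
}

_OFFER_RE = re.compile(r"no matching (?P<kind>\w+) found\. Their offer: (?P<offer>\S+)")


def parse_offer(log_line):
    """Return (kind, [algorithms...]) from an 'Unable to negotiate' line, or None."""
    m = _OFFER_RE.search(log_line)
    if not m:
        return None
    return m.group("kind"), m.group("offer").split(",")


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: first entry of the client's list that the server
    also supports.  None means the connection is refused outright."""
    server_set = set(server_list)
    for algo in client_list:
        if algo in server_set:
            return algo
    return None


def what_breaks(server_list, clients=None):
    """Map client name -> negotiated algorithm (None = that client breaks)."""
    if clients is None:
        clients = dict(CLIENTS)
        clients["logged-client"] = parse_offer(LOG_LINE)[1]
    return {name: negotiate(offer, server_list) for name, offer in clients.items()}


if __name__ == "__main__":
    kind, offer = parse_offer(LOG_LINE)
    print(f"client offered {len(offer)} {kind}s, first choice {offer[0]}")
    for name, server in (("aead-only", AEAD_ONLY), ("modern", MODERN)):
        print(f"server list {name}:")
        for client, chosen in what_breaks(server).items():
            print(f"  {client:22s} -> {chosen or 'FAILS'}")
```

The same `negotiate` rule applies to the MACs and KexAlgorithms lists, so feeding it the offers from "no matching MAC found" or "no matching key exchange method found" lines works unchanged. Combined with a list of what each client version offers by default, this is the "caniuse" table the comment asks for.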
Is there a good reason to open up access to your ssh port for some service by a novelty account which could easily collect information on what version ssl sub-protocols you do and do not support?<p>Consider me paranoid but I don't like services like this unless they come from reputable sources and even then I'd much rather run something local.<p>Remember to close your port in your firewall after running the test.
Call me critical AND paranoid.. but this kind of thing should be a tool people can run locally. Not via some public service, which is probably gonna be blacklisted on plenty of RBLs.<p>However, first and above all, SSH SHOULD NEVER LISTEN AND/OR RESPOND to non-whitelisted IP addresses. NEVER, no exceptions.<p>Also I think it is more a promotion for the Rebex site and software, not so much the ssh scan utility... based on the selected sample site, simplicity of the utility and site,<p>Server Identification: SSH-2.0-RebexSSH_1.0.0.0