@llandeilocymro
Created August 25, 2016 10:18
Quick little script to rattle through a sshd_config file and make recommendations
#! /usr/bin/perl -w
# EDW
# Quick little script to rattle through a sshd_config file and make recommendations
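use strict;
use warnings;

# Audits an sshd_config file line by line and prints a finding for every
# setting the script treats as weak or left at its default, followed by a
# second pass reporting whether a handful of hardening directives are set.
# Usage: pass the path of the file to audit as the only argument; with any
# other argument count the default path below is used.

if ($^O eq "MSWin32") { print "Windows....really....use *nix\n"; exit; }

my $file = "/etc/ssh/sshd_config";
my $line = "=" x 50;

if (@ARGV != 1) {
    print "No paramater file supplied......"; sleep(2);
    print "using ", $file, "\n"; sleep(5);
    $ARGV[0] = $file;
}
my $target = $ARGV[0];

# Three-argument open with an explicit read mode: with the two-argument form
# a path beginning with '>' or ending in '|' is interpreted as a mode or a
# command instead of a file name.
open(my $sshd_fh, '<', $target) || die("Couldnt open $target\n");
my @sshd = <$sshd_fh>;

# stat the open handle, not the path, so the permissions reported belong to
# the file whose contents were just read.
my @st = stat($sshd_fh);
close($sshd_fh);

system("clear");
print "\nAnalysis of $target starting.....\n\n";
sleep(1);    # keep the suspense going....
print "$line\nThe Following Issues Have Been Identified:\n$line\n";

if (!@st) {
    print "[-] Could not read permissions for $target\n";
}
else {
    # 0100644 (decimal 33188) is a regular file with mode 0644; any other
    # type or mode is reported, stricter modes such as 0600 included.
    my $mode = $st[2];
    if ($mode != 0100644) {
        # The file name is passed as an argument, never interpolated into
        # the format string, so a '%' in the path is printed literally.
        printf "[-] Permissions for %s are %04o\n\t - they should be 0644\n",
            $target, $mode & 07777;
    }

    # A configuration file owned by a non-root account can be rewritten by
    # that account whatever the mode bits say.
    if ($st[4] != 0) {
        print "[-] $target is owned by uid $st[4]\n\t - it should be owned by root (uid 0)\n";
    }
}

# Builds the pattern for one "Keyword value" check. It accepts leading
# blanks, any run of whitespace (or a single '=') between keyword and value,
# and optional double quotes, so that "PermitRootLogin<TAB>yes" is not
# missed. The value must end at whitespace or end of line, which keeps
# "Port 22" from matching "Port 2222".
# NOTE(review): an optional leading '#' is accepted because the original
# script inspects commented-out lines as well (its comment-skip is disabled),
# presumably to report the defaults a stock file lists as comments - confirm.
my $directive = sub {
    my ($keyword, $value) = @_;
    return qr/^\s*#?\s*\Q$keyword\E(?:\s+|\s*=\s*)"?\Q$value\E"?(?!\S)/i;
};

# Checked in this order for every line; each match prints one finding.
my @checks = (
    [ $directive->('PasswordAuthentication', 'yes'), 'Tunnelled Clear Text Passwords Allowed' ],
    [ $directive->('LogLevel', 'INFO'), 'Log Level set to default - consider VERBOSE' ],
    [ $directive->('Port', '22'), 'Default ssh Port Number (22) Found' ],
    [ $directive->('PermitRootLogin', 'yes'), 'Root Login Possible' ],
    [ $directive->('StrictModes', 'no'), 'Strict Modes Set To No' ],
    [ $directive->('PermitEmptyPasswords', 'yes'), 'Empty Passwords Enabled' ],
    [ $directive->('PubkeyAuthentication', 'no'), 'Public Key Authentication Not Enabled' ],
    [ $directive->('X11Forwarding', 'yes'), 'X11 Forwarding Enabled' ],
    [ $directive->('PrintMotd', 'no'), 'Message Of The Day Not Enabled' ],
    [ $directive->('PrintLastLog', 'no'), 'Last Log-In Not Printed To Console' ],
    [ $directive->('UseLogin', 'yes'), 'UseLogin Allowed' ],
    [ $directive->('HostBasedAuthentication', 'yes'), 'Host Based Authentication Enabled' ],
    [ $directive->('IgnoreRhosts', 'no'), 'Rhosts Are Not Ignored' ],
    [ $directive->('TCPKeepAlive', 'no'), 'TCPKeepAlive Not Defined' ],
    [ $directive->('LoginGraceTime', '120'), 'Login Grace Time Set To Default Value (120 Seconds)' ],
    [ $directive->('ListenAddress', '0.0.0.0'), 'Listener Bound To Default Value 0.0.0.0' ],
    [ $directive->('UsePAM', 'yes'), 'Using PAM' ],
);

# $n is the 1-based line number shown in brackets in each finding.
my $n = 0;
for my $entry (@sshd) {
    $n++;

    # A Banner line that is only present as a comment means no banner is set.
    print "[+] ($n) Banner Not Configured\n" if $entry =~ /^\s*#\s*Banner\b/i;

    for my $check (@checks) {
        my ($pattern, $finding) = @$check;
        print "[+] ($n) $finding\n" if $entry =~ $pattern;
    }

    # Active AcceptEnv lines are echoed so the accepted variables can be
    # reviewed by hand.
    if ($entry =~ /^\s*AcceptEnv\b/i) {
        print "[-] ($n) Accept Environmental Variable: \n";
        print "\t- $entry";
    }
}

print "$line\nAdvanced Checks\n$line\n";
my @list = ("AllowUsers", "MaxAuthTries", "AddressFamily", "ClientAliveInterval", "ClientAliveCountMax", "UsePrivilegeSeparation");
for my $item (@list) {
    # Only an uncommented line that starts with the keyword counts as a
    # definition; a commented-out example such as "#MaxAuthTries 6" must not
    # be reported as "Defined".
    my @AU = grep { /^\s*\Q$item\E(?:\s|=)/i } @sshd;
    if (!@AU) {
        print "[+] No $item Defined\n";
    }
    else {
        print "[-] $item Defined:\n\t- @AU";
    }
}

# Local time formatted in-process as HH:MM:SS; no external date command is
# looked up through PATH.
my $d = sprintf "%02d:%02d:%02d", (localtime)[2, 1, 0];
print "$line\nFinished at $d - Diolch SLM a CAB!\n$line\n";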