
Untitled

a guest
Aug 25th, 2016
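  #! /usr/bin/perl -w
  # EDW
  # Quick little script to rattle through a sshd_config file and make recommendations
  #
  # Usage: pass the path of one sshd_config file as the only argument; with no
  # argument (or more than one) /etc/ssh/sshd_config is read instead.
  #
  # How to read the output:
  #   - This is a textual scan of ONE file. It does not follow Include
  #     directives, does not evaluate Match blocks, and does not know the
  #     compiled-in defaults of the installed sshd. Use `sshd -T` to see the
  #     effective configuration and treat this report as a pointer only.
  #   - Commented-out directives ("#PermitRootLogin yes") are reported as well.
  #     The original left comment-skipping disabled, presumably because stock
  #     files list the defaults as comments. A commented line next to an
  #     active override therefore still produces a finding; check the line
  #     number printed in parentheses.
  #   - Some keywords checked here (UseLogin, UsePrivilegeSeparation) have been
  #     deprecated in newer OpenSSH releases; consult sshd_config(5) for the
  #     version in use.

  use strict;
  use warnings;
  use POSIX qw(strftime);

  if ($^O eq "MSWin32") { print "Windows....really....use *nix\n"; exit; }

  my $default_file = "/etc/ssh/sshd_config";
  my $line         = "=" x 50;

  # Exactly one argument selects the file; anything else falls back to the default.
  my $path;
  if (@ARGV == 1) {
      $path = $ARGV[0];
  }
  else {
      print "No paramater file supplied......"; sleep(2);
      print "using ", $default_file, "\n"; sleep(1); sleep(4);
      $path = $default_file;
  }

  # Three-argument open with an explicit read mode: the two-argument form lets
  # a crafted argument (leading '>' or a trailing '|') truncate a file or run a
  # command, which matters for a tool that is typically run as root.
  open(my $sshd_fh, '<', $path) or die "Couldnt open $path: $!\n";

  # stat() the handle that was just opened rather than the path a second time,
  # so the permissions reported belong to the file that is actually analysed.
  my $mode = (stat($sshd_fh))[2];
  my @sshd = <$sshd_fh>;
  close($sshd_fh);

  system("clear");

  print "\nAnalysis of $path starting.....\n\n";
  sleep(1); #keep the suspense going....
  print "$line\nThe Following Issues Have Been Identified:\n$line\n";

  # Only the permission bits are compared (the original compared the whole
  # st_mode against 33188, i.e. 0100644). Anything granting more than
  # rw-r--r-- is reported; a stricter mode such as 0600, which some hardening
  # baselines ask for, is no longer flagged as a problem.
  # The path is passed as a %s argument: interpolating it into the format
  # string would let a '%' in the file name be read as a conversion.
  my $perms = $mode & 07777;
  if ($perms & ~0644) {
      printf "[-] Permissions for %s are %04o\n\t - they should be 0644\n", $path, $perms;
  }

  # Keyword and value may be separated by any run of whitespace (or a single
  # '='), and a directive may be indented or commented out.
  my $lead = qr/^\s*#?\s*/;
  my $sep  = qr/(?:\s+|\s*=\s*)/;

  # keyword, value that triggers the finding, text of the finding
  my @findings = (
      [ 'PasswordAuthentication',  'yes',     'Tunnelled Clear Text Passwords Allowed' ],
      [ 'LogLevel',                'INFO',    'Log Level set to default - consider VERBOSE' ],
      [ 'Port',                    '22',      'Default ssh Port Number (22) Found' ],
      [ 'PermitRootLogin',         'yes',     'Root Login Possible' ],
      [ 'StrictModes',             'no',      'Strict Modes Set To No' ],
      [ 'PermitEmptyPasswords',    'yes',     'Empty Passwords Enabled' ],
      [ 'PubkeyAuthentication',    'no',      'Public Key Authentication Not Enabled' ],
      [ 'X11Forwarding',           'yes',     'X11 Forwarding Enabled' ],
      [ 'PrintMotd',               'no',      'Message Of The Day Not Enabled' ],
      [ 'PrintLastLog',            'no',      'Last Log-In Not Printed To Console' ],
      [ 'UseLogin',                'yes',     'UseLogin Allowed' ],
      [ 'HostBasedAuthentication', 'yes',     'Host Based Authentication Enabled' ],
      [ 'IgnoreRhosts',            'no',      'Rhosts Are Not Ignored' ],
      [ 'TCPKeepAlive',            'no',      'TCPKeepAlive Not Defined' ],
      [ 'LoginGraceTime',          '120',     'Login Grace Time Set To Default Value (120 Seconds)' ],
      [ 'ListenAddress',           '0.0.0.0', 'Listener Bound To Default Value 0.0.0.0' ],
      [ 'UsePAM',                  'yes',     'Using PAM' ],
  );

  # Compile each pattern once. \Q..\E keeps the dots of 0.0.0.0 literal and the
  # trailing \b stops "Port 22" from also matching "Port 2222" or
  # "LoginGraceTime 120" from matching "1200".
  my @checks = map {
      my ($keyword, $value, $text) = @{$_};
      [ qr/$lead\Q$keyword\E$sep\Q$value\E\b/i, $text ]
  } @findings;

  my $n = 0;
  foreach my $entry (@sshd) {
      # next if $entry =~ /^#.*/;   (left disabled, as in the original)
      $n++;

      # A Banner directive that is still commented out counts as "not configured".
      print "[+] ($n) Banner Not Configured\n" if $entry =~ /^\s*#\s*Banner\b/i;

      foreach my $check (@checks) {
          my ($pattern, $text) = @{$check};
          print "[+] ($n) $text\n" if $entry =~ $pattern;
      }
      # if ($entry =~ /Protocol 1?/i) { print "[+] ($n) Protocol 1 Found\n";}

      # Active AcceptEnv lines are echoed so the accepted variables can be reviewed.
      if ($entry =~ /^\s*AcceptEnv\b/i) {
          print "[-] ($n) Accept Environmental Variable: \n";
          print "\t- $entry";
      }
  }

  print "$line\nAdvanced Checks\n$line\n";
  my @list = ("AllowUsers","MaxAuthTries","AddressFamily","ClientAliveInterval","ClientAliveCountMax","UsePrivilegeSeparation");

  # Report whether each directive appears at all. Commented-out lines count as
  # "Defined" here too, so read the echoed line: a leading '#' means the
  # directive is not actually in force.
  foreach my $item (@list) {
      my @AU = grep { /$lead\Q$item\E\b/i } @sshd;
      if (!@AU) {
          print "[+] No $item Defined\n";
      }
      else {
          print "[-] $item Defined:\n\t- @AU";
      }
  }

  # Format the time in-process instead of shelling out to date(1), which would
  # depend on whatever PATH the (usually privileged) caller has.
  my $d = strftime('%H:%M:%S', localtime);
  print "$line\nFinished at $d - Diolch SLM a CAB!\n$line\n";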