Scan Your SSH Server in 5 Minutes
Just rented a new VPS or managing a cluster that’s been running for a year? Don’t blindly trust default provider configurations. In reality, many Linux distributions still enable legacy algorithms for compatibility, unknowingly creating security holes for attackers to exploit.
Installing ssh-audit on Ubuntu/Debian takes only a few seconds:
sudo apt update
sudo apt install ssh-audit -yIf you’re on a Mac or want the latest version via Python pip:
pip3 install ssh-auditNow, run a quick check (replace IP with your server address):
ssh-audit 1.2.3.4The output will show three distinct colors: Green (Safe), Yellow (Warning), and Red (Critical). If you see a “blood-red” list under Ciphers or MACs, your server needs immediate attention.
Why Default Configurations Are Often… Not Okay
Many admins wonder why Ubuntu or CentOS keep weak algorithms. The sole reason is compatibility. They want to ensure clients from a decade ago can still connect. However, in today’s environment where botnets scan port 22 thousands of times daily, this compromise is extremely risky.
During a recent system audit for a client, I discovered a server still using diffie-hellman-group1-sha1. This “prehistoric” algorithm is easily broken or vulnerable to downgrade attacks even with mid-range hardware. ssh-audit exposes vulnerabilities like Terrapin (CVE-2023-48795) that are invisible to the naked eye in config files.
Decoding ssh-audit Components
This tool focuses on analyzing 4 core security layers:
- Host Keys: Server identification. Prioritize
ed25519orrsa-sha2-512. If you seessh-rsa(which uses SHA-1), remove it immediately. - Key Exchange (KEX): How both parties agree on a secret key.
curve25519-sha256is currently the undisputed choice for speed and security. - Ciphers: The data encryption layer. You should only use
chacha20-poly1305oraes-gcm. - MACs: Ensures data integrity during transmission.
Reading the Report: Beyond Just Colors
The biggest advantage of ssh-audit is the Recommendations section at the end of the scan. Instead of just dry error reports, it provides “step-by-step” guidance by listing the exact lines to copy and paste. You’ll save at least 30 minutes of manual documentation research.
Optimizing SSH Configuration to “Fortress” Standards
Once you’ve identified the weaknesses, start tightening security. Open the main configuration file with:
sudo nano /etc/ssh/sshd_configBelow is a modern configuration template I typically apply. It completely removes outdated algorithms and keeps only the strongest ones:
# High-security Key Exchange
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
# Modern encryption algorithms to prevent Terrapin attacks
Ciphers [email protected],[email protected],[email protected]
# Strong data authentication (EtM)
MACs [email protected],[email protected],[email protected]
# Secure Host Key algorithms
HostKeyAlgorithms ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256Before restarting, check for any syntax errors:
sudo sshd -t
sudo systemctl restart sshWarning: Ensure your SSH client (like the latest PuTTY or Termius) supports these algorithms. If you use an outdated version, you might lock yourself out of your server immediately!
Best Practices for a Secure Server
If you haven’t set up SSH Keys yet, use the password generation tool at toolcraft.app/en/tools/security/password-generator. This tool runs entirely in your browser, ensuring complex passwords are never exposed over the network.
Besides hardening algorithms, you should apply 3 small but highly effective tips:
- Change the default SSH port: Moving from port 22 to a random number (e.g., 2289) helps evade up to 90% of automated botnet scans.
- Disable Passwords: Switch to SSH Keys and disable
PasswordAuthentication. This is the strongest barrier against brute-force attacks. - Restrict Access IPs: If you have a static IP, use a Firewall (UFW) to only allow yourself to “knock on the door.”
Security is a continuous journey, not a one-time task. Every time you update your system, take a minute to rerun ssh-audit to ensure everything is still under control. Good luck building a rock-solid system!
