Web-based SFTP vulnerability scan tool?

Posted by johnnydotexe@reddit | sysadmin | View on Reddit | 5 comments

Few years back I used some web-based SFTP vulnerability scan tool against a few client SFTP servers, and the tool basically applied an overall score with a breakdown of all the good/bad, like checking for known-unsafe algorithms being used, and it was free to use. This morning I'm banging my head against the wall trying to remember what that site was. Anyone have any ideas, or suggestions for an alternative?

Reply to Post

5 Comments

[-]

techvet83@reddit

Nmap can certainly scan for unsafe ciphers and protocols (see [ssl-enum-ciphers NSE script — Nmap Scripting Engine documentation](https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html) for sample output when using the ssl-enum-ciphers script).

[-]

zeusin@reddit

There is a tool called "ssh-audit". Is availabe on pypi, docker, snap... or online [https://www.ssh-audit.com/](https://www.ssh-audit.com/) Returns all the algorithms used by the server and if they are secure or not. output of pypi command is something like: "(key) ecdsa-sha2-nistp256 -- \[fail\] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency" There is also a tutorial to harden ssh systems: [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening_guides.html)

[-]

johnnydotexe@reddit (OP)

That's the site I was using some years ago, thank you!

[-]

OCTS-Toronto@reddit

If it's FTPS (as in ftp over ssl) then ssllabs.com has a test for this. But I've never heard of one for SFTP itself.

[-]

cjcox4@reddit

Maybe https://sshcheck.com/ Not an endorsement. Cloud things are often used to make "records" of what is out there.