Lunar – a UNIX security auditing tool

LUNAR is an open source UNIX security auditing tool written in shell script. It audits various operating systems such as Linux (RHEL, CentOS, Debian, Ubuntu), Solaris and Mac OS, and has few requirements. Services like Docker and AWS are also supported.


Clone repository

# git clone
$ git clone

Download via curl

# download via curl
$ curl -L -C - -o

# extract archive
$ unzip


Usage is very easy… but the results bring a lot of value.

# show help
$ sh -h

# list functions
$ sh -S

# run ssh audit
$ sh -s audit_ssh_config

# run selinux audit in verbose mode
$ sh -s audit_selinux -v

# run all audits
$ sh -a

Curl via Socks5 proxy on macOS

SSH tunnels in browsers are easy! What about curl via SSH tunnels? Yeah, it's easy, too!


Check the minimal firewall rules and the SSH configuration on the target host.

# ensure the ssh service is allowed by the firewall
$ firewall-cmd --list-services

# ensure AllowTcpForwarding is enabled
$ sshd -T | grep -i AllowTcpForwarding
allowtcpforwarding yes

Create SSH tunnel

Some basics about SSH tunnels…

# create ssh tunnel (foreground process)
$ ssh -ND localhost:9000 <user>@<host>
$ ssh -C4ND localhost:9000 <user>@<host>
$ ssh -C4ND localhost:9000 <user>@<host> -v
$ ssh -C4ND localhost:9000 <user>@<host> -p 22 -v

# create ssh tunnel (background process)
$ ssh -C4ND localhost:9000 <user>@<host> -f

  • C: use compression (level can be set in configuration file)
  • 4: forces ssh to use IPv4 only
  • N: do not execute a remote command
  • D: specifies dynamic application-level port forwarding
  • v: verbose mode
  • f: go to background before command execution
  • p: port to connect to on the remote host

Check SSH tunnel

The following examples will help you to monitor the connection to the target server.

# check ssh tunnel (local)
$ ps aux | grep ssh

# check ssh tunnel via lsof (target)
$ lsof -nPi | grep ssh

# check ssh tunnel via ss (target)
$ ss -4t

Use SSH tunnel

Now we use the tunnel via curl. With the service we can verify.

# curl for external ip (without tunnel)
$ curl

# curl for external ip
$ curl --socks5 localhost:9000

# curl for external ip (since curl v7.21.7)
$ curl -x socks5://localhost:9000

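Note: There are two protocol prefixes, socks5:// and socks5h://. With socks5:// curl resolves hostnames locally; with socks5h:// the SOCKS server handles the DNS queries, so name lookups are not sent from the local machine.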

Kill SSH tunnel

The simplest and harshest way to kill SSH tunnels running in the background is the following example. But be careful: it kills all ssh connections!

# kill all ssh tunnel
$ sudo killall ssh
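
As a more targeted alternative to killall, the following added example (not part of the original post) selects only the ssh clients that hold a dynamic forward on a given local port and leaves every other ssh session alone. The function names and the sample process list are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: stop only the SOCKS tunnel on one
# local port. Function names and the sample data are assumptions.

# tunnel_pids PORT
# Reads "PID COMMAND ARGS..." lines (as printed by `ps -A -o pid=,args=`) on
# stdin and prints the PIDs of ssh clients with a dynamic forward (-D) on PORT.
tunnel_pids() {
    awk -v port="$1" '
    {
        # Field 2 is the executable: accept "ssh" or a path ending in /ssh,
        # which skips sshd, grep and everything else.
        n = split($2, path, "/")
        if (path[n] != "ssh") next
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^-[A-Za-z0-9]*D$/ && i < NF) {
                spec = $(i + 1)          # -D, -ND, -C4ND: spec is the next word
            } else if ($i ~ /^-D./) {
                spec = substr($i, 3)     # attached form such as -D9000
            } else {
                continue
            }
            # The spec is [bind_address:]port, so compare the last part.
            m = split(spec, part, ":")
            if (part[m] == port) { print $1; next }
        }
    }'
}

# kill_tunnel PORT
# Sends SIGTERM to the matching tunnel processes only; other ssh sessions stay up.
kill_tunnel() {
    pids=$(ps -A -o pid=,args= | tunnel_pids "$1")
    [ -n "$pids" ] || { echo "no ssh tunnel found on port $1" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting is wanted: one PID per word
    kill $pids
}

# Constructed sample process list, for trying tunnel_pids without a live tunnel.
SAMPLE_PS='  101 ssh -C4ND localhost:9000 alice@host.example -f
  102 ssh bob@host.example
  103 /usr/bin/ssh -D 9000 -N carol@host.example
  104 ssh -ND localhost:9001 dave@host.example
  105 grep ssh
  106 ssh -D9000 erin@host.example
  107 sshd: alice@pts/0'
```

After sourcing the file, `kill_tunnel 9000` stops the tunnel created above; piping `$SAMPLE_PS` into `tunnel_pids 9000` prints 101, 103 and 106.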