I am currently remediating findings from a vulnerability scanner: the scan reports that the OpenSSH 7.4 shipped with CentOS 7.6 is an outdated version with a medium-severity vulnerability that needs to be fixed.
So we need to upgrade OpenSSH. As a safety measure, I recommend opening two extra connection windows and enabling the telnet service first, so that even if the OpenSSH upgrade fails or errors out, you can still get in over telnet.
Configure the Telnet service
# Disable SELinux and the firewall first
setenforce 0
systemctl stop firewalld
systemctl disable firewalld
# Install telnet and its dependencies, then adjust the configuration
yum install telnet telnet-server xinetd -y
cp /etc/xinetd.conf /home/data/xinetd.conf_bak
sed -i '14a disabled = no ' /etc/xinetd.conf
echo -e 'pts/0\npts/1\npts/2\npts/3' >>/etc/securetty
# Start the services and enable them at boot
systemctl start telnet.socket
systemctl start xinetd
systemctl enable telnet.socket
systemctl enable xinetd
Once configured, connect with the telnet client built into the Windows command line to check that it works.
Upgrade the OpenSSH version
Below is the upgrade script I wrote; use it as a reference.
#!/bin/bash
#######################
# Upgrade OpenSSH version #
# 李小阳 2021/09/15 #
#######################
mkdir /storage/data/
cd /storage/data/
yum install wget -y
# Download the source archives and unpack them
wget -O openssh-8.6p1.tar.gz https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
wget -O zlib-1.2.11.tar.gz https://zlib.net/zlib-1.2.11.tar.gz
wget -O openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz
tar -xf openssl-1.1.1j.tar.gz
tar -xf zlib-1.2.11.tar.gz
tar -xf openssh-8.6p1.tar.gz
# Upgrade zlib and install the build dependencies
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
yum install -y pam* zlib*
cd /storage/data/zlib-1.2.11/
./configure --prefix=/usr/local/zlib && make && make install
# Upgrade openssl
cd /storage/data/openssl-1.1.1j/
./config --prefix=/usr/local/openssl -d shared && make && make install
echo '/usr/local/openssl/lib' >> /etc/ld.so.conf
ldconfig
mv /usr/bin/openssl /storage/data/opensslbk
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# Install OpenSSH-8.6p1
cd /storage/data/openssh-8.6p1/
./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib && make && make install
mv /etc/ssh/sshd_config /storage/data/sshd_config.bak
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /storage/data/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /storage/data/ssh.bak
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /storage/data/ssh-keygen.bak
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
mv /etc/ssh/ssh_host_ecdsa_key.pub /storage/data/ssh_host_ecdsa_key.pub.bak
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done
mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
cp /storage/data/openssh-8.6p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
# Adjust the init script
cp /etc/init.d/sshd /storage/data/sshdnewbk
sed -i '/SSHD=/c\SSHD=\/usr\/local\/openssh\/sbin\/sshd' /etc/init.d/sshd
sed -i '/\/usr\/bin\/ssh-keygen/c\ \/usr\/local\/openssh\/bin\/ssh-keygen -A' /etc/init.d/sshd
sed -i '/ssh_host_rsa_key.pub/i\ \/sbin\/restorecon \/etc\/ssh\/ssh_host_key.pub' /etc/init.d/sshd
sed -i '/$SSHD $OPTIONS && success || failure/i\ \ OPTIONS="-f /etc/ssh/sshd_config"' /etc/rc.d/init.d/sshd
# Adjust the sshd_config file
sed -i '/PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
sed -i '/X11Forwarding/c\X11Forwarding yes' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
cp -arp /usr/local/openssh/bin/* /usr/bin/
service sshd restart
# Enable start at boot
chkconfig --add sshd
chkconfig --level 2345 sshd on
chkconfig --list
# Remove the source archives
rm -fr /storage/data
Run ssh -V to verify that the upgrade succeeded.
After that, open several more session windows to confirm you can still connect. Once everything works, reboot the server and check that the ssh service starts at boot. Only when all of this is fine, run the commands below to stop the telnet service.
Rescanning with the vulnerability scanner at this point no longer reports the medium-severity finding. I hope this article is helpful.
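As an added example (not part of the original post), here is a small check script to run from the fallback telnet window before telnet is stopped; it assumes the paths and the 8.6p1 target version used in the upgrade script above, and the version and port checks are plain functions so they can be tried on sample output.

```shell
#!/bin/bash
# Added example, not part of the original post: checks to run from the fallback
# telnet window before stopping telnet. It assumes the paths and the 8.6p1
# target version used in the upgrade script above (invoke with the argument "run").

REQUIRED="8.6"

# Print "major minor" from `ssh -V` output; note that ssh -V writes to stderr.
parse_ssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 when the version in $1 (ssh -V output) is at least $2 ("major.minor").
ssh_version_ok() {
  v=$(parse_ssh_version "$1")
  [ -n "$v" ] || return 1
  major=${v%% *}; minor=${v#* }
  rmajor=${2%%.*}; rminor=${2#*.}
  [ "$major" -gt "$rmajor" ] && return 0
  [ "$major" -eq "$rmajor" ] && [ "$minor" -ge "$rminor" ]
}

# Return 0 when `ss -ltn` output in $1 contains no listener on TCP port 23 (telnet).
telnet_closed() {
  ! printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:23$/ { found = 1 } END { exit !found }'
}

# Live checks against the system; every failure is reported before giving up.
run_checks() {
  rc=0
  ssh_version_ok "$(ssh -V 2>&1)" "$REQUIRED" || { echo "FAIL: ssh -V is below $REQUIRED"; rc=1; }
  # Validate the config with the new daemon before trusting a restart or a reboot.
  /usr/sbin/sshd -t -f /etc/ssh/sshd_config || { echo "FAIL: sshd_config rejected by the new sshd"; rc=1; }
  chkconfig --list sshd 2>/dev/null | grep -q '3:on' || { echo "FAIL: sshd is not enabled at boot"; rc=1; }
  # Only meaningful after the post's systemctl stop/disable commands have been run.
  telnet_closed "$(ss -ltn)" || echo "NOTE: telnet is still listening on port 23 (expected until it is stopped)"
  [ "$rc" -eq 0 ] && echo "all checks passed"
  return "$rc"
}

[ "${1:-}" = "run" ] && run_checks
```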

# Stop the Telnet service
systemctl stop telnet.socket
systemctl stop xinetd
systemctl disable xinetd.service
systemctl disable telnet.socket