背景描述
近期對 100 多台服務器進行漏洞掃描，發現均存在一個中危的 OpenSSH 漏洞（CVE-2018-15919，見下方漏洞描述）。該漏洞影響 OpenSSH 7.8 及更早的版本（並非僅 7.8 以下），故採用升級 OpenSSH 版本的方式修復。由於服務器過多，不可能每一台都手動源碼編譯安裝，故編寫腳本，再通過 ansible 進行批量更新。需要注意兩點：腳本是從源碼編譯並安裝到 /usr，並未卸載系統自帶的 openssh RPM，之後若 yum 更新 openssh 套件可能覆蓋這些二進位；另外腳本會臨時開啟 telnet（明文協議，且允許 root 登錄）作為升級期間的回退登錄通道，升級完成後務必確認 telnet 已關閉。
補充:通過yum安裝openssh8.x版本
這里服務器操作系統均為CentOS7.x系列
漏洞描述:
國家漏洞庫編號:CNNVD-201808-902
CNCVE編號:CNCVE-201815919
CVE編號:CVE-2018-15919
漏洞描述:OpenSSH(OpenBSD Secure Shell)是OpenBSD計划組所維護的一套用於安全訪問遠程計算機的連接工具。該工具是SSH協議的開源實現,支持對所有的傳輸進行加密,可有效阻止竊聽、連接劫持以及其他網絡級的攻擊。OpenSSH 7.8及之前版本中的auth-gss2.c文件存在安全漏洞。遠程攻擊者可利用該漏洞檢測其指定的用戶是否存在。
編寫腳本
該腳本只支持
CentOS7.x
系列
openssh-update.sh
#!/bin/bash
# @Time :2020/8/5 22:06
# @Author :yanjie.li
# @Email :381347268@qq.com
# @File :openssh-update.sh
# @Desc :Fix the OpenSSH user-enumeration vulnerability affecting 7.8 and earlier by upgrading OpenSSH to 8.2.
printf '\n'
# Red bold banner: sshd is restarted further down, so the operator must keep
# this session open and confirm a fresh login works before disconnecting.
printf '\033[40;31;1m*** 安裝完成后請勿立即退出當前終端(斷開連接),先新開終端進行連接測試ok后再關閉該終端 ***\033[0m\n'
printf '\n'
echo "即將升級openssh"
# Grace period in which the run can still be aborted with Ctrl-C before
# anything on the host is modified.
sleep 10
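# Check if user is root
# Everything below writes under /usr, /etc and systemd, so refuse to run
# unprivileged; the diagnostic goes to stderr so it is not lost in captured
# stdout when the script is driven by ansible.
if [[ "$(id -u)" != "0" ]]; then
  echo "Error: You must be root to run this script!!" >&2
  exit 1
fi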
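# Directory the tarballs are fetched into and extracted under: the script is
# expected to be run from the directory that holds (or will hold) them.
base_dir=$(pwd)
readonly base_dir
#下載安裝包:
# Release names; they build both the download URLs and the names of the
# extracted source directories, so every step must use these variables
# rather than a literal version string.
openssh="openssh-8.2p1"
openssl="openssl-1.1.1f"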
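#Download the installation package
# Compare a file's SHA-256 digest with an expected hex digest.
# Arguments: $1 - file path; $2 - expected digest (hex, case-insensitive)
# Returns:   0 on match, 1 on mismatch or when the file cannot be hashed
function verify_sha256(){
  local file="$1" expected="$2" actual
  actual=$(sha256sum -- "$file" 2>/dev/null | awk '{print $1}')
  [[ -n "$actual" && "${actual,,}" == "${expected,,}" ]]
}

# Download one tarball into the current directory unless it is already there,
# then verify it when a digest is supplied.
# Arguments: $1 - label used in messages; $2 - tarball file name; $3 - URL;
#            $4 - expected SHA-256 digest, or "" to skip verification
# Returns:   0 when the file is present (and verified if a digest was given),
#            1 otherwise
function fetch_tarball(){
  local label="$1" file="$2" url="$3" digest="$4"
  if [ ! -f "$file" ];then
    # Exactly one URL per call: a stray extra word here is treated by wget as
    # a second URL, which fails and masks the real download's status.
    wget -c "$url"
  else
    echo "Skipping: ${label} already downloaded"
  fi
  if [[ ! -f "$file" ]]; then
    echo "Error: ${file} was not downloaded from ${url}" >&2
    return 1
  fi
  if [[ -n "$digest" ]]; then
    if ! verify_sha256 "$file" "$digest"; then
      echo "Error: SHA-256 of ${file} does not match the expected digest; delete the file and re-run (or correct the digest)" >&2
      return 1
    fi
  else
    # The mirror is trusted on TLS alone; without a digest whatever was
    # fetched is built and installed as root.
    echo "Warning: no SHA-256 digest supplied for ${file}; download not verified" >&2
  fi
}

# Fetch the OpenSSH and OpenSSL source tarballs into the current directory.
# Globals:     openssh, openssl (release names)
# Environment: OPENSSH_SHA256 / OPENSSL_SHA256 - optional expected tarball
#              digests, e.g. from the upstream release announcement
# Returns:     0 when both tarballs are present, 1 otherwise
function download(){
  fetch_tarball openssh "${openssh}.tar.gz" \
    "https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/${openssh}.tar.gz" \
    "${OPENSSH_SHA256:-}" || return 1
  fetch_tarball openssl "${openssl}.tar.gz" \
    "https://ftp.openssl.org/source/old/1.1.1/${openssl}.tar.gz" \
    "${OPENSSL_SHA256:-}" || return 1
}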
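#安裝依賴包
# Append pts/0..pts/3 to a securetty-style file, skipping entries already
# present, so re-running the script does not accumulate duplicates.
# Arguments: $1 - path to the securetty file
function allow_root_on_pts(){
  local file="$1" tty
  for tty in pts/0 pts/1 pts/2 pts/3; do
    grep -qxF -- "$tty" "$file" 2>/dev/null || echo "$tty" >> "$file"
  done
}

# Install the build toolchain and bring up telnet as a temporary fallback
# login path while sshd is replaced. Telnet is cleartext and root login on
# it is enabled through /etc/securetty, so this window must stay short and
# the service must be torn down once the new sshd is confirmed working.
function install_relyon(){
  yum install -y telnet-server xinetd
  yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
  # Quoted so yum receives the wildcards; unquoted they would be expanded
  # by the shell against files in the current directory if any matched.
  yum install -y 'pam*' 'zlib*'
  systemctl enable xinetd.service
  systemctl enable telnet.socket
  systemctl start telnet.socket
  systemctl start xinetd.service
  allow_root_on_pts /etc/securetty
  systemctl restart xinetd.service
  echo "telnet 啟動成功"
  sleep 3
  echo "########################################################"
}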
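#備份ssh
# Back up the sshd configuration directory (including private host keys)
# and root's authorized_keys before the upgrade touches them.
# Arguments: $1 - destination directory (default /tmp/ssh_backup/)
#            $2 - sshd configuration directory (default /etc/ssh/)
#            $3 - root's authorized_keys (default /root/.ssh/authorized_keys)
# Returns:   0 on success, 1 when the destination is unusable or a copy fails
function back_ssh(){
  local dest="${1:-/tmp/ssh_backup/}" ssh_dir="${2:-/etc/ssh/}" auth_keys="${3:-/root/.ssh/authorized_keys}"
  # The copy contains private host keys and lives under the world-writable
  # /tmp: refuse a pre-existing symlink (it could redirect the keys to a
  # path another user controls) and keep the directory root-only.
  if [[ -L "$dest" ]]; then
    echo "Error: ${dest} is a symlink; refusing to write SSH keys through it" >&2
    return 1
  fi
  mkdir -p -m 700 -- "$dest" || return 1
  chmod 700 -- "$dest"
  if [[ -f "$auth_keys" ]]; then
    cp -a -- "$auth_keys" "$dest" || return 1
  else
    echo "Note: ${auth_keys} not found; nothing to back up" >&2
  fi
  # -a keeps the 0600 mode of the host keys in the copy.
  cp -a -- "$ssh_dir" "$dest" || return 1
  echo "SSH configuration backed up to ${dest}"
}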
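#安裝openssl
# Append a line to a file unless an identical line is already present.
# Arguments: $1 - line; $2 - file
function append_line_once(){
  local line="$1" file="$2"
  grep -qxF -- "$line" "$file" 2>/dev/null || echo "$line" >> "$file"
}

# Build OpenSSL from the downloaded tarball into /usr/local/openssl and
# point the system openssl binary, headers and libssl.so at it.
# Globals: base_dir, openssl (release name, also the extracted directory)
# Returns: 0 on success, 1 when extraction or the build fails
function install_openssl(){
  local src="${base_dir}/${openssl}"
  tar xfz "${base_dir}/${openssl}.tar.gz" -C "${base_dir}" || return 1
  echo "備份OpenSSL..."
  # Keep the distro copies so OpenSSL can be restored by hand. Only move
  # them when no backup exists yet: on a re-run these paths are already the
  # symlinks created below, and moving them would clobber the real backup.
  if [[ -e /usr/bin/openssl && ! -e /usr/bin/openssl_bak ]]; then
    mv /usr/bin/openssl /usr/bin/openssl_bak
  fi
  if [[ -e /usr/include/openssl && ! -e /usr/include/openssl_bak ]]; then
    mv /usr/include/openssl /usr/include/openssl_bak
  fi
  if [[ -e /usr/lib64/libssl.so && ! -e /usr/lib64/libssl.so.bak ]]; then
    mv /usr/lib64/libssl.so /usr/lib64/libssl.so.bak
  fi
  echo "開始安裝OpenSSL..."
  sleep 3
  cd "$src" || return 1
  if ! { ./config shared --prefix=/usr/local/openssl && make -j 4 && make install -j 4; }; then
    echo "Error: OpenSSL build or install failed; see the output above" >&2
    return 1
  fi
  # -n: when the target is already a symlink to a directory (re-run), replace
  # the link itself instead of creating a link inside the directory it points to.
  ln -fsn /usr/local/openssl/bin/openssl /usr/bin/openssl
  ln -fsn /usr/local/openssl/include/openssl /usr/include/openssl
  ln -fsn /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so
  echo "加載動態庫..."
  append_line_once "/usr/local/openssl/lib" /etc/ld.so.conf
  /sbin/ldconfig
  echo "查看確認版本。。。"
  openssl version
  echo "OpenSSL 升級完成..."
}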
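#安裝openssh
# Build OpenSSH from the downloaded tarball and install it over the distro
# copy (prefix /usr, configuration in /etc/ssh), linked against the OpenSSL
# built in /usr/local/openssl. The distro openssh RPMs are not removed, so
# a later yum update of those packages may overwrite these binaries.
# Globals: base_dir, openssh (release name, also the extracted directory)
# Returns: 0 on success, 1 when extraction or the build/install fails
function install_openssh(){
  local src="${base_dir}/${openssh}"
  echo "開始升級OPENSSH。。。。。"
  sleep 5
  cd "${base_dir}" || return 1
  /usr/bin/tar -zxvf "${base_dir}/${openssh}.tar.gz" || return 1
  cd "$src" || return 1
  # The tree is unpacked as root; do not keep whatever uid the archive recorded.
  chown -R root:root "$src"
  if ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include \
      --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam && make -j 4 && make install -j 4; then
    echo "openssh 升級成功..."
  else
    echo "Error: openssh build or install failed; see the output above" >&2
    return 1
  fi
  cp -a contrib/redhat/sshd.init /etc/init.d/sshd
  # sshd asks PAM for the service named "sshd", i.e. /etc/pam.d/sshd; a file
  # called sshd.pam there is never consulted. Install the upstream stack only
  # when no distro stack exists, so a present (possibly hardened) one is kept.
  [[ -e /etc/pam.d/sshd ]] || cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
}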
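# 配置ssh
# Remove the pts/0..pts/3 entries from a securetty-style file.
# Arguments: $1 - path to the securetty file
# Returns:   0 when the file was edited, 1 when it does not exist
function revoke_root_on_pts(){
  local file="$1"
  [[ -f "$file" ]] && sed -i '/^pts\/[0-3]$/d' "$file"
}

# Register the init script with systemd, tighten host-key permissions,
# validate and restart the new sshd, then tear down the telnet fallback.
# Returns: 0 normally; 1 when the new sshd rejects sshd_config, in which
#          case sshd is not restarted and telnet is left running so the
#          host stays reachable for repair.
function config_ssh(){
  local key
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd
  for key in ed25519 rsa ecdsa; do
    [[ -f "/etc/ssh/ssh_host_${key}_key" ]] && chmod 600 "/etc/ssh/ssh_host_${key}_key"
  done
  if systemctl enable sshd; then
    echo "sshd服務添加為啟動項 ..."
  fi
  # Retire the RPM's unit so systemd generates one from the init script;
  # the reload is what makes the generated unit the one restart/enable use.
  if [[ -e /usr/lib/systemd/system/sshd.service ]]; then
    mv /usr/lib/systemd/system/sshd.service /tmp/
  fi
  systemctl daemon-reload
  #允許root遠程登陸
  # NOTE(review): this enables root password logins over SSH, which the next
  # scan is likely to flag; "PermitRootLogin prohibit-password" keeps key-based
  # root access (enough for ansible) and is the safer value if passwords are
  # not required.
  sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config
  # Refuse to restart into a configuration the new sshd cannot parse: a failed
  # restart here would cut SSH access with only cleartext telnet left.
  if ! /usr/sbin/sshd -t; then
    echo "Error: the new sshd rejects /etc/ssh/sshd_config; sshd not restarted, telnet left running for recovery" >&2
    return 1
  fi
  systemctl enable sshd
  systemctl restart sshd.service
  # ss (iproute) is present on minimal installs where net-tools/netstat may not be.
  ss -lntp
  echo "查看SSH版本信息。。。"
  ssh -V
  sleep 3
  echo "telnet服務關閉..."
  systemctl disable xinetd.service
  systemctl stop xinetd.service
  systemctl disable telnet.socket
  systemctl stop telnet.socket
  # Undo the pts entries added for the telnet fallback; left in place they
  # would keep root logins permitted on any future telnet/rlogin session.
  revoke_root_on_pts /etc/securetty
  echo "查看ssh服務"
  ss -lntp
  echo "OpenSSH 版本升級為8.2................"
  sleep 3
}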
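# Run the upgrade end to end, stopping at the first failed step so a broken
# download or build never reaches the sshd restart. Tarball presence is
# checked explicitly after download because a partial fetch must not reach
# the build steps regardless of what wget reported.
function main(){
  download
  if [[ ! -f "${base_dir}/${openssh}.tar.gz" || ! -f "${base_dir}/${openssl}.tar.gz" ]]; then
    echo "Error: source tarballs missing in ${base_dir}; aborting" >&2
    exit 1
  fi
  install_relyon || exit 1
  back_ssh || exit 1
  install_openssl || exit 1
  install_openssh || exit 1
  config_ssh || exit 1
  exit
}
main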
連接服務器執行腳本
# bash openssh-update.sh