CentOS7升級OpenSSH_8.6p1

目前在修復漏洞，通過漏掃工具掃描出的結果顯示centos7.6自帶的OpenSSH為7.4版本較低，存在中危漏洞需要進行修復

那目前我們就需要對openssh進行升級，這個時候作為安全考慮，建議大家多打開兩個連接窗口，並且打開telnet服務，這樣如果即使openssh升級失敗或報錯，也能先通過telnet進行連接。

• 配置Telnet服務

---

• # 先關閉selinux和防火牆
  setenforce 0                      
  systemctl stop firewalld         
  systemctl disable firewalld
  
  # 下載telnet及其依賴並修改配置文件
  yum install telnet telnet-server xinetd -y
  cp /etc/xinetd.conf   /home/data/xinetd.comf_bak
  sed -i '14a      disabled = no ' /etc/xinetd.conf          
  echo -e 'pts/0\npts/1\npts/2\npts/3'  >>/etc/securetty
  
  # 設置服務開機自啟動
  systemctl start telnet.socket
  systemctl start xinetd
  systemctl enable telnet.socket
  systemctl enable xinetd

配置完成后使用windows自帶的命令行telnet連接，檢查是否正常

---

 

• 升級Openssh版本

  下面是寫的升級腳本，可以參考

   

• #!/bin/bash
  #######################
  #   升級openssh版本   #
  #  李小陽 2021/09/15  #
  #######################
  
  mkdir /storage/data/
  cd /storage/data/
  yum install wget -y
  
  # 下載安裝包並解壓
  wget -O openssh-8.6p1.tar.gz https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
  wget -O zlib-1.2.11.tar.gz https://zlib.net/zlib-1.2.11.tar.gz
  wget -O openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz
  tar -xf openssl-1.1.1j.tar.gz
  tar -xf zlib-1.2.11.tar.gz
  tar -xf openssh-8.6p1.tar.gz
  
  # 升級Zlib-及下載依賴
  yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel
  yum install  -y pam* zlib*
  cd /storage/data/zlib-1.2.11/
  ./configure --prefix=/usr/local/zlib && make && make install
  
  # 升級openssl
  cd /storage/data/openssl-1.1.1j/
  ./config --prefix=/usr/local/openssl -d shared && make && make install 
  echo '/usr/local/openssl/lib' >> /etc/ld.so.conf
  ldconfig
  mv /usr/bin/openssl /storage/data/opensslbk
  ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
  
  
  # 安裝OpenSSH-8.6p1
  cd /storage/data/openssh-8.6p1/
  ./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib && make && make install
  
  mv /etc/ssh/sshd_config /storage/data/sshd_config.bak
  cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
  mv /usr/sbin/sshd /storage/data/sshd.bak
  cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
  mv /usr/bin/ssh /storage/data/ssh.bak
  cp /usr/local/openssh/bin/ssh /usr/bin/ssh
  mv /usr/bin/ssh-keygen /storage/data/ssh-keygen.bak
  cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
  mv /etc/ssh/ssh_host_ecdsa_key.pub /storage/data/ssh_host_ecdsa_key.pub.bak
  cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
  
  for  i   in  $(rpm  -qa  |grep  openssh);do  rpm  -e  $i  --nodeps ;done
  mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
  
  cp /storage/data/openssh-8.6p1/contrib/redhat/sshd.init /etc/init.d/sshd
  chmod u+x   /etc/init.d/sshd
  
  # 修改啟動的配置文件
  cp /etc/init.d/sshd /storage/data/sshdnewbk
  sed -i '/SSHD=/c\SSHD=\/usr\/local\/openssh\/sbin\/sshd'  /etc/init.d/sshd
  sed -i '/\/usr\/bin\/ssh-keygen/c\         \/usr\/local\/openssh\/bin\/ssh-keygen -A'  /etc/init.d/sshd
  sed -i '/ssh_host_rsa_key.pub/i\                \/sbin\/restorecon \/etc\/ssh\/ssh_host_key.pub'  /etc/init.d/sshd  
  sed -i '/$SSHD $OPTIONS && success || failure/i\       \ OPTIONS="-f /etc/ssh/sshd_config"' /etc/rc.d/init.d/sshd
  # 修改sshd_config配置文件
  sed -i '/PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
  sed -i '/X11Forwarding/c\X11Forwarding yes' /etc/ssh/sshd_config
  sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
  
  cp -arp /usr/local/openssh/bin/* /usr/bin/
  service sshd restart
  
  # 配置開機自啟動
  chkconfig --add sshd
  chkconfig --level 2345 sshd on
  chkconfig --list
  
  # 刪除安裝包
  rm -fr /storage/data

  ssh -V 驗證版本是否升級成功

驗證完成后需要在多建立會話窗口看是否可以連接，一切正常后重啟服務器，看ssh服務是否加入了開機自啟動，一切沒有問題后就執行下面的命令關閉telnet服務。

這個時候在用漏掃工具掃描就沒有了中危漏洞。希望文章可以對您有所幫助。

# 關閉Telnet服務 
systemctl stop telnet.socket  
systemctl stop xinetd
systemctl disable xinetd.service
systemctl disable telnet.socket