OpenSSH 安全漏洞(CVE-2020-14145、CVE-2020-15778、CVE-2021-28041、CVE-2016-20012、CVE-2021-41617、CVE-2018-15919)
针对这类安全问题,处理方式是升级OpenSSH版本即可。
一、升级包下载
目前基于最新的OpenSSH-9.0p1、OpenSSL1.1.1q更新 (可根据个人情况下载、更换脚本源码包地址),测试环境为Centos7.x以上,结合个人情况参考更新,其他版本请自测!
Zlib官网:http://www.zlib.net/
OpenSSL官网:https://www.openssl.org/
OpenSSH官网:https://www.openssh.com/
注: 手动下载官方源码包时,可能会非常慢,可以去常用的镜像站点(比如 清华镜像站、阿里镜像站 等)去下载
二、OpenSSH 安装
1.开启 telnet 服务,临时关闭防火墙
由于一般登录方式为 ssh,而升级过程中 sshd 可能暂时不可用,所以需要先准备另一种登录方式(比如 Telnet 服务),以防升级失败后无法登录主机。
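#######################################
# Install and enable an xinetd-based telnet service as a temporary fallback
# login path while sshd is being replaced.
# Globals:   none
# Arguments: none
# Outputs:   package-manager and service output on stdout/stderr
# Returns:   0 on success, non-zero if a critical step fails
#
# NOTE(review): telnet carries credentials in cleartext and the securetty
# entries below allow root to log in over it; keep this window short and
# run the teardown in section 3 as soon as the new sshd is verified.
# Changes from the original: failures of yum/xinetd are reported instead of
# ignored, every 6.x release (not only 6.5/6.9) takes the SysV branch,
# re-runs do not duplicate securetty entries or clobber the backup, and only
# tcp/23 is opened instead of stopping the whole firewall (the narrower rule
# the original carried as commented-out lines).
#######################################
telnet_enable() {
  local version tty

  yum -y install telnet-server telnet xinetd || return 1

  # Keep a copy of the distro config before overwriting it (the file only
  # exists when telnet-server is xinetd-based).
  [[ -f /etc/xinetd.d/telnet ]] && cp -a /etc/xinetd.d/telnet /etc/xinetd.d/telnet.bak
  #find / -name in.telnetd
  cat <<'EOF' > /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF

  # Allow root on the pseudo-terminals telnet sessions get. The backup is
  # taken once so the teardown can restore the pristine file.
  [[ -f /etc/securetty.bak.telnet ]] || cp -a /etc/securetty /etc/securetty.bak.telnet
  for tty in pts/0 pts/1; do
    grep -qx "$tty" /etc/securetty || printf '%s\n' "$tty" >> /etc/securetty
  done

  #chkconfig --add xinetd
  #service xinetd restart
  # /etc/redhat-release looks like "CentOS release 6.5 (Final)" or
  # "CentOS Linux release 7.9.2009 (Core)"; the second-to-last field is the
  # version. print (not printf) so the field is never used as a format string.
  version=$(awk '{print $(NF-1)}' /etc/redhat-release)
  if [[ $version == 6.* ]]; then
    chkconfig --add xinetd
    service xinetd restart || return 1
    # Open only the telnet port rather than "service iptables stop".
    if service iptables status >/dev/null 2>&1; then
      /sbin/iptables -I INPUT -p tcp --dport 23 -j ACCEPT
      #/etc/rc.d/init.d/iptables save
    fi
  else
    systemctl enable xinetd
    systemctl restart xinetd || return 1
    # Open only the telnet service rather than "systemctl stop firewalld".
    if systemctl is-active --quiet firewalld; then
      firewall-cmd --add-service=telnet --permanent && firewall-cmd --reload
    fi
  fi
  return 0
}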
2.SSH安装*
2.1 OpenSSL安装
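#######################################
# Build OpenSSL from the tarball in the current directory, install it under
# /usr/local/ssl and point /usr/bin/openssl and /usr/include/openssl at it.
# Globals:   SOFT_OPENSSL (written; tarball base name)
# Arguments: none
# Outputs:   build output on stdout/stderr; prints the installed version
# Returns:   0 on success, non-zero if a critical step fails
#
# NOTE(review): the page text mentions OpenSSL 1.1.1q while the script pins
# 1.1.1o; SOFT_OPENSSL must match the tarball actually downloaded.
# Changes from the original: the "-d" option is dropped from ./config (it
# selects a debug build in OpenSSL's config script), build steps abort the
# function instead of printing $? and continuing, the build runs in a
# subshell so a failed cd can no longer leave the caller one directory up,
# and the backup/symlink/ld.so.conf steps are idempotent on re-runs.
#######################################
install_openssl() {
  SOFT_OPENSSL=openssl-1.1.1o

  #0.2.install rpm packages (globs quoted so they reach yum, not the shell)
  #mount -o loop /usr/local/CentOS-7-x86_64-DVD-2003.iso /media
  yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel 'pam*' 'zlib*' || return 1

  #1.1.uncompress openssl
  #cd /opt
  if [[ ! -f "${SOFT_OPENSSL}.tar.gz" ]]; then
    printf 'missing %s.tar.gz in %s\n' "$SOFT_OPENSSL" "$PWD" >&2
    return 1
  fi
  tar -xzf "${SOFT_OPENSSL}.tar.gz" || return 1

  #1.2.Backup the distro openssl binary and headers; skipped when a previous
  # run already replaced them with symlinks.
  if [[ -e /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
    mv /usr/bin/openssl /usr/bin/openssl_bak
  fi
  if [[ -e /usr/include/openssl && ! -L /usr/include/openssl ]]; then
    mv /usr/include/openssl /usr/include/openssl_bak
  fi

  #1.3.install openssl
  (
    cd "$SOFT_OPENSSL" || exit 1
    ./config --prefix=/usr/local/ssl shared || exit 1
    make || exit 1
    make install || exit 1
  ) || return 1

  #1.4.openssl configuration (-sfn: replace an existing link on re-run)
  ln -sfn /usr/local/ssl/bin/openssl /usr/bin/openssl
  ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl
  ls -l /usr/bin/openssl
  ls -ld /usr/include/openssl

  [[ -f /etc/ld.so.conf.bak ]] || cp -a /etc/ld.so.conf /etc/ld.so.conf.bak
  grep -qx '/usr/local/ssl/lib' /etc/ld.so.conf || printf '%s\n' "/usr/local/ssl/lib" >> /etc/ld.so.conf
  /sbin/ldconfig

  #1.5.openssl version
  openssl version -a
}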
2.2 OpenSSH安装
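#######################################
# Build zlib and OpenSSH from tarballs in the current directory, install
# OpenSSH under /usr against the OpenSSL from install_openssl, adjust
# sshd_config and switch sshd to the contrib SysV init script.
# Globals:   SOFT_ZLIB, SOFT_OPENSSH (written; tarball base names)
# Arguments: none
# Outputs:   build output on stdout/stderr; prints the installed version
# Returns:   0 on success, non-zero if a critical step fails
#
# Changes from the original: sshd_config is backed up BEFORE it is edited
# (the original copied it after the sed calls, so the "backup" already held
# the changes); the PAM file goes to /etc/pam.d/sshd, the service name sshd
# actually looks up, instead of /etc/pam.d/sshd.pam; the new binary's config
# is validated with "sshd -t" before the restart; diffie-hellman-group1-sha1
# and diffie-hellman-group-exchange-sha1 are dropped from the legacy
# KexAlgorithms list; build steps abort instead of printing $? and going on.
#######################################
install_openssh() {
  #1.Set Path
  SOFT_ZLIB=zlib-1.2.11
  SOFT_OPENSSH=openssh-9.0p1
  local cfg=/etc/ssh/sshd_config
  local key

  #2.yum (globs quoted so they reach yum, not the shell)
  #mount -o loop /usr/local/CentOS-7-x86_64-DVD-2003.iso /media
  yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel 'pam*' 'zlib*' || return 1

  #3.uncompress
  tar -xzf "${SOFT_ZLIB}.tar.gz" || return 1
  tar -xzf "${SOFT_OPENSSH}.tar.gz" || return 1

  #4.install (each build in a subshell so the caller's cwd is untouched
  # even when a cd fails)
  (
    cd "$SOFT_ZLIB" || exit 1
    ./configure --prefix=/usr/local/zlib || exit 1
    make || exit 1
    make install || exit 1
  ) || return 1

  # Private host keys must not be readable by other users; 0600 is the mode
  # sshd expects. Only touch keys that exist.
  for key in /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ecdsa_key; do
    [[ -f "$key" ]] && chmod 600 "$key"
  done

  (
    cd "$SOFT_OPENSSH" || exit 1
    ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib --with-md5-passwords --with-pam || exit 1
    make || exit 1
    make install || exit 1
  ) || return 1

  #5.sshd_config — back up first, then edit
  [[ -f "${cfg}_bak" ]] || cp -a "$cfg" "${cfg}_bak"
  sed -i '/X11Forwarding/s/#X11Forwarding yes/X11Forwarding yes/' "$cfg"
  # Permits root password logins over ssh; "prohibit-password" is the safer
  # value once keys are deployed.
  sed -i '/PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' "$cfg"
  sed -i '/UseDNS/s/#UseDNS yes/UseDNS no/' "$cfg"
  grep -Ev '^#|^$' "$cfg" | grep -E 'X11Forwarding|PermitRootLogin|UseDNS'

  # Legacy KEX list for old clients, appended once. The original also listed
  # diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1; a
  # 1024-bit group and SHA-1 exchanges are removed here because re-enabling
  # them undoes part of what this upgrade is for. diffie-hellman-group14-sha1
  # is kept only for old clients — drop it too once none remain.
  grep -q '^KexAlgorithms' "$cfg" || \
    printf '%s\n' "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1" >> "$cfg"

  cp -a "${SOFT_OPENSSH}/contrib/redhat/sshd.init" /etc/init.d/sshd
  # sshd built --with-pam uses the PAM service "sshd", i.e. /etc/pam.d/sshd.
  [[ -f /etc/pam.d/sshd && ! -f /etc/pam.d/sshd.bak ]] && cp -a /etc/pam.d/sshd /etc/pam.d/sshd.bak
  cp -a "${SOFT_OPENSSH}/contrib/redhat/sshd.pam" /etc/pam.d/sshd

  #6.sshd cfg
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd
  chkconfig sshd on
  # On systemd hosts the packaged unit would shadow the init script; park it
  # and let systemd pick up the change.
  if [[ -f /usr/lib/systemd/system/sshd.service ]]; then
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
    systemctl daemon-reload
  fi
  # Validate the config with the NEW binary before restarting: a rejected
  # option would otherwise leave the host with no sshd at all.
  if ! /usr/sbin/sshd -t; then
    printf 'sshd -t failed; sshd was NOT restarted, fix %s first\n' "$cfg" >&2
    return 1
  fi
  /etc/init.d/sshd restart || return 1

  # NOTE(review): SELinux is switched off wholesale here, presumably because
  # the freshly built files are unlabelled — confirm. Relabelling the
  # installed paths (restorecon -R /usr/sbin/sshd /etc/ssh) is the narrower fix.
  setenforce 0
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  #7.version
  ssh -V
  #
}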
3.关闭 telnet 服务
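# Section 3: tear down the temporary telnet fallback that telnet_enable set up.
# Before running this, confirm a NEW ssh session to the upgraded sshd works —
# these commands remove the only other way in.
# Changes from the original: /etc/securetty is restored from the backup
# telnet_enable made (the original left root permitted on pts/0 and pts/1),
# and a telnet firewall rule is removed if one was added instead of stopping
# the firewall.

# stop the telnet service (telnet.socket only exists when telnet-server's own
# socket unit was in use; its absence is not an error here)
systemctl stop xinetd.service
systemctl stop telnet.socket 2>/dev/null

# uninstall the telnet service
yum remove xinetd telnet-server telnet -y

# undo the root-on-pts entries appended by telnet_enable
if [[ -f /etc/securetty.bak.telnet ]]; then
  cp -a /etc/securetty.bak.telnet /etc/securetty
fi

# re-enable the firewall
systemctl start firewalld.service
systemctl enable firewalld.service
# drop the telnet rule if tcp/23 was opened rather than the firewall stopped
# (prints a warning and skips the reload when no such rule exists)
firewall-cmd --remove-service=telnet --permanent 2>/dev/null && firewall-cmd --reload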
四、OpenSSH-9.0p1 升级脚本*
注:因为脚本是根据个人情况编写的,故有些有差异的地方需要根据实际情况修改!!
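#!/bin/bash
# Upgrade OpenSSH to 9.0p1 (against a locally built OpenSSL 1.1.1) on CentOS
# 6.x/7.x, keeping a temporary telnet fallback in case the new sshd does not
# come up. Run as root from the directory holding openssl-*.tar.gz,
# zlib-*.tar.gz and openssh-*.tar.gz; tear the fallback down with the
# section 3 commands once a fresh ssh login succeeds.
#
# Changes from the original: each stage aborts the script on failure instead
# of running on with a broken fallback or a broken OpenSSL; only tcp/23 is
# opened rather than stopping the firewall; "-d" (debug build) is dropped
# from OpenSSL's ./config; sshd_config is backed up before editing; the PAM
# file goes to /etc/pam.d/sshd; the new sshd validates its config before the
# restart; SHA-1/group1 key exchanges are not re-enabled.

#######################################
# Install and enable an xinetd-based telnet service as a temporary fallback
# login path while sshd is being replaced.
# Globals:   none
# Returns:   0 on success, non-zero if a critical step fails
# NOTE(review): telnet is cleartext and the securetty entries allow root on
# it; keep the window short.
#######################################
telnet_enable() {
  local version tty

  yum -y install telnet-server telnet xinetd || return 1

  [[ -f /etc/xinetd.d/telnet ]] && cp -a /etc/xinetd.d/telnet /etc/xinetd.d/telnet.bak
  #find / -name in.telnetd
  cat <<'EOF' > /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF

  # Backup taken once so the teardown can restore the pristine file; grep
  # keeps re-runs from appending duplicate entries.
  [[ -f /etc/securetty.bak.telnet ]] || cp -a /etc/securetty /etc/securetty.bak.telnet
  for tty in pts/0 pts/1; do
    grep -qx "$tty" /etc/securetty || printf '%s\n' "$tty" >> /etc/securetty
  done

  # Second-to-last field of /etc/redhat-release is the version ("6.5",
  # "7.9.2009"); every 6.x release uses SysV init, not only 6.5/6.9.
  version=$(awk '{print $(NF-1)}' /etc/redhat-release)
  if [[ $version == 6.* ]]; then
    chkconfig --add xinetd
    service xinetd restart || return 1
    if service iptables status >/dev/null 2>&1; then
      /sbin/iptables -I INPUT -p tcp --dport 23 -j ACCEPT
    fi
  else
    systemctl enable xinetd
    systemctl restart xinetd || return 1
    if systemctl is-active --quiet firewalld; then
      firewall-cmd --add-service=telnet --permanent && firewall-cmd --reload
    fi
  fi
  return 0
}

#######################################
# Build OpenSSL into /usr/local/ssl and point /usr/bin/openssl and
# /usr/include/openssl at it.
# Globals:   SOFT_OPENSSL (written)
# Returns:   0 on success, non-zero if a critical step fails
# NOTE(review): page text says OpenSSL 1.1.1q, the script pins 1.1.1o —
# SOFT_OPENSSL must match the tarball actually downloaded.
#######################################
install_openssl() {
  SOFT_OPENSSL=openssl-1.1.1o

  #0.2.install rpm packages
  #mount -o loop /usr/local/CentOS-7-x86_64-DVD-2003.iso /media
  yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel 'pam*' 'zlib*' || return 1

  #1.1.uncompress openssl
  #cd /opt
  if [[ ! -f "${SOFT_OPENSSL}.tar.gz" ]]; then
    printf 'missing %s.tar.gz in %s\n' "$SOFT_OPENSSL" "$PWD" >&2
    return 1
  fi
  tar -xzf "${SOFT_OPENSSL}.tar.gz" || return 1

  #1.2.Backup the distro binary/headers unless a previous run already linked them
  if [[ -e /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
    mv /usr/bin/openssl /usr/bin/openssl_bak
  fi
  if [[ -e /usr/include/openssl && ! -L /usr/include/openssl ]]; then
    mv /usr/include/openssl /usr/include/openssl_bak
  fi

  #1.3.install openssl (subshell: a failed cd cannot move the caller's cwd)
  (
    cd "$SOFT_OPENSSL" || exit 1
    ./config --prefix=/usr/local/ssl shared || exit 1
    make || exit 1
    make install || exit 1
  ) || return 1

  #1.4.openssl configuration
  ln -sfn /usr/local/ssl/bin/openssl /usr/bin/openssl
  ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl
  ls -l /usr/bin/openssl
  ls -ld /usr/include/openssl

  [[ -f /etc/ld.so.conf.bak ]] || cp -a /etc/ld.so.conf /etc/ld.so.conf.bak
  grep -qx '/usr/local/ssl/lib' /etc/ld.so.conf || printf '%s\n' "/usr/local/ssl/lib" >> /etc/ld.so.conf
  /sbin/ldconfig

  #1.5.openssl version
  openssl version -a
}

#######################################
# Build zlib and OpenSSH, install OpenSSH under /usr against the OpenSSL
# above, adjust sshd_config and switch sshd to the contrib SysV init script.
# Globals:   SOFT_ZLIB, SOFT_OPENSSH (written)
# Returns:   0 on success, non-zero if a critical step fails
#######################################
install_openssh() {
  #1.Set Path
  SOFT_ZLIB=zlib-1.2.11
  SOFT_OPENSSH=openssh-9.0p1
  local cfg=/etc/ssh/sshd_config
  local key

  #2.yum
  #mount -o loop /usr/local/CentOS-7-x86_64-DVD-2003.iso /media
  yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel 'pam*' 'zlib*' || return 1

  #3.uncompress
  tar -xzf "${SOFT_ZLIB}.tar.gz" || return 1
  tar -xzf "${SOFT_OPENSSH}.tar.gz" || return 1

  #4.install
  (
    cd "$SOFT_ZLIB" || exit 1
    ./configure --prefix=/usr/local/zlib || exit 1
    make || exit 1
    make install || exit 1
  ) || return 1

  # Private host keys must not be readable by other users (0600).
  for key in /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ecdsa_key; do
    [[ -f "$key" ]] && chmod 600 "$key"
  done

  (
    cd "$SOFT_OPENSSH" || exit 1
    ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib --with-md5-passwords --with-pam || exit 1
    make || exit 1
    make install || exit 1
  ) || return 1

  #5.sshd_config — back up BEFORE editing (the original copied it afterwards)
  [[ -f "${cfg}_bak" ]] || cp -a "$cfg" "${cfg}_bak"
  sed -i '/X11Forwarding/s/#X11Forwarding yes/X11Forwarding yes/' "$cfg"
  # Permits root password logins; "prohibit-password" is safer once keys exist.
  sed -i '/PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' "$cfg"
  sed -i '/UseDNS/s/#UseDNS yes/UseDNS no/' "$cfg"
  grep -Ev '^#|^$' "$cfg" | grep -E 'X11Forwarding|PermitRootLogin|UseDNS'

  # Legacy KEX list for old clients, appended once. diffie-hellman-group1-sha1
  # and diffie-hellman-group-exchange-sha1 from the original list are left
  # out: a 1024-bit group and SHA-1 exchanges undo part of what this upgrade
  # is for. group14-sha1 stays only for old clients — drop it when none remain.
  grep -q '^KexAlgorithms' "$cfg" || \
    printf '%s\n' "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1" >> "$cfg"

  cp -a "${SOFT_OPENSSH}/contrib/redhat/sshd.init" /etc/init.d/sshd
  # sshd built --with-pam reads the PAM service "sshd" (/etc/pam.d/sshd), not
  # the /etc/pam.d/sshd.pam the original wrote.
  [[ -f /etc/pam.d/sshd && ! -f /etc/pam.d/sshd.bak ]] && cp -a /etc/pam.d/sshd /etc/pam.d/sshd.bak
  cp -a "${SOFT_OPENSSH}/contrib/redhat/sshd.pam" /etc/pam.d/sshd

  #6.sshd cfg
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd
  chkconfig sshd on
  if [[ -f /usr/lib/systemd/system/sshd.service ]]; then
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
    systemctl daemon-reload
  fi
  # Validate with the NEW binary before restarting so a rejected option
  # cannot leave the host without sshd.
  if ! /usr/sbin/sshd -t; then
    printf 'sshd -t failed; sshd was NOT restarted, fix %s first\n' "$cfg" >&2
    return 1
  fi
  /etc/init.d/sshd restart || return 1

  # NOTE(review): SELinux is disabled wholesale, presumably because the
  # freshly built files are unlabelled — confirm; restorecon -R on
  # /usr/sbin/sshd and /etc/ssh is the narrower fix.
  setenforce 0
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  #7.version
  ssh -V
  #
}

# Stop at the first failed stage: without the fallback or without a working
# OpenSSL, continuing only makes recovery harder.
telnet_enable || exit 1
install_openssl || exit 1
install_openssh || exit 1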
