背景:安全扫描,扫描出ssh高危漏洞 OpenSSH用户枚举(CVE-2018-15473)【POC】,解决办法是将OpenSSH升级到7.7或更高版本。
首先登录服务器检查各个包
rpm -qa | grep telnet
rpm -qa | grep pam
rpm -qa | grep zlib
rpm -qa | grep xinetd
如果没有,则安装依赖包
所有所需的依赖包,放在网盘里了,大家自提:
链接: https://pan.baidu.com/s/1D6-rOKQa6wRB1y8UBpILAQ 提取码: pqxh
安装依赖包
rpm -Uvh telnet-0.17-65.el7_8.x86_64.rpm
rpm -Uvh telnet-server-0.17-65.el7_8.x86_64.rpm
rpm -Uvh pam-1.1.8-23.el7.x86_64.rpm
rpm -Uvh pam-devel-1.1.8-23.el7.x86_64.rpm
rpm -Uvh zlib-1.2.7-18.el7.x86_64.rpm
rpm -Uvh zlib-devel-1.2.7-18.el7.x86_64.rpm
rpm -Uvh xinetd-2.3.15-14.el7.x86_64.rpm
关闭selinux
这一步影响我很久,这很关键
#vim /etc/selinux/config
将selinux设置为disable
SELINUX=disabled
这一步之后一定要重启reboot,不然安装后也登不上去
rpm -ivh --force cpp-4.8.5-39.el7.x86_64.rpm
rpm -ivh --force libgcc-4.8.5-39.el7.x86_64.rpm
rpm -ivh --force libgomp-4.8.5-39.el7.x86_64.rpm
rpm -ivh --force libstdc++-4.8.5-39.el7.x86_64.rpm
rpm -ivh --force libstdc++-devel-4.8.5-39.el7.x86_64.rpm
rpm -ivh --force gcc-4.8.5-39.el7.x86_64.rpm
rpm -ivh --force gcc-c++-4.8.5-39.el7.x86_64.rpm
启动xinetd
systemctl start xinetd
systemctl status xinetd
注意:这里我比较胆子大,没用启动telnet服务,若保险一点可以先启动telnet服务,这样可以通过telnet登录
安装zlib
1.解压安装
tar -zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib-1.2.11 -share
make && make install
ln -s /usr/local/zlib-1.2.11 /usr/local/zlib
2.将zlib动态函数库加载到高速缓存中
echo "/usr/local/zlib-1.2.11/lib" >> /etc/ld.so.conf
ldconfig -v
安装openssl
1.解压安装
tar zxvf openssl-1.0.2m.tar.gz
cd openssl-1.0.2m
./config shared zlib-dynamic --prefix=/usr/local/openssl-1.0.2m --with-zlib-lib=/usr/local/zlib-1.2.11/lib --with-zlib-include=/usr/local/zlib-1.2.11/include
make && make install
ln -s /usr/local/openssl-1.0.2m /usr/local/openssl
2.将openssl工具集路径加入到path路径中
echo "/usr/local/openssl-1.0.2m/lib" >> /etc/ld.so.conf
ldconfig -v
3.查看版本是否正确
openssl version -a
安装openssh
1.解压安装
tar -xzvf openssh-8.0p1.tar.gz
cd openssh-8.0p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --mandir=/usr/share/man
make && make install
2.配置
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
sed -i '/UsePAM no/c\UsePAM yes' /etc/ssh/sshd_config
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
sed -i '/^Subsystem/c\Subsystem sftp /usr/libexec/sftp-server' /etc/ssh/sshd_config
sed -i '/^SELINUX=enforcing/c\SELINUX=disabled' /etc/selinux/config
setenforce 0
3.查看版本
sshd -v
测试sshd能否登陆
如果不能登录,执行全路径启动ssh
/usr/sbin/sshd -p 22
若启动报错
执行赋权 chmod 600 /etc/ssh/ssh_host_ecdsa_key
同样的报错哪个就这样赋哪个文件的权限
最后一步
设置sshd开机自启动
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd