CentOS 7 在启用 SELinux 的环境下更新OpenSSH 9.0、OpenSSL 3.0.5、Kernel 5.4

###相关 tar 包和汇总表
链接:https://pan.baidu.com/s/1IZGch4gMWohCmW3Th23Z7Q?pwd=trfi 
提取码:trfi 

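# Hardening runbook: OpenSSH 9.0p1 + OpenSSL 3.0.5 + LTS kernel on CentOS 7 (SELinux on).
# This is a step-by-step runbook, not an unattended script: run it as root one
# section at a time, and keep a second login (telnet, see below) open while sshd
# is being replaced.  The `su` lines mark where the author switches to root and
# are interactive; the `*=` lines must be filled in by hand before continuing.

# --- sanity check: /dev/null must be a character device 1,3, mode 0666, root:root
# (stat prints "Access: (0666/crw-rw-rw-) Uid: (0/root) Gid: (0/root)" and "Device type: 1,3").
stat /dev/null

# Repair /dev/null only if the stat above shows it is not a 1,3 char device.
rm -f -- /dev/null && mknod -m 666 /dev/null c 1 3

# Confirm the CentOS release before applying the 7.6/7.9 dependency bundles.
cat /etc/redhat-release

# Upload system-tools.tar.gz, unpack it and install the helper tools (pwgen etc.).
tar zxvf system-tools.tar.gz
cd system-tools/
su
yum -y localinstall ./*.rpm
cd ..

# Unpack the telnet, OpenSSH and OpenSSL archives.
tar zxvf telnet.tar.gz
tar zxvf openssh-9.0p1.tar.gz
tar zxvf openssl102k.tar.gz
tar zxvf openssl-3.0.5.tar.gz

# Upload and install the CentOS 7.6 dependency bundle.
tar zxvf dependencies-7.6.tar.gz
cd dependencies-7.6/
su
yum -y localinstall ./*.rpm
cd ..

# Upload and install the CentOS 7.9 dependency bundle.
tar zxvf dependencies-7.9.tar.gz
cd dependencies-7.9/
su
yum -y localinstall ./*.rpm
cd ..

# === account and password policy ===
# Back up every file before it is edited in place.
cp -p /etc/login.defs /etc/login.defs.bak
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
# Only the stock default values are rewritten; a line that was already
# customised does not match and is left alone -- check login.defs afterwards.
sed -i -r -e '/^\s*PASS_MAX_DAYS\s+99999\s*$/ s/99999\s*$/90/' /etc/login.defs
sed -i -r -e '/^\s*PASS_MIN_DAYS\s+0\s*$/ s/0\s*$/7/' /etc/login.defs
sed -i -r -e '/^\s*PASS_MIN_LEN\s+5\s*$/ s/5\s*$/12/' /etc/login.defs
# Lock the account after 6 failures (root included).  The rule is inserted at
# line 4 of system-auth, which assumes an unmodified stock file -- verify the
# position if the file was edited before.
sed -i '4i auth        required      pam_tally2.so deny=6 unlock_time=300 even_deny_root root_unlock_time=60 audit ' /etc/pam.d/system-auth
# Password history (5) and complexity (12 chars, one of each class, also for root).
sed -i '/use_authtok/ s/$/& remember=5/' /etc/pam.d/system-auth
sed -i '/pam_pwquality.so/ s/$/& minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root/' /etc/pam.d/system-auth
echo 'password   required     pam_pwquality.so retry=3' >> /etc/pam.d/passwd
chage --maxdays 90 root
chage --mindays 7 root
chage --warndays 7 root

# --- the unprivileged account ---
# Fill in the account name, e.g. username=super.  The guard aborts while the
# value is empty: with an empty name `passwd` would change the password of the
# current (root) user instead, and the chage calls would fail.
username=
: "${username:?set username before continuing}"
printf '%s\n' "$username"

# Generate candidate passwords (12 characters, mixed classes, 5 candidates).
pwgen -scnyC1 12 5

# Set the password interactively.
passwd "$username"

# Apply the ageing policy and record the expiry dates.
chage --maxdays 90 "$username"
chage --mindays 7 "$username"
chage --warndays 7 "$username"
chage -l "$username"

# Temporarily stop SELinux enforcement and the firewall so they do not mask
# build/install problems.  setenforce is runtime-only and /etc/selinux/config is
# not touched, so enforcing mode returns with the final reboot; firewalld is
# started again below.
su
setenforce 0
systemctl stop firewalld

# === OpenSSL ===
# Record the versions in use before the upgrade.
ssh -V
openssl version -a
rpm -qa | grep openssl

# Patch the system OpenSSL 1.0.2k from RPMs (the distro's yum/curl keep using it).
cd openssl102k
yum -y localinstall ./*.rpm
# --nodeps --force bypasses dependency and version checks; it is the author's
# offline-install workaround, so confirm the result with `rpm -qa | grep openssl`.
rpm -Uvh ./*.rpm --nodeps --force

# Build OpenSSL 3.0.5 into its own prefix; the 1.0.2k system library stays in place.
cd ..
cd openssl-3.0.5/
mkdir -p /usr/local/openssl3
./config --prefix=/usr/local/openssl3
make && make install

# Expose the new binary as openssl3 and its libraries to the loader without
# replacing the system ones (different sonames, so they coexist).
ln -s /usr/local/openssl3/bin/openssl /usr/bin/openssl3
echo "/usr/local/openssl3/lib64" >> /etc/ld.so.conf
ldconfig -v

# Both versions should report now.
openssl version -a
openssl3 version -a

# === OpenSSH ===
# Back up the ssh and PAM configuration.  (The original copied pam.d to the
# mistyped relative path "c<date>"; the backup now sits next to the original.)
cp -r /etc/ssh "/etc/ssh.bak-$(date -I)"
cp -r /etc/pam.d "/etc/pam.d.bak-$(date -I)"

# Fallback login path while sshd is replaced: install telnet from RPM.
# Telnet is cleartext; it is removed again at the end of this section.
cd ..
cd telnet/
rpm -Uvh ./*.rpm --nodeps --force
rpm -qa | grep -E "xinetd|telnet"
# Allow root on the telnet pseudo-terminals; these two lines are removed again
# together with telnet below.
echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
systemctl start telnet.socket
systemctl start xinetd

# Verify that port 23 is listening, then log in from the workstation
# (on Windows: `telnet <server-ip>`) and do the next steps in that session.
ss -antl | grep ':23 '

# Upgrade sshd from the telnet session, not from an ssh session.
ssh -V
su
systemctl stop sshd
# Removing /etc/ssh drops the old host keys; `make install` below creates new
# ones, so every client will see a changed host key on its first reconnect.
rm -rf /etc/ssh
ss -antp | grep sshd

# Drop any remaining ssh sessions (optional).
killall sshd
ss -antp | grep sshd

# Build and install OpenSSH against OpenSSL 3.  --prefix=/usr overwrites the
# distro's /usr/sbin/sshd and /usr/bin/ssh while the openssh RPMs stay registered.
cd openssh-9.0p1/
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl3 --with-zlib --with-pam
make && make install

# Write the hardened sshd_config (quoted delimiter: nothing is expanded).
cat >/etc/ssh/sshd_config <<'EOF'
Protocol 2
UsePAM yes
MaxAuthTries 6
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 3
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts no
HostbasedAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PrintMotd no
PrintLastLog no
X11Forwarding yes
StrictModes yes
TCPKeepAlive yes
PermitEmptyPasswords no
Compression yes
UseDNS no
Banner none
LogLevel INFO
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
# Lockout policy for ssh logins, inserted after the first line of /etc/pam.d/sshd.
sed -i '1a auth       required     pam_tally2.so onerr=fail deny=6 unlock_time=60 even_deny_root root_unlock_time=10' /etc/pam.d/sshd

# The account allowed to log in (same value as above, e.g. username=super).
# The guard prevents writing an AllowUsers line with no user name in it.
username=
: "${username:?set username before continuing}"
printf '%s\n' "$username"

# First three octets of the network allowed to reach sshd, e.g. remoteNET=192.168.11.
remoteNET=
: "${remoteNET:?set remoteNET before continuing}"
printf '%s\n' "$remoteNET"

# Restrict who may log in and from where.  AllowUsers is the effective control:
# OpenSSH dropped its tcp_wrappers (libwrap) support in 6.7, so the hosts.allow
# and hosts.deny entries do not apply to this sshd; they are kept only for any
# other tcp_wrappers-aware service on the host.
echo "AllowUsers $username@$remoteNET.0/24" >> /etc/ssh/sshd_config
# internal-sftp needs no external binary.  The original pointed at
# /usr/libexec/openssh/sftp-server, which belongs to the old openssh RPM, not to
# this build (it installs sftp-server under /usr/libexec/).
echo "Subsystem sftp internal-sftp" >> /etc/ssh/sshd_config
echo "MaxStartups 10:20:30" >> /etc/ssh/sshd_config
echo "sshd:$remoteNET.0/24:allow" >> /etc/hosts.allow
echo 'sshd:all:deny' >> /etc/hosts.deny
# Validate the configuration before starting anything.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

# Start sshd through the contributed SysV script, then turn the unit that
# systemd generates for it into the permanent sshd.service (RPM unit kept as .bak).
\cp -r contrib/redhat/sshd.init /etc/init.d/
chmod +x /etc/init.d/sshd.init
/etc/init.d/sshd.init start
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
\cp -r /run/systemd/generator.late/sshd.init.service /usr/lib/systemd/system/sshd.service
systemctl daemon-reload
systemctl restart sshd

# Log in over ssh; keep the telnet session open until this succeeds.
ssh -V
su
systemctl enable sshd
systemctl status sshd

# Re-enable the firewall with ssh allowed.
su
systemctl start firewalld
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --reload
sshd -t

# Log in over ssh once more; when that works, remove telnet and undo the
# temporary securetty change so root is not left with extra login ttys.
su
systemctl stop telnet.socket
systemctl stop xinetd
rpm -qa | grep -E "telnet|xinetd" | xargs -r rpm -e --nodeps
sed -i -e '/^pts\/0$/d' -e '/^pts\/1$/d' /etc/securetty

# === LTS kernel ===
# Unpack the kernel-lt RPMs once (the original extracted the archive twice).
tar zxvf kernel-lt.tar.gz

# Record the installed kernel packages.
rpm -qa | grep kernel

# Install the LTS kernel FIRST and keep the running 3.10 kernel as a fallback.
# (The original removed 3.10 before installing 5.4; a failed install would then
# have left the machine with no bootable kernel.)
# Assumes kernel-lt.tar.gz was uploaded to and extracted in /home/$username.
username=
: "${username:?set username before continuing}"
cd "/home/$username/kernel"
su
# --nodeps --force: offline install of the bundled RPMs; kernel-lt-headers may
# collide with the stock kernel-headers, which is removed after the reboot.
rpm -Uvh ./*.rpm --nodeps --force
rpm -qa | grep kernel

# List the boot entries; the new kernel is expected at index 0.
awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg

# Boot the first entry by default, regenerate grub.cfg and reboot.
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

# After the reboot: confirm the running kernel is the 5.4 one, then remove the
# old 3.10 packages (quoted loop variable; --nodeps as in the original).
uname -r
for pkg in $(rpm -qa | grep kernel | grep 3.10); do rpm -e "$pkg" --nodeps; done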
