主机安全加固之-openssh版本升级

升级openssh之前，为了保证能正常通过工具连接主机，咱们开启telnet服务，通过telnet的方式登录主机

一：开启telnet服务

1.安装telnet服务

[root@localhost ~]# yum install –y telnet telnet-server xinetd

2.修改telnet服务配置文件,重启服务

centos7.0配置文件为/etc/xinetd.conf，无需修改配合文件中disable，已被注释；
低版本centos配置文件为/etc/xinetd.d/telnet，修改disable=yes为，disable=no；
这样telnet服务就启动了
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# systemctl restart xinetd

3.通过telnet的方式登录主机验证一下
telnet验证不通过，需要修改/etc/pam.d/remote和/etc/pam.d/login注释掉第一行

[root@localhost ~]# vi /etc/pam.d/remote
#auth       required     pam_securetty.so
[root@localhost ~]# vi /etc/pam.d/login
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
重启xinetd服务
[root@localhost ~]# systemctl restart xinetd

修改完上面两处，重启完xinetd服务，登录验证通过

二：升级openssl服务

查看openssl服务的版本
[root@localhost ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
下载openssl程序安装包
[root@localhost openssh]# cd /usr/local/
[root@localhost local]# wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz --no-check-certificate
--2024-01-31 05:35:39--  https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz
Resolving www.openssl.org (www.openssl.org)... 34.36.58.177, 2600:1901:0:1812::
Connecting to www.openssl.org (www.openssl.org)|34.36.58.177|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9881866 (9.4M) [application/x-tar]
Saving to: ‘openssl-1.1.1t.tar.gz’

100%[==========================================================================================================>] 9,881,866   2.77MB/s   in 3.4s

2024-01-31 05:35:44 (2.77 MB/s) - ‘openssl-1.1.1t.tar.gz’ saved [9881866/9881866]
解压
[root@localhost local]# tar -xf openssl-1.1.1t.tar.gz
[root@localhost local]# ls -ltr
total 9656
drwxr-xr-x.  2 root root       6 Apr 11  2018 src
drwxr-xr-x.  2 root root       6 Apr 11  2018 sbin
drwxr-xr-x.  2 root root       6 Apr 11  2018 libexec
drwxr-xr-x.  2 root root       6 Apr 11  2018 lib64
drwxr-xr-x.  2 root root       6 Apr 11  2018 lib
drwxr-xr-x.  2 root root       6 Apr 11  2018 include
drwxr-xr-x.  2 root root       6 Apr 11  2018 games
drwxr-xr-x.  2 root root       6 Apr 11  2018 etc
drwxrwxr-x. 19 root root    4096 Feb  7  2023 openssl-1.1.1t
drwxr-xr-x.  5 root root      49 Oct 13 14:48 share
-rw-r--r--.  1 root root 9881866 Dec  4 09:38 openssl-1.1.1t.tar.gz
drwxr-xr-x. 12 root root     198 Jan 15 04:59 nginx
drwxr-xr-x.  2 root root      28 Jan 15 08:42 bin
编译安装openssl
[root@localhost local]# cd openssl-1.1.1t
[root@localhost openssl-1.1.1t]# ./config shared --prefix=/usr/local/openssl
[root@localhost openssl-1.1.1t]# make -j 4
[root@localhost openssl-1.1.1t]# make install
为openssl做软连接
[root@localhost openssl-1.1.1t]# echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1t]# ldconfig
[root@localhost openssl-1.1.1t]#
备份以前的openssl
[root@localhost openssl-1.1.1t]# mv /usr/bin/openssl /usr/bin/openssl.old
软连接，如果提示软连接已存在，记得备份软连接，然后在执行下面再次软连接，要不然会出问题
[root@localhost openssl-1.1.1t]# ln -sv /usr/local/openssl/bin/openssl /usr/bin/openssl
‘/usr/bin/openssl’ -> ‘/usr/local/openssl/bin/openssl’
[root@localhost openssl-1.1.1t]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@localhost openssl-1.1.1t]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
验证一下openssl是否更新成功
[root@localhost openssl-1.1.1t]# openssl version
OpenSSL 1.1.1t  7 Feb 2023

三：升级openssh服务

查看、备份并卸载原有OpenSSH
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
备份现有的SSH
[root@localhost ~]# mv /etc/ssh/ /etc/ssh.bak
[root@localhost ~]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@localhost ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
如果您是第一次升级，备份/etc/init.d/sshd时会不存在，不影响后续操作
[root@localhost ~]# mv /etc/init.d/sshd /etc/init.d/sshd.bak
mv: cannot stat ‘/etc/init.d/sshd’: No such file or directory
卸载现有OpenSSH
[root@localhost ~]# rpm -qa | grep openssh
openssh-server-7.4p1-22.el7_9.x86_64
openssh-7.4p1-22.el7_9.x86_64
openssh-clients-7.4p1-22.el7_9.x86_64
[root@localhost ~]# rpm -e --nodeps $(rpm -qa |grep openssh)
下载openssh服务的二进制包
[root@localhost ~]# cd /usr/local/
[root@localhost local]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
[root@localhost local]# tar -xf openssh-9.3p1.tar.gz
[root@localhost local]# cd openssh-9.3p1
编译安装
[root@localhost openssh-9.3p1]# CCFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib64" ./configure --sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/openssl
[root@localhost openssh-9.3p1]# make -j 4
[root@localhost openssh-9.3p1]# make install
[root@localhost openssh-9.3p1]# chmod 600 /etc/ssh/*
复制配置文件
root@localhost openssh-9.3p1]# cp -rf /usr/local/sbin/sshd /usr/sbin/sshd
[root@localhost openssh-9.3p1]# cp -rf /usr/local/bin/ssh /usr/bin/ssh
[root@localhost openssh-9.3p1]# cp -rf /usr/local/bin/ssh-keygen /usr/bin/ssh-keygen
[root@localhost openssh-9.3p1]# cp -ar /usr/local/openssh-9.3p1/contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-9.3p1]# cp -ar /usr/local/openssh-9.3p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
修改配置允许root用户远程登录
[root@localhost openssh-9.3p1]# cat >>/etc/ssh/sshd_config<<EOF
> PermitRootLogin yes
> X11Forwarding yes
> PasswordAuthentication yes
> KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
> EOF
[root@localhost openssh-9.3p1]# sed -i "s/^#Port/Port/g" /etc/ssh/sshd_config
[root@localhost openssh-9.3p1]# chmod 755 /etc/init.d/sshd
启用sshd，生成服务配置文件，并重启服务
[root@localhost openssh-9.3p1]# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
[root@localhost openssh-9.3p1]# systemctl restart sshd
[root@localhost openssh-9.3p1]# ssh -V
OpenSSH_9.3p1, OpenSSL 1.1.1t  7 Feb 2023