openssh最近披露了一个漏洞(原文未注明编号,请对照 OpenSSH 官方 release notes 核实),需要升级到7.9版本,但centos的yum源只有7.4版本,必须手动编译升级。注意:卸载系统包之后,yum 的安全更新不再覆盖 sshd,后续补丁要自己跟进;建议在 yum 里加 exclude=openssh*(或 versionlock),避免以后因依赖关系把系统包装回来、与手工编译的版本并存。
安装过程参考后面脚本,需根据实际修改。步骤解释:
1)从官网获取升级文件(同时下载对应的 .asc 签名文件,用 OpenSSH 发布密钥校验后再解压,避免使用被篡改的源码包)
2)删除原来的openssh 及ssh服务。
注意:此时为了保证出错时还能连接服务器,先多开一个窗口备用。
注意2:如果不删除系统自带的服务,原先的 sshd.service 单元需要另外修改才能指向新编译的 sshd;此处采用先删除再安装的方法,两种做法的实现方式不同。
3)解压编译安装
注意:最好用 --sysconfdir=/etc/ssh 指定配置文件目录(这样能沿用原有的主机密钥);安装目录可以不指定,默认前缀是 /usr/local(可执行文件在 /usr/local/bin,sshd 在 /usr/local/sbin),在 PATH 里一般排在 /usr/bin、/usr/sbin 之前,但 init 脚本里写死的 /usr/sbin/sshd 必须改成 /usr/local/sbin/sshd。
如果 configure 报找不到 OpenSSL 的头文件/版本(自行编译的 OpenSSL 不在默认路径),可以指定 --with-ssl-dir=/usr/local/lib64(以实际安装路径为准)
要使ulimit对登录用户生效,加上 --with-pam ,前提安装pam-devel
4)修改sshd_config,指定ssh服务端口和一些安全选项(追加的配置要放在任何 Match 块之前,否则只对该 Match 生效;若开启了防火墙/SELinux,新端口 5922 还需要放行,例如 firewall 规则和 semanage port -a -t ssh_port_t -p tcp 5922)
5)在/etc/pam.d/加入sshd文件(系统包的 /etc/pam.d/sshd 会随 yum erase 一起被删除;下面是最小栈,系统包自带的版本通常还包含 pam_loginuid 等模块,可对照备份决定是否保留)
auth include password-auth
account include password-auth
password include password-auth
session include password-auth
6)将sshd加入服务
7)重启
此时脚本执行完毕
8)验证是否可连接
9)其他服务器连接已升级的服务器时,如果主机密钥变了会报 host key 警告:应尽量保留原来的 /etc/ssh/ssh_host_* 密钥避免出现这种情况;只有确认密钥确实重新生成过,才删除 ~/.ssh/known_hosts 里对应的记录,不要养成一报警就删 known_hosts 的习惯(这正是中间人攻击需要的习惯)。
[root@msg7 openssh]# more openssh.sh
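#!/bin/sh
# Build OpenSSH 7.9p1 from source on CentOS 7 and replace the distribution
# package with it (the yum repo stops at 7.4).  Run as root from a SECOND,
# already-open SSH session: removing the package stops the running sshd, so no
# new logins are possible from that point until the restart at the end works.
#
# Ordering is deliberate: every step that can fail on its own (pam-devel,
# signature check, configure, make) runs BEFORE the packaged sshd is removed,
# so a build problem leaves the old, working service untouched.
#
# Operational caveats:
#   * With the package gone, yum security updates no longer cover sshd; you
#     own patching from now on.  A yum exclude=openssh* (or versionlock) keeps
#     a later dependency pull from putting /usr/sbin/sshd back beside this build.
#   * Port 5922 also needs a firewall rule and, on an enforcing SELinux host,
#     probably `semanage port -a -t ssh_port_t -p tcp 5922`.
#   * The old host keys are carried over so clients do not get a "host key
#     changed" warning (telling people to wipe known_hosts trains the habit an
#     attacker needs for a MITM).

set -u

SRC_DIR=$HOME/patch/openssh
TARBALL=openssh-7.9p1.tar.gz
SRC_TREE=openssh-7.9p1
BAK_DIR=$HOME/patch/bak
STAMP=$(date "+%s")

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
#wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz.asc

cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"

# Supply-chain check: verify the detached signature with the OpenSSH release
# key (import it beforehand; an unknown key fails the check, which is what we
# want).  Without the .asc we can only warn -- do not run this against an
# unverified tarball on anything that matters.
if [ -f "$TARBALL.asc" ]; then
  gpg --verify "$TARBALL.asc" "$TARBALL" || die "signature check of $TARBALL failed"
else
  printf 'WARNING: %s.asc not found, tarball signature NOT verified\n' "$TARBALL" >&2
fi

# --with-pam needs the PAM headers at configure time, so pam-devel has to be
# present before ./configure runs (installing it afterwards, as the old script
# did, cannot affect the already-configured build).
yum install pam-devel -y || die "yum install pam-devel failed"

tar -zxvf "$TARBALL" || die "cannot extract $TARBALL"
cd "$SRC_TREE" || die "$SRC_TREE missing after extract"

# sysconfdir stays /etc/ssh so the existing host keys are reused; binaries go
# to the default /usr/local prefix.  --with-ssl-dir points at the self-built
# OpenSSL in /usr/local/lib64 because the stock one is too old for 7.9.
./configure --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/lib64 --with-pam \
  || die "configure failed"
make || die "make failed"

# From here on the old installation is dismantled; the build is already known
# to be good.  Back up what the package removal is going to delete first.
mkdir -p "$BAK_DIR" || die "cannot create $BAK_DIR"
cp -a /etc/ssh "$BAK_DIR/ssh.$STAMP" || die "cannot back up /etc/ssh"
[ -f /etc/pam.d/sshd ] && cp -a /etc/pam.d/sshd "$BAK_DIR/sshd.pam.$STAMP"
systemctl disable sshd
[ -f /usr/lib/systemd/system/sshd.service ] && \
  cp -a /usr/lib/systemd/system/sshd.service "$BAK_DIR/sshd.service.$STAMP"

# -y also removes anything that depends on openssh; check the removal list on
# a test host before trusting this on production.
yum erase openssh -y || die "yum erase openssh failed"

# Rebuild /etc/ssh with only the old host keys in it: make install's host-key
# target generates just the keys that are missing, so the host identity is
# preserved while ssh_config/sshd_config/moduli come fresh from 7.9.
rm -rf -- /etc/ssh
mkdir -p /etc/ssh && chmod 755 /etc/ssh
cp -a "$BAK_DIR/ssh.$STAMP"/ssh_host_* /etc/ssh/ 2>/dev/null \
  || printf 'WARNING: no old host keys found, new ones will be generated\n' >&2

make install || die "make install failed -- old config is in $BAK_DIR/ssh.$STAMP"
[ -f /etc/ssh/sshd_config ] || die "make install did not create /etc/ssh/sshd_config"
echo sshd_config ok,go on.

# sshd honours the first occurrence of a keyword and the shipped file has
# these only commented out, so appending is effective.  They must stay above
# any Match block added later, or they become conditional.  "Protocol 2" is a
# no-op on this version (SSHv1 is long gone) and is kept only for readability.
cat >> /etc/ssh/sshd_config <<'EOF'
Port 22
Port 5922
Protocol 2
PermitRootLogin no
UsePAM yes
EOF
chmod 640 /etc/ssh/sshd_config

# The packaged init script hardcodes /usr/sbin/sshd and /usr/bin/ssh-keygen;
# rewrite those to the /usr/local prefix used by make install.
cp contrib/redhat/sshd.init /etc/init.d/sshd || die "cannot install init script"
sed -i 's#/usr/#/usr/local/#g' /etc/init.d/sshd
chmod 755 /etc/init.d/sshd

# PAM stack for the new sshd (the package's /etc/pam.d/sshd went away with it;
# contrib/redhat/sshd.pam is the upstream alternative).  Written, not appended,
# so a re-run does not duplicate lines.  This is the minimal stack; compare it
# with the backed-up copy in $BAK_DIR before deciding the extra modules the
# package version carried are not needed here.
cat > /etc/pam.d/sshd <<'EOF'
#%PAM-1.0
auth include password-auth
account include password-auth
password include password-auth
session include password-auth
EOF

chkconfig --add sshd || die "chkconfig --add sshd failed"
chkconfig sshd on

# Validate config and host keys before touching the service.
/usr/local/sbin/sshd -t \
  || die "sshd -t rejects the new configuration; fix it, then: systemctl restart sshd"

cd "$SRC_DIR" || die "cannot return to $SRC_DIR"
if systemctl restart sshd; then
  sh ./hidever.sh
  echo ok
else
  printf 'restart failed. backups: %s/ssh.%s, %s/sshd.service.%s\n' \
    "$BAK_DIR" "$STAMP" "$BAK_DIR" "$STAMP" >&2
  exit 1
fi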
------------
hidever.sh 隐藏ssh版本(只是把 banner 里的版本数字改掉,属于混淆手段:扫描器仍可通过密钥交换/加密算法列表做指纹识别,它不能替代打补丁;而且改过的 sshd 会被文件完整性检查标记为已修改,每次重新编译后都要再做一次)
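#!/bin/sh
# Blank out the version digits in sshd's banner ("OpenSSH_7.9" -> "OpenSSH_A.A")
# by patching the installed binary in place.
#
# What this does NOT do: it gives no protection against a real vulnerability,
# and the server is still fingerprintable from its KEX/cipher/MAC lists, so
# treat it as cosmetic.  It also leaves sshd as a modified binary that
# file-integrity tooling will (rightly) flag, and it must be redone after
# every rebuild.

set -u

SSHD=/usr/local/sbin/sshd
BAK=$SSHD.bak

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

[ -x "$SSHD" ] || die "$SSHD not found"

# Read the version from the binary itself rather than from a live telnet
# session: no dependency on telnet being installed or on sshd already
# listening on 22, no sleep-based timing, and no stray \r from the banner's
# CRLF ending up inside the sed pattern.  Anchor on the portable release form
# (OpenSSH_X.YpN), which is unambiguous, then drop the pN suffix to get the
# banner form the old script used.
rel=$(grep -a -o -E 'OpenSSH_[0-9]+\.[0-9]+p[0-9]+' "$SSHD" | head -n 1)
[ -n "$rel" ] || die "no OpenSSH_<ver>p<n> string in $SSHD (already patched?)"
ver=${rel%p[0-9]*}

# The value is about to be interpolated into a sed expression, so insist on
# the exact shape we expect before using it.
printf '%s\n' "$ver" | grep -q -E '^OpenSSH_[0-9]+\.[0-9]+$' \
  || die "unexpected version string: $ver"

newver=$(printf '%s' "$ver" | sed 's/[0-9]/A/g')
# Digit -> letter keeps the length identical; a different length would shift
# the rest of the ELF and break the binary, so refuse anything else.
[ ${#ver} -eq ${#newver} ] || die "replacement length mismatch"
pattern=$(printf '%s' "$ver" | sed 's/\./\\./g')   # literal dots in the regex

echo "oldversion=$ver,newversion=$newver"

# Keep one pristine copy to roll back to (the first run wins, as before).
[ -f "$BAK" ] || cp -p "$SSHD" "$BAK" || die "cannot back up $SSHD"

systemctl stop sshd
# GNU sed -i rewrites through a temp copy and keeps the mode; every occurrence
# is replaced, including the prefix inside the "OpenSSH_X.YpN" release string.
sed -i "s/$pattern/$newver/g" "$SSHD" || die "sed failed, sshd left unchanged"

# Sanity-check the patched binary before putting it back in service; on a
# failure restore the backup so the host does not end up without sshd.
if ! "$SSHD" -t; then
  cp -p "$BAK" "$SSHD"
  die "patched sshd fails 'sshd -t'; original restored"
fi
systemctl restart sshd || die "sshd failed to start after patching"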