主要是云服务器ssh版本太低,入网时扫出如下安全漏洞:
OpenSSH 用户枚举漏洞(CVE-2018-15473)
OpenSSH 用户枚举漏洞(CVE-2018-15919)
OpenSSH 安全漏洞(CVE-2017-15906)
在扫描报告中要求将ssh升级到 OpenSSH 7.6, 7.7, 7.8版本, 因此一鼓作气将其升级到8.1 版本哈哈哈哈哈哈,并根据手动升级操作步骤,写出这个脚本。脚本重复的比较多,将就着先看哈哈哈,升级时建议对照文章底下的手动升级指导看,出现问题可以根据手动升级指导找出原因
一键升级包,仅在centos7.6 测试,使用时记得测试
mkdir -p /data/tools
cd /data/tools
上传升级包到/data/tools, 执行下面的升级包脚本
升级包下载:
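#!/bin/bash
# One-shot OpenSSH upgrade for CentOS 7 (author tested on 7.6 only).
#
# Flow, mirroring the manual procedure the script was written from:
#   1. check that the two source tarballs are already in /data/tools
#   2. stop firewalld and switch SELinux to permissive/disabled
#   3. install and start telnet-server as a fallback login path while sshd
#      is replaced (cleartext; the menu at the end disables or removes it)
#   4. install build dependencies
#   5. build and install OpenSSL 1.0.2r into /usr/local/ssl
#   6. build and install OpenSSH 8.0p1 under /usr, replacing the distro sshd
#   7. ask whether telnet-server should be disabled or uninstalled
#
# Requirements: run as root, openssl-1.0.2r.tar.gz and openssh-8.0p1.tar.gz
# uploaded to /data/tools. yum logs go to the current directory; the two
# build logs go into the respective source directories.
#
# No `set -e`: most steps are best-effort status checks that the manual
# procedure tolerates failing; the build/install steps that must not be
# silently skipped check their exit status explicitly instead.
set -u

readonly TOOLS_DIR=/data/tools
readonly OPENSSL_VER=1.0.2r
readonly OPENSSH_VER=8.0p1
readonly OPENSSL_PREFIX=/usr/local/ssl
# Exact `ssh -V` output of the build this script produces; used to skip a rerun.
readonly EXPECTED_SSH_VERSION="OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019"

# die: print a message to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ $EUID -eq 0 ]] || die "此脚本需要以root身份运行"

oldversion=$(ssh -V 2>&1)
echo "开始执行 OpenSSH 版本升级脚本"
# echo -e is kept throughout so the coloured messages stay byte-identical.
echo -e "现在的ssh版本是:\033[36m $oldversion \033[0m"

# ---- prerequisite check first, so nothing below changes the host when the
# ---- tarballs are missing (the original only checked after disabling the
# ---- firewall and installing telnet).
openssl_tar="$TOOLS_DIR/openssl-$OPENSSL_VER.tar.gz"
openssh_tar="$TOOLS_DIR/openssh-$OPENSSH_VER.tar.gz"
echo "检查是否存在/data/tools 目录,及软件安装包"
if [[ -d "$TOOLS_DIR" ]]; then
  echo "目录已存在,检查是否在安装包"
  if [[ -e "$openssl_tar" && -e "$openssh_tar" ]]; then
    echo "已存在安装包...开始安装..."
  else
    echo "请上传安装包到/data/tools/目录"
    exit 1
  fi
else
  mkdir -p "$TOOLS_DIR"
  echo "请上传安装包到/data/tools/目录"
  exit 1
fi

# ---- stop firewalld and SELinux
# Both changes are system-wide and persist across reboots, exactly as in the
# manual procedure; re-enable them once the new sshd has been verified.
echo "开始关闭防火墙及selinux"
systemctl stop firewalld
systemctl disable firewalld
if ! systemctl is-active --quiet firewalld; then
  echo -e "\033[36m防火墙已关闭!\033[0m"
fi
setenforce 0
# Match the SELINUX= key rather than a fixed line number. The original
# `sed -inr` passed "nr" as the -i backup suffix, leaving *nr copies behind.
# /etc/sysconfig/selinux is normally a symlink to this file on CentOS 7, and
# sed -i on the symlink would replace it with a plain file, so edit the target.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# `[ $(... | wc -l) ]` was always true ("0" is a non-empty string); test properly.
if getenforce | grep -qE "Permissive|Disabled" \
  && grep -q '^SELINUX=disabled' /etc/selinux/config; then
  echo -e '\033[36mselinux 已关闭!\033[0m'
fi

# ---- install telnet-server and telnet
# telnet is the second way in while sshd is being replaced. It is cleartext,
# so the menu at the end of the script offers to disable or remove it again.
echo "检查是否已安装telnet 服务..."
if rpm -q telnet-server telnet >/dev/null 2>&1; then
  echo -e "\033[36m已安装telnet-server和telnet服务!\033[0m"
else
  if yum install -y xinetd telnet-server telnet >>install_telnet.log; then
    echo -e "\033[36mtelnet-server和telnet安装成功!\033[0m"
  fi
fi

# ---- configure telnet-server
# pam_securetty only permits root on ttys listed here; add pts/0..3 once.
# (The original here-doc was missing its `<<EOF` and aborted the script here.)
pts_count=$(grep -c '^pts/' /etc/securetty 2>/dev/null)
if [[ ${pts_count:-0} -lt 4 ]]; then
  cat >>/etc/securetty <<'EOF'
pts/0
pts/1
pts/2
pts/3
EOF
else
  echo -e "/etc/securetty已存在\033[36mpts/0,pts/1,pts/2,pts/3\033[0m"
fi

echo "正在启动telnet服务..."
systemctl enable xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd
# netstat comes from net-tools, which a minimal install may lack.
if ! command -v netstat >/dev/null 2>&1; then
  yum -y install net-tools >>install_net-tools.log
fi
# Port 23 listening on either the IPv4 or the IPv6 wildcard address.
if netstat -tuln | grep -qE ':23[[:space:]]'; then
  echo -e "\033[36mtelnet-server服务已开启!\033[0m"
fi

# ---- build dependencies
echo "安装依赖包..."
echo -e "\033[36mgcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel\033[0m"
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel >>install_lib.log
echo -e "\033[36mpam* zlib*\033[0m"
# Quoted so the shell does not expand the globs against files in the cwd;
# yum does its own package-name globbing.
yum install -y 'pam*' 'zlib*' >>install_lib.log

# ---- OpenSSL 1.0.2r
if openssl version | grep -q "$OPENSSL_VER"; then
  echo -e "\033[36m已经安装所需版本的openssl\033[0m"
else
  echo -e "\033[36m开始安装openssl!\033[0m"
  cd "$TOOLS_DIR" || die "无法进入 $TOOLS_DIR"
  tar xfz "openssl-$OPENSSL_VER.tar.gz" || die "解压 openssl 安装包失败"
  # Keep the distro binary and headers reachable under *_bak; they are
  # replaced by symlinks into $OPENSSL_PREFIX after a successful install.
  if [[ -e /usr/bin/openssl && -d /usr/include/openssl ]]; then
    mv /usr/bin/openssl /usr/bin/openssl_bak
    mv /usr/include/openssl /usr/include/openssl_bak
    if [[ -e /usr/bin/openssl_bak && -d /usr/include/openssl_bak ]]; then
      echo "备份完成!"
    fi
  fi
  echo -e "\033[36m配置、编译、安装!\033[0m"
  cd "$TOOLS_DIR/openssl-$OPENSSL_VER/" || die "无法进入 openssl 源码目录"
  if ./config shared && make && make install >>install_openssl.log; then
    # -sfn so a rerun over an existing link does not fail.
    ln -sfn "$OPENSSL_PREFIX/bin/openssl" /usr/bin/openssl
    ln -sfn "$OPENSSL_PREFIX/include/openssl" /usr/include/openssl
    # Register the new lib dir once; the original appended on every run.
    grep -qxF "$OPENSSL_PREFIX/lib" /etc/ld.so.conf \
      || echo "$OPENSSL_PREFIX/lib" >>/etc/ld.so.conf
    /sbin/ldconfig
    if [[ -e /usr/bin/openssl && -d /usr/include/openssl ]]; then
      version_ssl=$(openssl version)
      echo -e "\033[36mopenssl安装成功!当前版本为:$version_ssl\033[0m"
    fi
  else
    # Put the distro openssl back so the host is not left without a working
    # binary, then stop: the OpenSSH build below depends on this install.
    [[ -e /usr/bin/openssl_bak ]] && mv /usr/bin/openssl_bak /usr/bin/openssl
    [[ -d /usr/include/openssl_bak ]] && mv /usr/include/openssl_bak /usr/include/openssl
    die "openssl 编译安装失败,请查看 install_openssl.log"
  fi
fi

# ---- OpenSSH 8.0p1
sshversion=$(ssh -V 2>&1)
if [[ $sshversion == "$EXPECTED_SSH_VERSION" ]]; then
  echo -e "\033[36mopenssh已是8.0p1版本\033[0m"
else
  echo -e "\033[36m开始安装openssh!\033[0m"
  src_dir="$TOOLS_DIR/openssh-$OPENSSH_VER"
  cd "$TOOLS_DIR/" || die "无法进入 $TOOLS_DIR"
  tar xfz "openssh-$OPENSSH_VER.tar.gz" || die "解压 openssh 安装包失败"
  chown -R root:root "$src_dir"
  cd "$src_dir" || die "无法进入 openssh 源码目录"
  # Build first. /etc/ssh is only replaced once configure and make have
  # succeeded, so a failed build leaves the running sshd and its config
  # intact. (The original also tested `[ $?==0 ]`, which is always true.)
  if ./configure --prefix=/usr/ --sysconfdir=/etc/ssh \
      --with-openssl-includes="$OPENSSL_PREFIX/include" \
      --with-ssl-dir="$OPENSSL_PREFIX" \
      --with-zlib --with-md5-passwords --with-pam \
    && make; then
    # Archive the current config and host keys with a timestamp, then clear
    # the directory so `make install` lays down the 8.0p1 defaults and
    # generates fresh host keys — clients will see a changed host key.
    backup="$TOOLS_DIR/sshbak$(date +%Y%m%d%H%M%S).tar.gz"
    tar -zcf "$backup" /etc/ssh/* || die "备份 /etc/ssh 失败,停止安装"
    rm -rf /etc/ssh/*
    if make install; then
      # Both settings come from the manual procedure; guarded so a rerun
      # does not append duplicates.
      # NOTE(review): "PermitRootLogin yes" re-enables password root login
      # (8.0 defaults to prohibit-password); consider narrowing it once
      # key-based access is verified.
      grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config \
        || echo "PermitRootLogin yes" >>/etc/ssh/sshd_config
      grep -q '^UseDNS no' /etc/ssh/sshd_config \
        || echo "UseDNS no" >>/etc/ssh/sshd_config
      cp -a contrib/redhat/sshd.init /etc/init.d/sshd
      chmod +x /etc/init.d/sshd
      # PAM looks up /etc/pam.d/<service>, i.e. /etc/pam.d/sshd; the original
      # copy to /etc/pam.d/sshd.pam was never consulted. Keep the distro file
      # when it is already there.
      [[ -e /etc/pam.d/sshd ]] || cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
      # Park the packaged unit so systemd falls back to the SysV init script.
      if [[ -e /usr/lib/systemd/system/sshd.service ]]; then
        mv /usr/lib/systemd/system/sshd.service /data/
      fi
      systemctl daemon-reload
      chkconfig sshd on
      /etc/init.d/sshd restart
      echo -e "\033[36mopenssh安装成功\033[0m"
    else
      die "openssh 安装失败,原配置备份在 $backup"
    fi
  else
    die "openssh 配置或编译失败,未改动 /etc/ssh"
  fi
fi

# ---- optionally disable or remove the telnet fallback again
echo -e "\033[36m是否关闭或卸载telnet-server?\033[0m"
echo "1. 关闭telnet-server"
echo "2. 卸载telnet-server"
echo "3. 跳过并退出"
read -r -p "请输入选项:" choice
case "$choice" in
  1)
    systemctl disable xinetd.service
    systemctl stop xinetd.service
    systemctl disable telnet.socket
    systemctl stop telnet.socket
    echo -e "\033[36mtelnet-server已关闭\033[0m"
    ;;
  2)
    rpm -qa | grep telnet
    # Erase by package name instead of the pinned 0.17-64.el7 NVR, which
    # only matched one specific build.
    rpm -e telnet-server
    if ! rpm -q telnet-server >/dev/null 2>&1; then
      echo -e "\033[36mtelnet-server已卸载\033[0m"
    fi
    ;;
  *)
    exit 0
    ;;
esac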
如果你们喜欢手动升级,可以查看本站的另外一篇升级指导: