linux更新ssl脚本,ssh一键升级shell脚本 – 技术支持的日常

主要是云服务器ssh版本太低，入网时扫出如下安全漏洞：

OpenSSH 用户枚举漏洞(CVE-2018-15473)

OpenSSH 用户枚举漏洞(CVE-2018-15919)

OpenSSH 安全漏洞(CVE-2017-15906)

在扫描报告中要求将ssh升级到 OpenSSH 7.6, 7.7, 7.8版本, 因此一鼓作气将其升级到8.1 版本哈哈哈哈哈哈，并根据手动升级操作步骤，写出这个脚本。脚本重复的比较多，将就着先看哈哈哈，升级时建议对照文章底下的手动升级指导看，出现问题可以根据手动升级指导找出原因

一键升级包，仅在centos7.6 测试，使用时记得测试

mkdir -p /data/toolscd /data/tools

上传升级包到/data/tools， 执行下面的升级包脚本

升级包下载：

#!/bin/bash

oldversion=`ssh -V 2>&1`

echo "开始执行 OpenSSH 版本升级脚本"

echo -e "现在的ssh版本是：\033[36m $oldversion \033[0m"

####### 关闭防火墙及selinux ######

echo "开始关闭防火墙及selinux"

systemctl stop firewalld

systemctl disable firewalld

firewall_status=`systemctl status firewalld|grep dead|wc -l`

if [ $firewall_status == 1 ]

then

echo -e "\033[36m防火墙已关闭！\033[0m"

fi

setenforce 0

sed -inr '7s/enforcing/disabled/g' /etc/sysconfig/selinux

sed -inr '7s/enforcing/disabled/g' /etc/selinux/config

#echo $(getenforce|grep -E "Permissive|Disabled"|wc -l)

#echo $(sed -nr 7p /etc/sysconfig/selinux|grep disabled|wc -l)

if [ $(getenforce|grep -E "Permissive|Disabled"|wc -l) ]&&[ $(sed -nr 7p /etc/sysconfig/selinux|grep disabled|wc -l) ]

then

echo -e '\033[36mselinux 已关闭！\033[0m'

fi

# 安装telnet-server和telnent

echo "检查是否已安装telnet 服务..."

if [ `rpm -qa|grep telnet|wc -l` == 2 ]

then

echo -e "\033[36m已安装telnet-server和telnet服务！\033[0m"

else

yum install xinetd telnet-server telnet -y>>install_telnet.log

if [ `echo $?` == 0 ]

then

echo -e "\033[36mtelnet-server和telnet安装成功！\033[0m"

fi

fi

# 配置telnet-server

if [ `grep pts /etc/securetty|wc -l` -lt 4 ]

then

cat>>/etc/securetty<

pts/0

pts/1

pts/2

pts/3

EOF

else

echo -e "/etc/securetty已存在\033[36mpts/0,pts/1,pts/2,pts/3\033[0m"

fi

echo "正在启动telnet服务..."

systemctl enable xinetd

systemctl enable telnet.socket

systemctl start telnet.socket

systemctl start xinetd

if [ `rpm -qa|grep net-tools|wc -l` == 1 ]

then

if [ `netstat -tuanp|grep -E ":::23"|wc -l` == 1 ]

then

echo -e "\033[36mtelnet-server服务已开启！\033[0m"

fi

else

yum -y install net-tools>>install_net-tools.log

if [ `netstat -anp|grep 23|wc -l` == 1 ]

then

echo -e "\033[36mtelnet-server服务已开启！\033[0m"

fi

fi

echo "安装依赖包..."

echo -e "\033[36mgcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel\033[0m"

yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel>>install_lib.log

echo -e "\033[36mpam* zlib*\033[0m"

yum install -y pam* zlib*>>install_lib.log

echo "检查是否存在/data/tools 目录，及软件安装包"

if [ -d "/data/tools/" ]

then

echo "目录已存在，检查是否在安装包"

if [ -e "/data/tools/openssl-1.0.2r.tar.gz" -a -e "/data/tools/openssh-8.0p1.tar.gz" ]

then

echo "已存在安装包...开始安装..."

else

echo "请上传安装包到/data/tools/目录"

exit

fi

else

mkdir -p /data/tools

echo "请上传安装包到/data/tools/目录"

exit

fi

if [ `openssl version|grep "1.0.2r"|wc -l` -eq "1" ]

then

echo -e "\033[36m已经安装所需版本的openssl\033[0m"

else

echo -e "\033[36m开始安装openssl！\033[0m"

cd /data/tools

tar xfz openssl-1.0.2r.tar.gz

if [ -e "/usr/bin/openssl" -a -d "/usr/include/openssl" ]

then

mv /usr/bin/openssl /usr/bin/openssl_bak

mv /usr/include/openssl /usr/include/openssl_bak

if [ -e "/usr/bin/openssl_bak" -a -d "/usr/include/openssl_bak" ]

then

echo "备份完成！"

fi

fi

echo -e "\033[36m配置、编译、安装！\033[0m"

cd /data/tools/openssl-1.0.2r/

./config shared && make && make install>>install_openssl.log

if [ `echo $?` == 0 ]

then

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/ssl/include/openssl /usr/include/openssl

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

/sbin/ldconfig

if [ -e "/usr/bin/openssl" -a -d "/usr/include/openssl" ]

then

version_ssl=`openssl version`

echo -e "\033[36mopenssl安装成功！当前版本为：$version_ssl\033[0m"

fi

fi

fi

sshversion=`ssh -V 2>&1`

if [[ $sshversion = "OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019" ]]

then

echo -e "\033[36mopenssh已是8.0p1版本\033[0m"

else

echo -e "\033[36m开始安装openssh！\033[0m"

cd /data/tools/

tar xfz openssh-8.0p1.tar.gz

cd /data/tools/openssh-8.0p1

chown -R root:root /data/tools/openssh-8.0p1

tar -zcf /data/tools/sshbak20190919 /etc/ssh/*

rm -rf /etc/ssh/*

cd /data/tools/openssh-8.0p1

./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install

if [ `echo $?`==0 ]

then

#sed -inr '32s/#//g' /etc/ssh/sshd_config

#sed -inr '32s/prohibit-password/yes/g' /etc/ssh/sshd_config

#sed -inr '98s/#//g' /etc/ssh/sshd_config

#sed -inr '98s/yes/no/g' /etc/ssh/sshd_config

echo "PermitRootLogin yes">> /etc/ssh/sshd_config

echo "UseDNS no">> /etc/ssh/sshd_config

cd /data/tools/openssh-8.0p1

cp -a contrib/redhat/sshd.init /etc/init.d/sshd

cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

chmod +x /etc/init.d/sshd

mv /usr/lib/systemd/system/sshd.service /data/

chkconfig sshd on

/etc/init.d/sshd restart

echo -e "\033[36mopenssh安装成功\033[0m"

fi

fi

echo -e "\033[36m是否关闭或卸载telnet-server？\033[0m"""

echo "1. 关闭telnet-server"

echo "2. 卸载telnet-server"

echo "3. 跳过并退出"

read -p "请输入选项：" choice

case $choice in

1)

command

systemctl disable xinetd.service

systemctl stop xinetd.service

systemctl disable telnet.socket

systemctl stop telnet.socket

echo -e "\033[36mtelnet-server已关闭\033[0m"""

;;

2)

rpm -qa|grep telnet

rpm -e telnet-server-0.17-64.el7.x86_64

if [ `rpm -qa|grep telnet|wc -l` == 1 ]

then

echo -e "\033[36mtelnet-server已关闭\033[0m"""

fi

;;

*)

exit;;

esac

如果你们喜欢手动升级，可以查看本站的另外一篇升级指导：