公司的旧版直播服务器使用的是CentOS 6.7,很多软件包都是几年前的了。最近很多安全相关的新闻充斥着IT圈,先是Intel芯片有重大安全漏洞,后面MacOS爆安全漏洞。所以,对于安全问题还真不能小觑。
接下任务,由于以前做华为核心网的项目,也有过相关的经验,大部分无非就是配置一下,或者升级软件包。经过一上午的折腾,终于完成升级包的制作,Linux就是方便。
升级脚本update.sh内容:
#!/bin/bash #stop ntp service ntpd stop chkconfig --list ntpd chkconfig ntpd off #openssl-flip sudo tar xzvf openssl-fips-2.0.16.tar.gz cd openssl-fips-2.0.16 sudo ./config sudo make sudo make install cd .. #ssl sudo tar xzvf openssl-1.0.2n.tar.gz cd openssl-1.0.2n sudo ./config fips --shared sudo make sudo make install sudo mv /usr/bin/openssl /usr/bin/openssl.OFF sudo mv /usr/include/openssl /usr/include/openssl.OFF sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl sudo ln -s /usr/local/ssl/include/openssl /usr/include/openssl sudo echo "/usr/local/ssl/lib" >>/etc/ld.so.conf sudo /sbin/ldconfig -v sudo openssl version -a cd .. #ssh sudo tar xzvf openssh-7.6p1.tar.gz cd openssh-7.6p1 sudo ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man sudo make sudo make install sudo sed -i 's/#Protocol 2,1/Protocol 2,1/g' /etc/ssh/sshd_config sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config sudo sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/ssh/sshd_config sudo service sshd restart cd .. #vsftp #安装libcap依赖包 rpm -ivh libcap-devel-2.16-5.5.el6.x86_64.rpm #此处卸载ftp的地方先看下原来装系统默认安装的是什么版本,使用rpm -qa vsftp可以查看安装包名称 rpm -e vsftpd-2.2.2-14.el6.x86_64 tar -xzf vsftpd-3.0.3.tar.tar cd vsftpd-3.0.3 sudo make sudo make install cd .. #如果要保留之前的配置文件,请先备份/etc/vsftp相关的配置 #新版的安装包对安全做了一些配置,所以要先修改配置文件,安装时直接拷贝到/etc/目录下 #具体配置见安装包 \cp -R vsftpd/ /etc/ \cp -rf xinetd.d/vsftpd /etc/xinetd.d/ \cp -rf init.d/vsftpd /etc/init.d/vsftpd sudo chkconfig vsftpd on service vsftpd restart sudo chkconfig --list vsftpd sudo echo "update success!"
作为服务的启动停止脚本文件/etc/init.d/sftpd
#!/bin/bash # # vsftpd This Shell script takes care of starting and stopping # standalone vsftpd. # # chkconfig: - 60 50 # description: Vsftpd is a ftp daemon, which is the program # that answers incoming ftp service requests. # processname: vsftpd # config: /etc/vsftpd.conf # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 [ -x /usr/local/sbin/vsftpd ] || exit 0 RETVAL=0 prog="vsftpd" start() { # Start daemons. if [ -d /etc ] ; then for i in `ls /etc/vsftpd/vsftpd.conf`; do site=`basename $i .conf` echo -n $"Starting $prog for $site: " /usr/local/sbin/vsftpd $i & RETVAL=$? [ $RETVAL -eq 0 ] && { touch /var/lock/subsys/$prog success $"$prog $site" } echo done else RETVAL=1 fi return $RETVAL } stop() { # Stop daemons. echo -n $"Shutting down $prog: " killproc $prog RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog return $RETVAL } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload) stop start RETVAL=$? ;; condrestart) if [ -f /var/lock/subsys/$prog ]; then stop start RETVAL=$? fi ;; status) status $prog RETVAL=$? ;; *) echo $"Usage: $0 {start|stop|restart|condrestart|status}" exit 1 esac exit $RETVAL
vsftp.conf配置文件修改:
pam_service_name=vsftpd userlist_enable=YES #此处需要指定user_list的路径 userlist_file=/etc/vsftpd/user_list #如果没有启用则改成NO tcp_wrappers=NO userlist_deny=NO chroot_local_user=YES #如果FTP根目录有读写权限,需要修改为YES allow_writeable_chroot=YES
另外vsftp还有很多安全相关的没有配置,有时间再慢慢研究
升级包下载地址:https://pan.baidu.com/s/1pMjjZLL