在做等保的时候,必不可少的一个环节就是漏洞扫描,其中漏洞最多的是OpenSSH相关的
一般我们只需关心紧急和高危的漏洞
先看下ssh的版本,
ssh -V
我们公司用的模版是centos6.6的,版本是OpenSSH_5.3p1
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
测评的公司给我们扫出5个高危,9个中危
升级到 openssh-7.7p1后,只有1个中危了
rpm -e `rpm -qa | grep openssh` --nodeps
yum install -y gcc openssl-devel pam-devel rpm-build pam-devel
cd /usr/local/src/
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
tar -zxvf openssh-7.7p1.tar.gz
./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-ssl --with-md5-passwords mandir=/usr/share/man/
make && make install
cp /usr/local/src/openssh-7.7p1/contrib/redhat/sshd.init /etc/init.d/sshd
#允许root登陆
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
#开机自启动
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd
rm -f /etc/ssh/ssh_host_*
vim /etc/init.d/sshd
vim /etc/ssh/sshd_config
/etc/init.d/sshd start
ssh-keygen -R 10.0.xxx
ssh-copy-id root@10.0xx
centos6.6的系统直接执行以下命令就可以了,前提是与外网是通的
rpm -e `rpm -qa | grep openssh` --nodeps
yum install -y gcc openssl-devel pam-devel rpm-build pam-devel
cd /usr/local/src/
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
tar -zxvf openssh-7.7p1.tar.gz
cd openssh-7.7p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-ssl --with-md5-passwords mandir=/usr/share/man/
make && make install
cp /usr/local/src/openssh-7.7p1/contrib/redhat/sshd.init /etc/init.d/sshd
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd
/etc/init.d/sshd start
ssh -V