SSH漏洞修复
- OpenSSH 命令注入漏洞(CVE-2020-15778)
- OpenSSH 用户枚举漏洞(CVE-2018-15919)
- OpenSSH 安全漏洞(CVE-2017-15906)
方案:升级openssh
1、下载最新openssh和openssl
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
或者
wget ftp://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
2、安装依赖环境
yum -y install rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl prce pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts libXt-devel imake gtk2-devel
3、升级openssl
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
cd /usr/local/src/
tar -zxvf openssl-1.1.1t.tar.gz
cd openssl-1.1.1t
./config --prefix=/usr/local/openssl
make && make install
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version
4、升级openssh
cd /usr/local/src/
tar zxvf openssh-9.3p1.tar.gz
cd openssh-9.3p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening
make && make install
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd
chkconfig sshd on
mv /usr/lib/systemd/system/sshd.service /home/
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 600 /etc/ssh/ssh_host_rsa_key
systemctl daemon-reload
/etc/init.d/sshd restart
5、验证
systemctl status sshd
netstat -anptl
ssh -V
openssl version