Introduction
On 1 July 2024 I received an e-mail from a colleague in the security department: the OpenSSH on our production and test servers had a remote code execution vulnerability (CVE-2024-6387), rated high, which an attacker can exploit to obtain a remote root shell and run arbitrary code and commands. The affected versions are 8.5p1 <= OpenSSH < 9.8p1; the fixed version is OpenSSH >= 9.8p1. The upstream recommendation is to upgrade OpenSSH to 9.8p1. The security colleague and the project lead confirmed by e-mail that we would upgrade to 9.8p1 and add hosts.allow and hosts.deny files on the servers so that only connections through the bastion host are allowed.
I. Prepare the build environment
Install the build tools and a telnet daemon (the telnet login is the fallback while the packaged sshd is removed and the new one is built):
sudo apt-get -y install openbsd-inetd telnetd telnet make gcc libpam0g-dev
sudo /etc/init.d/openbsd-inetd restart
[ ok ] Restarting openbsd-inetd (via systemctl): openbsd-inetd.service.
sudo netstat -antp | grep 23
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1560834/inetd
Log in to the server over telnet (replace the placeholders with a real account):
telnet 192.168.1.163
Trying 192.168.1.163...
Connected to 192.168.1.163.
Escape character is '^]'.
Password:
Login incorrect
ubuntu login: <username>
Password: <password>
Last login: Thu Jan 2 13:25:57 CST 2020 from 192.168.1.113 on pts/0.
...
Fetch and unpack the source tarballs
mkdir openssh
cd openssh/
wget https://zlib.net/zlib-1.3.1.tar.gz
wget --no-check-certificate https://www.openssl.org/source/openssl-3.3.0.tar.gz
wget --no-check-certificate https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
ls *gz | xargs -n1 -I{} tar zxf {}
ls
openssh-9.7p1 openssh-9.7p1.tar.gz openssl-3.3.0 openssl-3.3.0.tar.gz zlib-1.3.1 zlib-1.3.1.tar.gz
II. Upgrade zlib
cd zlib-1.3.1
sudo ./configure --prefix=/usr/local/zlib
sudo make && sudo make install
III. Upgrade OpenSSL
Build and install
cd ../openssl-3.3.0
sudo ./config shared zlib --prefix=/usr/local/ssl
sudo make
sudo make install
Point the system at the new OpenSSL
sudo mv /usr/bin/openssl /usr/bin/openssl.bak
sudo mv /usr/include/openssl /usr/include/openssl.bak
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
sudo ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Add the new library directory to the dynamic linker search path; the file contains the single line shown by cat:
sudo vi /etc/ld.so.conf.d/openssl.conf
sudo cat /etc/ld.so.conf.d/openssl.conf
/usr/local/ssl/lib64
sudo ldconfig
Check the OpenSSL version
openssl version
IV. Upgrade OpenSSH
Back up the existing ssh init script and configuration
sudo cp /etc/init.d/ssh /etc/init.d/ssh.old
sudo cp -r /etc/ssh /etc/ssh.old
Remove the packaged OpenSSH so that a reboot does not bring the old version back
sudo apt-get remove openssh-server openssh-client
Build and install
cd ../openssh-9.8p1
sudo ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
sudo make
sudo make install
Restore the configuration for the new OpenSSH
cd /etc/ssh
sudo cp -r ../ssh.old/* ./
sudo mv /etc/init.d/ssh.old /etc/init.d/ssh
Enable ssh at boot and restart it
sudo systemctl unmask ssh
Removed symlink /etc/systemd/system/ssh.service.
sudo systemctl daemon-reload
sudo systemctl restart ssh
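The following is an added example and is not part of the original post. It checks the result of the steps above in two ways: it parses an OpenSSH version banner and decides whether it lies in the range given in the introduction (8.5p1 <= version < 9.8p1), and it reads `ldd` output to confirm which libssl a binary was linked against, which is how to verify that the /etc/ld.so.conf.d/openssl.conf entry took effect for sshd and not only for the openssl tool. It assumes POSIX sh with sed and ldd; the banners and ldd text used in the checks are constructed samples. One caveat for the plan in the introduction: sshd built from the upstream 9.8p1 tarball has no tcp_wrappers (libwrap) support, which upstream removed in OpenSSH 6.7, so /etc/hosts.allow and /etc/hosts.deny are not consulted by it; restricting logins to the bastion host has to be done in sshd_config (for example AllowUsers or a Match Address block) or in the host firewall.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh, sed and ldd.
# 1. decide whether an OpenSSH banner falls in the range the post gives for
#    CVE-2024-6387 (8.5p1 <= version < 9.8p1);
# 2. report which libssl a binary resolved to, so the ld.so.conf.d change
#    can be verified for sshd as well as for the openssl tool.

# "OpenSSH_9.8p1, OpenSSL 3.3.0 9 Apr 2024" -> "9 8 1"
openssh_version_tuple() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit status 0 when the banner is inside the affected range, 1 when outside,
# 2 when it cannot be parsed. A version check only says the upstream release
# is old: distribution packages that backported the fix keep their old version
# string, which is one reason the post builds 9.8p1 from source instead.
openssh_is_affected() {
    set -- $(openssh_version_tuple "$1")
    [ $# -eq 3 ] || return 2
    v=$(( $1 * 10000 + $2 * 100 + $3 ))
    [ "$v" -ge 80501 ] && [ "$v" -lt 90801 ]
}

# Given the text printed by `ldd <binary>`, print the libssl it resolved to.
libssl_path_from_ldd() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*libssl\.so[^ ]* => \([^ ]*\).*/\1/p'
}

# Check this host: the ssh client banner and the libssl that sshd is linked
# against (expected under /usr/local/ssl/lib64 after the steps above).
report_host() {
    banner=$(ssh -V 2>&1 | head -n 1)
    if openssh_is_affected "$banner"; then
        echo "ssh client is in the affected range: $banner"
    elif [ $? -eq 2 ]; then
        echo "could not parse the ssh -V output: $banner"
    else
        echo "ssh client is outside the affected range: $banner"
    fi
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ]; then
        echo "sshd libssl: $(libssl_path_from_ldd "$(ldd "$sshd_bin")")"
    fi
}

# Only touch the live host when asked; sourcing the file just defines the functions.
case "${1:-}" in
    --run) report_host ;;
esac
```

Saved as, say, check_openssh.sh, run `sh check_openssh.sh --run` on the upgraded host after `systemctl restart ssh`; the two parsing functions can also be sourced and applied to banners and ldd output collected from other servers.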
V. Errors encountered on Ubuntu
1.PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory
sudo apt-get install pam
sudo apt-get install libpam0g-dev
sudo ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/local --with-privsep-path=/var/lib/sshd
sudo make
2. Permission denied, please try again.
Edit /etc/ssh/sshd_config and set:
sudo vim /etc/ssh/sshd_config
UsePAM no
3.fatal error: zlib.h: No such file or directory
sudo apt-get install zlib1g-dev