OpenSSH vulnerability remediation
System version: CentOS 7
Vulnerability report
(1) OpenSSH command injection vulnerability (CVE-2020-15778)
(2) OpenSSH security vulnerability (CVE-2021-41617)
(3) OpenSSH information disclosure vulnerability (CVE-2020-14145)
(4) OpenSSH security vulnerability (CVE-2016-20012)
Download locations for the fix packages
(1) Aliyun mirror: pub-OpenBSD-OpenSSH-portable package download, Aliyun open-source mirror site
(2) Linux package repository: Rpmfind mirror
(3) OpenSSL download: Index of /source
(4) OpenSSH download: https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
Install telnet (*)
(1) This is a very important step of the OpenSSH fix: enable telnet or VNC first, because if the OpenSSH upgrade fails (or for some other reason) you may no longer be able to connect over SSH.
(2) Download the packages matching your system version: telnet, telnet-server, xinetd (the versions I downloaded, system CentOS 7):
telnet-0.17-65.el7_8.x86_64.rpm
telnet-server-0.17-65.el7_8.x86_64.rpm
xinetd-2.3.15-14.el7.x86_64.rpm (telnet dependency; required for telnet-server to start)
(4) If they are already installed, go straight to testing whether telnet works (make sure you can connect remotely with telnet while SSH is unavailable), or uninstall and reinstall. Uninstall:
rpm -e telnet-0.17-64.el7.x86_64
rpm -e telnet-server-0.17-65.el7.x86_64
rpm -e xinetd-2.3.15-14.el7.x86_64
(5) Upload and install telnet, in the order xinetd --> telnet --> telnet-server:
rpm -ivh xinetd-2.3.15-14.el7.x86_64.rpm
rpm -ivh telnet-0.17-65.el7_8.x86_64.rpm
rpm -ivh telnet-server-0.17-65.el7_8.x86_64.rpm
(6) Create or edit the telnet service configuration to enable the service: vi /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
# Note: disable defaults to yes (service not enabled); it must be changed to no for telnet to start. Once the OpenSSH upgrade is complete, remember to turn telnet off again for the server's security.
(7) Check that telnet and xinetd are installed:
rpm -qa | grep telnet
rpm -qa | grep xinetd
(8) Restart xinetd (either command form):
service xinetd restart
systemctl restart xinetd.service
(9) Set it to start on boot:
systemctl start telnet.socket
systemctl enable telnet.socket
systemctl status telnet.socket
# Note: telnet.socket is the systemd socket unit shipped by telnet-server; it and the xinetd telnet service configured above both listen on TCP port 23, so only one of the two can actually hold the port. ss -ltnp | grep ':23 ' shows which one is serving.
(10) Resolving the remote login error:
[root@111 xinetd.d]# telnet **.***.***.***
Trying **.***.***.***...
Connected to **.***.***.***.
Escape character is '^]'.
CentOS Linux 7 (Core)
Kernel 3.10.0-1062.9.1.el7.x86_64 on an x86_64
bpzj2-weide login: root
Password:
Login incorrect
Solution: comment out the first auth line (pam_securetty.so) in /etc/pam.d/remote, as shown:
[root@222 pam.d]# cat remote
#%PAM-1.0
#auth required pam_securetty.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
(11) Allow root to log in:
mv /etc/securetty /etc/securetty.bak
service xinetd restart
(12) Reboot and verify telnet.
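The note on step (6) is the part that is easy to forget: once the new OpenSSH is confirmed working, the telnet fallback has to be closed again (xinetd stanza back to disable = yes, the pam_securetty line in /etc/pam.d/remote restored, /etc/securetty moved back, telnet.socket stopped). The script below is an added example and not part of the original post; it reverses those changes and provides a check function. Every path is resolved under a root directory argument so the functions can first be exercised against a scratch copy (the sample files in the test are constructed); with an empty root it edits the live files and also restarts the services.

```sh
#!/bin/sh
# Added example: reverse the temporary telnet fallback after the OpenSSH upgrade.
# All paths are resolved under "$root" (first argument) so the functions can be
# tested against a scratch copy; pass "" to operate on the real /etc.

# Set "disable = yes" in an xinetd service stanza. Rewrites an existing
# disable line; if the stanza has none, inserts one before the closing brace.
xinetd_disable() {
    f="$1"
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        sed -E 's/^([[:space:]]*disable[[:space:]]*=[[:space:]]*).*/\1yes/' "$f" > "$f.tmp"
    else
        awk '/^}/ && !done { print "        disable = yes"; done = 1 } { print }' "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# Re-enable the pam_securetty line that was commented out to let root in over telnet.
pam_restore_securetty() {
    f="$1"
    sed -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_securetty\.so)/\1/' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Put /etc/securetty back if the .bak copy made during the fallback setup exists.
securetty_restore() {
    if [ -f "$1.bak" ]; then
        mv "$1.bak" "$1"
    fi
}

# Return 0 only when all three fallback changes have been reversed.
fallback_closed() {
    root="${1:-}"
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$root/etc/xinetd.d/telnet" &&
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securetty\.so' "$root/etc/pam.d/remote" &&
    [ -f "$root/etc/securetty" ]
}

# Reverse everything; restart the services only when editing the live host.
telnet_fallback_close() {
    root="${1:-}"
    xinetd_disable "$root/etc/xinetd.d/telnet"
    pam_restore_securetty "$root/etc/pam.d/remote"
    securetty_restore "$root/etc/securetty"
    if [ -z "$root" ]; then
        systemctl disable --now telnet.socket
        systemctl restart xinetd
    fi
    fallback_closed "$root"
}

# Live usage on the upgraded host (opt in with CLOSE_TELNET_LIVE=1):
if [ "${CLOSE_TELNET_LIVE:-0}" = 1 ]; then
    telnet_fallback_close "" && echo "telnet fallback closed"
fi
```

Run it only after the new sshd has been confirmed reachable from a second session; the closing step is otherwise the one that locks you out.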
Install and upgrade OpenSSH (and OpenSSL)
(1) Install the build dependencies:
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib*
(2) Extract the archive and change into its directory:
tar zxvf openssl-1.1.1m.tar.gz
cd openssl-1.1.1m
(3) Configure the build (this checks the build environment):
./config --prefix=/usr/local/openssl
(4) Compile and install:
make && make install
(5) Replace the system's old OpenSSL (keep the originals first):
which openssl
/usr/bin/openssl # note the path; it is used in the replacements below
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old
mv /usr/lib64/libssl.so /usr/lib64/libssl.so.old
# /usr/include/openssl already exists (from openssl-devel); move it aside first, otherwise ln -s creates the link inside that directory instead of replacing it
mv /usr/include/openssl /usr/include/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
(6) After a successful install, verify the version (check again after a reboot):
openssl version
(7) Check the OpenSSL version that ssh reports (ssh -V prints the OpenSSH version together with the OpenSSL it is linked against; the system's existing ssh is still linked against the old OpenSSL at this point):
ssh -V
(8) Upload and extract OpenSSH:
tar -xvf openssh-8.9p1.tar.gz
cd openssh-8.9p1
(9) Move the old configuration directory aside:
mv /etc/ssh /etc/ssh.old
(10) Configure, compile and install:
# --without-hardening turns off the compiler and linker hardening that configure enables by default (stack protector, FORTIFY_SOURCE, PIE, RELRO); drop this option unless the build actually fails without it. --with-zlib=/usr/local/zlib expects a source-built zlib at that path; with the zlib packages installed by yum in step (1), --with-zlib on its own is enough.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib --without-hardening
make && make install
(11) Modify the startup script
# copy the startup script
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
# edit the startup script
vi /etc/init.d/sshd
# this is the path where the new OpenSSH was installed; adjust it to your setup (if the script also defines KEYGEN=, point it at /usr/local/openssh/bin/ssh-keygen as well, since the packaged /usr/bin/ssh-keygen is removed in step (13))
SSHD=/usr/local/openssh/sbin/sshd
(12) Edit the sshd configuration file /etc/ssh/sshd_config
# sshd uses the first occurrence of a directive, so the appended lines only take effect if the directive is not already set (uncommented) earlier in the file
# allow direct root login at the terminal (decide this according to your own situation)
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# whether to allow X11 forwarding
echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
# whether to allow password authentication
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
(13) Uninstall the original ssh packages
for i in $(rpm -qa | grep openssh); do rpm -e $i --nodeps; done
Rename the files that the removal warnings report as saved back to their original names:
mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
(14) Check the running status:
systemctl status sshd
(15) Enable start on boot:
systemctl enable sshd --now
(16) Reboot and check the version (the new binaries live under /usr/local/openssh/bin; call them by full path or add that directory to PATH, since the packaged /usr/bin/ssh was removed in step (13)):
ssh -V
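Steps (7) and (16) both rely on reading the ssh -V banner by eye. The script below is an added example, not code from the original post: it parses that banner (OpenSSH version and the OpenSSL it is linked against), compares both against the target versions this post upgrades to (OpenSSH 8.9, OpenSSL 1.1.1), and reports the three sshd_config directives step (12) relaxed so they get reviewed once the telnet fallback is closed. The banners and the config file used in the test are constructed samples; the binary path /usr/local/openssh/bin/ssh follows from the --prefix used in step (10).

```sh
#!/bin/sh
# Added example: verify an OpenSSH/OpenSSL upgrade from the "ssh -V" banner and
# review the sshd_config directives relaxed during the upgrade.

# "OpenSSH_8.9p1, OpenSSL 1.1.1m  14 Dec 2021" -> "8.9"
openssh_version_of() {
    printf '%s\n' "$1" | sed -En 's/^OpenSSH_([0-9]+\.[0-9]+).*/\1/p'
}

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> "1.0.2k"
# (prints nothing for a build linked against something other than OpenSSL)
openssl_version_of() {
    printf '%s\n' "$1" | sed -En 's/.*OpenSSL ([0-9]+(\.[0-9]+)*[a-z]?).*/\1/p'
}

# version_ge HAVE WANT: returns 0 if HAVE >= WANT. Dotted fields are compared
# numerically; a trailing letter (OpenSSL 1.1.1m) is compared after the number.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            ai = x[i]; bi = y[i]
            match(ai, /^[0-9]+/); an = substr(ai, 1, RLENGTH) + 0; as = substr(ai, RLENGTH + 1)
            match(bi, /^[0-9]+/); bn = substr(bi, 1, RLENGTH) + 0; bs = substr(bi, RLENGTH + 1)
            if (an != bn) exit (an > bn ? 0 : 1)
            if (as != bs) exit (as > bs ? 0 : 1)
        }
        exit 0
    }'
}

# verify_ssh_banner BANNER MIN_OPENSSH MIN_OPENSSL: 0 when both are at or above target.
verify_ssh_banner() {
    ssh_v=$(openssh_version_of "$1")
    ssl_v=$(openssl_version_of "$1")
    [ -n "$ssh_v" ] && [ -n "$ssl_v" ] &&
    version_ge "$ssh_v" "$2" && version_ge "$ssl_v" "$3"
}

# audit_sshd_config FILE: print the directives this procedure loosened; returns 1
# if any were found. sshd honours the first occurrence of a directive, so only the
# first uncommented "Keyword value" line per keyword is considered.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = tolower($1); val = tolower($2)
            if (key in seen) next
            seen[key] = 1
            if (key == "permitrootlogin" && val == "yes") { print "FINDING: PermitRootLogin yes (consider prohibit-password or no)"; found = 1 }
            if (key == "passwordauthentication" && val == "yes") { print "FINDING: PasswordAuthentication yes (prefer key authentication)"; found = 1 }
            if (key == "x11forwarding" && val == "yes") { print "FINDING: X11Forwarding yes (disable if unused)"; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Live check on the upgraded host (opt in with SSH_CHECK_LIVE=1).
if [ "${SSH_CHECK_LIVE:-0}" = 1 ]; then
    banner=$(/usr/local/openssh/bin/ssh -V 2>&1 || ssh -V 2>&1)
    if verify_ssh_banner "$banner" 8.9 1.1.1; then echo "OK: $banner"; else echo "OUTDATED: $banner"; fi
    audit_sshd_config /etc/ssh/sshd_config || true
fi
```

Before the restart in step (14), /usr/local/openssh/sbin/sshd -t validates the edited sshd_config without starting the daemon; a syntax error there is the other common way to end up with an unreachable host.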