CentOS 6.x OpenSSH vulnerability remediation


To avoid being locked out if the network connection drops while OpenSSH is being upgraded, install the telnet service first; if the SSH connection is lost, the server can still be reached over telnet.

I. Install the telnet service

yum install xinetd          # dependency
yum install telnet          # client
yum install telnet-server   # server
vim /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        #disable        = yes             [comment out the disable = yes line with #, or change yes to no]
}

Telnet login settings

1. Log in to the system over SSH (or another way) and run: vim /etc/pam.d/login
In the resulting file the pam_securetty.so auth line is commented out, as shown below:

vim /etc/pam.d/login
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

2. securetty settings
Edit securetty with: vim /etc/securetty

vim /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
tty1
tty2
tty3
pts/0
pts/1

Add pts/0 to the securetty file (back up the original first; the telnet removal section at the end restores /etc/securetty.bak), save and exit, then restart the telnet service.
Command to restart the telnet service: /etc/init.d/xinetd restart

/etc/init.d/xinetd restart

3. Run tail -f /var/log/secure to watch the login log:

tail -f /var/log/secure
Jun 29 16:22:15 localhost login: FAILED LOGIN 1 FROM 77.241.193.14 FOR root, Authentication failure
Jun 29 16:22:16 localhost login: pam_unix(remote:auth): check pass; user unknown
Jun 29 16:22:16 localhost login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/3 ruser= rhost=77.241.193.14 

If you see Authentication failure, go back to step 2 and confirm that the service was actually restarted.

II. OpenSSH upgrade

Check the system environment

The bundled OpenSSL version meets the build requirements, and the bundled zlib satisfies the dependency as well. If either version falls short, upgrade it first and then upgrade OpenSSH.

[root@localhost ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@localhost ~]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@localhost ~]# rpm -q zlib-devel
zlib-devel-1.2.3-29.el6.x86_64

Install related components

Install dependencies

yum install -y gcc gcc-c++ glibc make autoconf  openssl-devel pcre-devel pam-devel rpm-build    

Upgrade the OpenSSH version

1. Download the package: wget -P /usr/local/src https://cikeblog.com/e/openssh-8.0p1.tar.gz

wget -P /usr/local/src https://cikeblog.com/e/openssh-8.0p1.tar.gz 
--2020-06-29 16:30:25--  https://cikeblog.com/e/openssh-8.0p1.tar.gz
Resolving cikeblog.com... 159.138.1.106
Connecting to cikeblog.com|159.138.1.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1597697 (1.5M) [application/octet-stream]
Saving to: “/usr/local/src/openssh-8.0p1.tar.gz”
100%[==================================================================================>] 1,597,697    522K/s   in 3.0s    
2020-06-29 16:30:29 (522 KB/s) - “/usr/local/src/openssh-8.0p1.tar.gz” saved [1597697/1597697]

2. Remove the system's bundled OpenSSH

rpm -qa | grep openssh
rpm -e `rpm -qa | grep openssh` --nodeps

3. Extract the OpenSSH package

cd /usr/local/src && tar -zxf openssh-8.0p1.tar.gz && cd openssh-8.0p1  

4. Compile and install

./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam --with-tcp-wrappers 
make -j4 && make install   

5. Edit the configuration file

sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords\(.*\)/PermitEmptyPasswords\ no/g' /etc/ssh/sshd_config  
cp contrib/redhat/sshd.init /etc/init.d/sshd 
chkconfig --add sshd
chkconfig sshd on

6. Restart

service sshd start
service sshd restart        
ssh -V          

After the upgrade completes, log out of the server and log back in to confirm that SSH login works.

III. Remove the telnet service

mv /etc/securetty.bak /etc/securetty
service xinetd stop
chkconfig xinetd off
service iptables start
chkconfig iptables on
yum remove telnet-server xinetd            
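A post-upgrade check for the state this procedure should leave behind (PermitEmptyPasswords no in sshd_config, no pts/* entries left in securetty, the xinetd telnet service disabled or removed), as an added example that is not part of the original post. The function names, the --demo option and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Post-upgrade state check (added example; not part of the original post).
# It verifies what the procedure above should leave behind once telnet is removed:
#   - sshd_config: PermitEmptyPasswords no (set in step 5), PermitRootLogin reported
#   - securetty: no pts/* entries left over from the telnet login settings
#   - xinetd telnet service disabled, or its config file gone
# File paths are parameters so the same checks run against constructed sample files.

# Effective value of an sshd_config keyword: sshd uses the first uncommented match.
sshd_value() {  # $1 = config file, $2 = keyword (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_state SSHD_CONFIG SECURETTY XINETD_TELNET: prints findings, returns failure count.
check_state() {
    fails=0
    v=$(sshd_value "$1" PermitEmptyPasswords)
    if [ "$v" = "no" ]; then echo "ok   PermitEmptyPasswords no"
    else echo "FAIL PermitEmptyPasswords is '${v:-unset}'"; fails=$((fails + 1)); fi
    r=$(sshd_value "$1" PermitRootLogin)
    echo "info PermitRootLogin is '${r:-unset, upstream default prohibit-password}'"
    if grep -q '^pts/' "$2" 2>/dev/null; then
        echo "FAIL securetty still lists pts/* (telnet root login path left open)"; fails=$((fails + 1))
    else echo "ok   securetty has no pts/* entries"; fi
    if [ ! -f "$3" ] || grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$3"; then
        echo "ok   xinetd telnet service disabled or removed"
    else echo "FAIL xinetd telnet service still enabled"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample files modelling a host where the telnet cleanup was skipped.
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPermitEmptyPasswords no\n' > "$d/sshd_config"
    printf 'console\ntty1\npts/0\npts/1\n' > "$d/securetty"
    printf 'service telnet\n{\n    disable = no\n}\n' > "$d/telnet"
    check_state "$d/sshd_config" "$d/securetty" "$d/telnet"
    rc=$?
    rm -rf "$d"
    return $rc   # 2 failures: securetty and xinetd
}

case "${1:-}" in
    --demo) demo ;;
    "")     echo "usage: $0 --demo | SSHD_CONFIG SECURETTY XINETD_TELNET" ;;
    *)      check_state "$@" ;;
esac
```

On a real host run it as `sh check.sh /etc/ssh/sshd_config /etc/securetty /etc/xinetd.d/telnet`; a non-zero exit status is the number of findings.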