Upgrading and hardening OpenSSH and OpenSSL

  sre

Check the current versions

Check the OpenSSH version:

ssh -V

Check the OpenSSL version:

openssl version

If the OpenSSH version is lower than 7.4p1, or the OpenSSL version is lower than 1.0.2k, this upgrade is required.
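The version comparison above is easy to get wrong by hand because OpenSSH uses a "p" patch level and OpenSSL a trailing patch letter. The script below is an added example, not part of the original guide: it parses the banner that `ssh -V` prints and applies the guide's two thresholds (the sample banners are constructed; the version-to-integer mapping is this example's own convention).

```shell
#!/bin/sh
# Added example: decide whether the OpenSSH/OpenSSL upgrade described in this
# guide is needed, by parsing the banner that `ssh -V` prints (on stderr) and
# comparing against the guide's thresholds: OpenSSH 7.4p1 and OpenSSL 1.0.2k.

# Map an OpenSSH version such as "7.4p1" to a sortable integer (7.4p1 -> 70401).
openssh_key() {
    set -- $(printf '%s\n' "$1" | tr 'p.' '  ')
    printf '%d\n' $(( $1 * 10000 + $2 * 100 + ${3:-0} ))
}

# Map an OpenSSL version such as "1.0.2k" or "1.0.1e-fips" to a sortable integer
# (1.0.2k -> 1000211); the trailing patch letter counts as a=1 ... k=11.
openssl_key() {
    v=${1%%-*}                          # drop build suffixes such as "-fips"
    letter=${v##*[0-9]}                 # trailing letter(s), may be empty
    letter=${letter%"${letter#?}"}      # keep only the first letter
    num=${v%"$letter"}
    set -- $(printf '%s\n' "$num" | tr '.' ' ')
    l=0
    if [ -n "$letter" ]; then
        l=$(( $(printf '%d' "'$letter") - 96 ))   # ASCII code -> 1..26
    fi
    printf '%d\n' $(( $1 * 1000000 + $2 * 10000 + ${3:-0} * 100 + l ))
}

# Parse a banner such as "OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017".
# Returns 0 (true) when either component is below its threshold, i.e. the
# upgrade in this guide is needed; returns 1 when both are at or above it.
needs_upgrade() {
    ssh_ver=${1#OpenSSH_}; ssh_ver=${ssh_ver%%,*}
    ssl_ver=${1#*OpenSSL }; ssl_ver=${ssl_ver%% *}
    [ "$(openssh_key "$ssh_ver")" -lt "$(openssh_key 7.4p1)" ] ||
        [ "$(openssl_key "$ssl_ver")" -lt "$(openssl_key 1.0.2k)" ]
}

# Constructed sample banners. On a real host run: needs_upgrade "$(ssh -V 2>&1)"
for banner in "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017"; do
    if needs_upgrade "$banner"; then
        echo "UPGRADE NEEDED: $banner"
    else
        echo "ok: $banner"
    fi
done
```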

Upgrade preparation

Download the source tarballs needed for the upgrade:

wget http://www.zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz --no-check-certificate
wget https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz --no-check-certificate

Stop the firewall:

service iptables stop

Enable a telnet server so that the machine can still be reached if the remote SSH session breaks during the upgrade; once OpenSSH has been upgraded, the telnet server must be stopped and uninstalled:

yum install -y telnet-server
vim /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no # change yes to no here
}
service xinetd restart

Add a temporary account. The telnet server does not allow root logins by default, so use a temporary non-root account:

useradd test
passwd test

Log in to the system over telnet with the temporary account:

telnet 192.168.2.2

Upgrade zlib

Upgrading OpenSSH and OpenSSL requires upgrading zlib first.

tar zxvf zlib-1.2.11.tar.gz 
cd zlib-1.2.11
./configure
make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

Upgrade OpenSSL

tar zxvf openssl-1.0.2k.tar.gz 
cd openssl-1.0.2k
./config shared -fPIC
make && make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl version

Upgrade OpenSSH

yum install -y pam-devel # the build fails if pam-devel is missing
rm -rf /etc/init.d/sshd /etc/ssh /usr/bin/scp /usr/bin/sftp /usr/bin/ssh* /usr/sbin/sshd
tar zxvf openssh-7.4p1.tar.gz 
cd openssh-7.4p1
./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl --mandir=/usr/share/man --with-zlib=/usr/local --with-privsep-path=/var/empty --with-privsep-user=sshd --with-ssl-engine
make && make install
ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
ln -s /usr/local/ssh/bin/scp /usr/bin/scp
ln -s /usr/local/ssh/bin/sftp /usr/bin/sftp
ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent
ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
touch /etc/ssh/ssh_host_key.pub
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
vi /etc/ssh/sshd_config

Find #PermitRootLogin prohibit-password, change it to PermitRootLogin yes, then save and exit;

/etc/init.d/sshd start
service sshd status
ssh -V

If it prints "OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017", the upgrade succeeded.

Stop and uninstall telnet

service xinetd stop
rm -rf /etc/xinetd.d/telnet
rpm -e --nodeps telnet-server
