Upgrading and hardening OpenSSH and OpenSSL
Check the current versions
Check the OpenSSH version:
ssh -V
Check the OpenSSL version:
openssl version
If the OpenSSH version is lower than 7.4p1 or the OpenSSL version is lower than 1.0.2k, this upgrade is required.
Upgrade preparation
Download the source tarballs needed for the upgrade:
wget http://www.zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz --no-check-certificate
wget https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz --no-check-certificate
Stop the firewall:
service iptables stop
Enable a telnet server so that the remote session is not lost if SSH breaks during the upgrade; once the OpenSSH upgrade is complete, the telnet server must be stopped and uninstalled:
yum install -y telnet-server
vim /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no # change yes to no here
}
service xinetd restart
Add a temporary account; the telnet server does not allow root login by default, so use a temporary non-root account:
useradd test
passwd test
Log in to the system via telnet with the temporary account:
telnet 192.168.2.2
Upgrade zlib
Upgrading OpenSSH and OpenSSL requires upgrading zlib first.
tar zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig
Upgrade OpenSSL
tar zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config shared -fPIC
make && make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl version
Upgrade OpenSSH
yum install -y pam-devel # the build fails if pam-devel is missing
rm -rf /etc/init.d/sshd /etc/ssh /usr/bin/scp /usr/bin/sftp /usr/bin/ssh* /usr/sbin/sshd
tar zxvf openssh-7.4p1.tar.gz
cd openssh-7.4p1
./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl --mandir=/usr/share/man --with-zlib=/usr/local/zlib --with-privsep-path=/var/empty --with-privsep-user=sshd --with-ssl-engine
make && make install
ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
ln -s /usr/local/ssh/bin/scp /usr/bin/scp
ln -s /usr/local/ssh/bin/sftp /usr/bin/sftp
ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent
ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
touch /etc/ssh/ssh_host_key.pub
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
vi /etc/ssh/sshd_config
Find the line #PermitRootLogin prohibit-password, change it to PermitRootLogin yes, then save and exit;
/etc/init.d/sshd start
service sshd status
ssh -V
If it shows "OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017", the upgrade succeeded.
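The before/after version test above, as a script added here as an example (not part of the original guide); it parses the `ssh -V` banner against the guide's minimums of OpenSSH 7.4p1 and OpenSSL 1.0.2k, assumes GNU sort for `sort -V`, and uses constructed sample banners:

```shell
#!/bin/sh
# Added example (not part of the original guide): parse the output of `ssh -V`
# to decide whether the upgrade is needed (OpenSSH < 7.4p1 or OpenSSL < 1.0.2k)
# and to confirm the expected banner afterwards.
# Assumes GNU sort for `sort -V`; the sample lines at the bottom are constructed.
MIN_OPENSSH="7.4p1"
MIN_OPENSSL="1.0.2k"

# version_lt A B: succeeds when version A is strictly older than version B
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Extract "7.4p1" from a line like "OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# Extract "1.0.2k" (or "1.0.1e" from "1.0.1e-fips") from the same line
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# needs_upgrade LINE: 0 = upgrade needed, 1 = both components current,
# 2 = line could not be parsed (inspect the host manually)
needs_upgrade() {
    ssh_v=$(openssh_version "$1")
    ssl_v=$(openssl_version "$1")
    [ -n "$ssh_v" ] && [ -n "$ssl_v" ] || return 2
    if version_lt "$ssh_v" "$MIN_OPENSSH" || version_lt "$ssl_v" "$MIN_OPENSSL"; then
        return 0
    fi
    return 1
}
# Live check of this host: `ssh -V` prints its banner to stderr, hence 2>&1
check_host() {
    needs_upgrade "$(ssh -V 2>&1)"
}

# Constructed samples: a pre-upgrade banner and the post-upgrade line from the guide
for line in "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" \
            "OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017"; do
    needs_upgrade "$line"
    case $? in
        0) echo "UPGRADE NEEDED: $line" ;;
        1) echo "ok: $line" ;;
        *) echo "could not parse: $line" ;;
    esac
done
```

Run `check_host` on the target before starting and again after the sshd restart; a return of 2 means the banner format was not recognised and should be read by hand.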
Stop and uninstall Telnet
service xinetd stop
rm -rf /etc/xinetd.d/telnet
rpm -e --nodeps telnet-server