OpenSSH和OpenSSL升级加固

发表于： 2020-10-26 2020-10-26
分类： SRE
标签： bash, Linux, ssh, tar, 安全

查看当前版本

查看OpenSSH版本：

ssh –V

查看OpenSSL版本：

openssl version

如果OpenSSH版本低于7.4p1，OpenSSL版本低于1.0.2k，则需要进行此项升级。

升级准备

下载升级需要的源码包：

wget http://www.zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz --no-check-certificate
wget https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz --no-check-certificate

关闭防火墙：

service iptables stop

开启telnet server，防止升级SSH时导致远程连接异常无法操作，OpenSSH升级完毕以后需要关闭并卸载telnet server服务：

yum install –y telnet-server

vim /etc/xinetd.d/telnet

service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no #此处yes改成no
}

service xinetd restart

添加临时账户，telnet server默认不允许root账户登录，使用临时非root账户：

useradd test
passwd test

使用telnet和临时账户登录系统：

telnet 192.168.2.2

升级zlib

升级OpenSSH和OpenSSL需要升级zlib。

tar zxvf zlib-1.2.11.tar.gz 
cd zlib-1.2.11
./configure
make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

升级OpenSSL

tar zxvf openssl-1.0.2k.tar.gz 
cd openssl-1.0.2k
./config shared -fPIC
make && make install
echo "/usr/local/ssl/lib " >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl version

升级OpenSSH

yum install –y pam-devel # 缺少pam-devel会报错
rm -rf /etc/init.d/sshd /etc/ssh /usr/bin/scp /usr/bin/sftp /usr/bin/ssh* /usr/sbin/sshd
tar zxvf openssh-7.4p1.tar.gz 
cd openssh-7.4p1
./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl  --mandir=/usr/share/man --with-zlib=/usr/local/zlib --with-privsep-path=/var/empty --with-privsep-user=sshd --with-ssl-engine
make && make install
ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
ln -s /usr/local/ssh/bin/scp /usr/bin/scp
ln -s /usr/local/ssh/bin/sftp /usr/bin/sftp
ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent
ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
touch /etc/ssh/ssh_host_key.pub
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on

vi /etc/ssh/sshd_config

找到#PermitRootLogin prohibit-password，修改为PermitRootLogin yes，保存退出；

/etc/init.d/sshd start
service sshd status
ssh –V

显示“OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017”则表示升级成功。

关闭并卸载Telnet

service xinetd stop
rm -rf /etc/xinetd.d/telnet
rpm -e -nodeps telnet-server

sre

318