Upgrading OpenSSH 7.4 to OpenSSH 9.8p1
Our Linux servers (CentOS 7.5, 7.6 and 7.9) were all flagged by a vulnerability scan for running an old SSH version, so an upgrade is required. The plan:

1. Open several SSH windows and also enable telnet, so that if SSH drops during the upgrade the server can still be reached remotely.
2. Upgrade OpenSSL to a newer version, OpenSSL 3.5.7.
3. Then upgrade OpenSSH 7.4 to OpenSSH_9.8p1.

Current version:

```
[root ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
```

Pre-upgrade preparation: open several SSH windows and enable telnet. According to what I found online, telnet login needs pts entries, but on CentOS 7.6 /etc/securetty contains no pts lines.

1. Add the pts virtual terminals to securetty (your current file is missing this part)

1.1 Append the pts lines in one go (copy and run directly):

```
echo -e "pts/0\npts/1\npts/2\npts/3\npts/4\npts/5\npts/6\npts/7\npts/8\npts/9" >> /etc/securetty
```

1.2 Verify that they were written:

```
[root openssh-9.8p1]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0
ttysclp0
sclp_line0
3270/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
```

2. Confirm the telnet service configuration in /etc/xinetd.d/telnet

```
vi /etc/xinetd.d/telnet
```

```
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
```

The key setting is `disable = no`, which enables telnet.

3. Open port 23 in the firewall

```
firewall-cmd --permanent --add-port=23/tcp
firewall-cmd --reload
# list the open ports
firewall-cmd --list-ports
```

4. Disable SELinux (otherwise the login will most likely fail)

```
setenforce 0
```

To disable it permanently:

```
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
```

5. Restart xinetd for the change to take effect

```
systemctl restart xinetd
systemctl enable xinetd
systemctl status xinetd
```

6. Test the login

```
# local test
telnet 127.0.0.1
# remote test: replace with your server's IP
telnet <your-server-IP>
```

Security reminder: telnet sends the account and password in plaintext. Use it only as a temporary emergency measure on the internal network, never open it on the public internet, and close it as soon as you are done.

How to close it afterwards (skip this while it is still needed; run it once the upgrade is finished):

```
systemctl stop xinetd
systemctl disable xinetd
firewall-cmd --permanent --remove-port=23/tcp
firewall-cmd --reload
```

------------------------------------------------------

Installing openssl-3.5.7

```
# install the build dependencies
yum groupinstall "Development Tools" -y
yum install zlib-devel perl-IPC-Cmd perl-Data-Dumper wget -y
yum install gcc gcc-c++ make zlib-devel pam-devel openssl-devel perl -y
yum install perl-Time-Piece perl-core gcc gcc-c++ make zlib-devel -y
# download and extract the 3.5.7 source (the download is slow; you can also download it manually and upload it)
cd /usr/local/src
wget https://www.openssl.org/source/openssl-3.5.7.tar.gz
tar -zxf openssl-3.5.7.tar.gz
cd openssl-3.5.7
# build into its own directory (the key point: do not overwrite the system OpenSSL)
./config --prefix=/usr/local/openssl3.5.7 --openssldir=/usr/local/openssl3.5.7 shared zlib
make -j$(nproc)
make install
# make the new libraries visible to the dynamic linker (needed for the openssh build; the system openssl is not replaced)
echo "/usr/local/openssl3.5.7/lib64" > /etc/ld.so.conf.d/openssl3.5.7.conf
ldconfig
# verify the new version
/usr/local/openssl3.5.7/bin/openssl version
# the system's original openssl is unaffected
openssl version
```

------------------------------------------------------

Installing OpenSSH 9.8p1

```
# build and install OpenSSH 9.8p1 against OpenSSL 3.5.7
cd /usr/local/src
# download the source tarball
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
# extract
tar -zxvf openssh-9.8p1.tar.gz
cd openssh-9.8p1
# configure: OpenSSL path, PAM authentication, the system ssh config directory, and OpenSSL 3.5.7
./configure \
    --prefix=/usr/local/openssh-9.8p1 \
    --sysconfdir=/etc/ssh \
    --with-pam \
    --with-zlib \
    --with-ssl-dir=/usr/local/openssl3.5.7
# build
make -j$(nproc)
# install
make install
```

`make install` will report an error; run the following:

```
sed -i 's/^GSSAPIAuthentication/#GSSAPIAuthentication/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials/#GSSAPICleanupCredentials/' /etc/ssh/sshd_config
vi /etc/pam.d/sshd
```

In /etc/pam.d/sshd, change the existing line

```
auth [success=1 default=ignore] pam_succeed_if.so uid 0 quiet
```

to

```
auth [success=done default=ignore] pam_succeed_if.so uid 0 quiet
```

(The comparison operator between `uid` and `0` did not survive on this page; match it against the line actually present in your /etc/pam.d/sshd.)

------------------------------------------------------

Closing telnet

```
# 1. stop and disable xinetd, which telnet depends on
# stop the service
systemctl stop xinetd
# disable autostart on boot
systemctl disable xinetd
# confirm the state: "inactive (dead)" means it has been closed
systemctl status xinetd
# 2. remove the port 23 firewall rule
# permanently remove port 23
firewall-cmd --permanent --remove-port=23/tcp
# reload the firewall to apply the change
firewall-cmd --reload
# check the port list: no 23/tcp means the rule was removed
firewall-cmd --list-ports
# 3. restore /etc/securetty to its original secure configuration by deleting the added pts lines
sed -i '/pts\//d' /etc/securetty
cat /etc/securetty
# the output should no longer contain pts/0, pts/1, ...
```
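A post-upgrade check script, added here as an example and not part of the original post: it parses the `ssh -V` output shown above, confirms the version is at least 9.8, and verifies the two cleanup items the post ends with (no active GSSAPI directives in /etc/ssh/sshd_config, no pts lines left in /etc/securetty). The function names are my own; the paths are the ones the post uses.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the procedure above. Each check takes
# its input as an argument (captured command output or a file path) so it can
# be run on the live host or against saved output. Functions return 0 on pass.

# Extract "major.minor" from an `ssh -V` line, e.g.
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017" -> "7.4"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# 0 if version "$1" (major.minor) is at least "$2"; a plain string comparison
# would get "10.0" < "9.8" wrong, so the fields are compared numerically
version_at_least() {
    have_major=${1%%.*}; have_minor=${1#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# 0 if the sshd_config at "$1" has no active GSSAPI directives; the build
# above has no Kerberos support, so `sshd -t` rejects them (hence the sed
# lines in the post)
no_active_gssapi() {
    ! grep -Eq '^[[:space:]]*GSSAPI(Authentication|CleanupCredentials)' "$1"
}

# 0 if no pts/N entries are left in the securetty file at "$1", i.e. the
# temporary telnet access has been cleaned up
no_pts_in_securetty() {
    ! grep -q '^pts/' "$1"
}

# Run every check against the live host (paths are the ones used in the post)
post_upgrade_check() {
    rc=0
    v=$(openssh_version "$(ssh -V 2>&1)")       # ssh -V prints to stderr
    version_at_least "${v:-0.0}" 9.8 && echo "ok   ssh is $v" \
        || { echo "FAIL ssh is ${v:-unknown}, expected >= 9.8"; rc=1; }
    no_active_gssapi /etc/ssh/sshd_config && echo "ok   no active GSSAPI options" \
        || { echo "FAIL active GSSAPI options in /etc/ssh/sshd_config"; rc=1; }
    no_pts_in_securetty /etc/securetty && echo "ok   no pts entries in securetty" \
        || { echo "FAIL pts entries still in /etc/securetty"; rc=1; }
    return $rc
}

# Only run the live checks when invoked with --run, so the file can be sourced
if [ "${1-}" = "--run" ]; then post_upgrade_check; fi
```

Run it as `sh check.sh --run` on the upgraded host, or source it and call the individual functions against saved output.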
