CentOS 7 vulnerability fixes


OpenSSH information disclosure vulnerability (CVE-2018-15919)

Update openssl

  1. Download openssl 1.0.2 (openssl-1.0.2r) and openssh-8.1p1
  2. Extract
mkdir /apps
mv openssl-1.0.2r.tar.gz openssh-8.1p1.tar.gz /apps
cd /apps
tar xfz openssl-1.0.2r.tar.gz
tar xfz openssh-8.1p1.tar.gz
  3. Change the owner
chown -R root. *
  4. Back up the original files
mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak
  5. Install openssl
cd /apps/openssl-1.0.2r
./config shared && make && make install
  6. Add symlinks
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
  7. Check the openssl version
openssl version


Update openssh

  1. Back up the original files
cp -r /etc/ssh /tmp
rm -rf /etc/ssh
  2. Configure and build
cd /apps/openssh-8.1p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl/lib/ --with-zlib --with-md5-passwords --with-pam && make && make install

When the build and install finish without errors, this step has succeeded.

  3. Complete the installation
grep '^#GSSAPI*' /etc/ssh/sshd_config

# Edit the config so that root can log in
vim /etc/ssh/sshd_config
Change "#PermitRootLogin prohibit-password" to "PermitRootLogin yes"
Change "UsePAM no" to "UsePAM yes"

install -v -m755 contrib/ssh-copy-id /usr/bin
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd
mv /usr/lib/systemd/system/sshd.service /root/ssh_bak
chkconfig sshd on
  4. Check the ssh version
ssh -V
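Checking the version strings by eye is the weak point of both procedures on this page: the stock CentOS 7 libcrypto (1.0.2k) and the freshly built 1.0.2r share the soname libcrypto.so.1.0.0, so "openssl version" can report the new build while sshd still loads the old library. The script below is an added example, not part of the original post. It parses the output of "openssl version" and "ssh -V", compares against the expected versions (the post's 1.0.2r and 8.1p1 by default; export EXPECTED_OPENSSL=1.1.1p EXPECTED_OPENSSH=8.8p1 for the second procedure), confirms via ldd that /usr/sbin/sshd links to /usr/local/ssl/lib, and runs "sshd -t" so a broken config is caught before any restart. The paths are the ones the post uses.

```shell
#!/bin/sh
# Post-upgrade verification (added example, not the original post's code).
# Defaults are the versions the post installs for CVE-2018-15919; override via env.
EXPECTED_OPENSSL="${EXPECTED_OPENSSL:-1.0.2r}"
EXPECTED_OPENSSH="${EXPECTED_OPENSSH:-8.1p1}"
NEW_SSL_LIBDIR="/usr/local/ssl/lib"     # where the post installs the new OpenSSL

# "OpenSSH_8.1p1, OpenSSL 1.0.2r  26 Feb 2019" -> "8.1p1"
ssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# "OpenSSL 1.0.2k-fips  26 Jan 2017" -> "1.0.2k" (the distro build is fips-tagged)
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Exit 0 when version $1 is at least $2. GNU sort -V orders the letter and "pN"
# suffixes naturally: 1.0.2k < 1.0.2r < 1.1.1p and 7.4p1 < 8.1p1 < 8.8p1.
version_ge() {
    [ -n "$1" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Exit 0 when a library path lies in the new OpenSSL tree rather than /usr/lib64.
uses_new_libcrypto() {
    case "$1" in
        "$NEW_SSL_LIBDIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Path of the libcrypto a binary actually resolves at load time (empty if none).
libcrypto_of() {
    ldd "$1" 2>/dev/null | awk '/libcrypto/ { print $3; exit }'
}

report() { printf '%-4s %s\n' "$@"; }   # $1 = OK/FAIL, $2 = message

# Live check against this host; returns 1 if anything is not as expected.
check_upgrade() {
    rc=0
    have_ssl=$(openssl_version_of "$(openssl version 2>&1)")
    have_ssh=$(ssh_version_of "$(ssh -V 2>&1)")      # ssh -V prints to stderr
    lib=$(libcrypto_of /usr/sbin/sshd)

    if version_ge "$have_ssl" "$EXPECTED_OPENSSL"; then report OK "openssl $have_ssl"
    else report FAIL "openssl '$have_ssl' is older than $EXPECTED_OPENSSL"; rc=1; fi

    if version_ge "$have_ssh" "$EXPECTED_OPENSSH"; then report OK "ssh $have_ssh"
    else report FAIL "ssh '$have_ssh' is older than $EXPECTED_OPENSSH"; rc=1; fi

    if uses_new_libcrypto "$lib"; then report OK "sshd loads $lib"
    else report FAIL "sshd loads '${lib:-no libcrypto}', expected $NEW_SSL_LIBDIR"; rc=1; fi

    # sshd -t parses the config and host keys without listening; run it before restarting.
    if /usr/sbin/sshd -t 2>/dev/null; then report OK "sshd -t accepts /etc/ssh/sshd_config"
    else report FAIL "sshd -t rejects the config; do not restart sshd yet"; rc=1; fi
    return $rc
}

# Only run the live check when asked:  sh check_upgrade.sh --check
if [ "${1:-}" = "--check" ]; then check_upgrade; fi
```

Run it with "--check" from a second terminal while the session that did the upgrade stays open; a FAIL on the libcrypto line means the old library is still first on the loader path and the rebuilt sshd is not actually using the patched OpenSSL.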

OpenSSH security vulnerability (CVE-2021-41617)

  1. Install the build dependencies
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib*
  2. Download openssl 1.1.1g and openssh-8.8p1 (the commands that follow use the openssl-1.1.1p tarball)
  3. Extract
tar -zxvf openssl-1.1.1p.tar.gz
tar -zxvf openssh-8.8p1.tar.gz
  4. Change the owner and group
chown -R root. open*

Upgrade openssl

cd openssl-1.1.1p
./config --prefix=/usr/local/ssl -d shared
make && make install

mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl 
ln -s /usr/local/ssl/include/openssl /usr/include/openssl

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ldconfig -v 

Upgrade openssh

  1. Compile and install

cp -r /etc/ssh /tmp/
rm -rf /etc/ssh

cd openssh-8.8p1
./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
make clean && make && make install
  2. Edit the sshd_config file
echo 'PermitRootLogin yes' >>/usr/local/openssh/etc/sshd_config
echo 'PubkeyAuthentication yes' >>/usr/local/openssh/etc/sshd_config
echo 'PasswordAuthentication yes' >>/usr/local/openssh/etc/sshd_config
  3. Back up the original files and copy the new configuration and binaries into place
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
mv /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub.bak
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
  4. Restart ssh
systemctl restart sshd
reboot
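The final step of this procedure is where an upgrade done over SSH locks people out: /etc/ssh was removed earlier, so the mv/cp lines need the directory recreated; sshd needs the private host keys, not just the ecdsa public key; and the three settings appended with echo only take effect if sshd_config does not already set the same keyword above them, because sshd honours the first uncommented occurrence and treats anything below a Match line as conditional. The script below is an added example, not the post's own code, that performs the same cutover with those points handled: it backs up with a timestamp, carries over the host keys saved to /tmp/ssh earlier in the post (falling back to the set "make install" generated), prints the effective value of each setting the post changes, and validates the result with the new binary before restarting. Paths are the post's (/usr/local/openssh build prefix, /etc/ssh, /usr/sbin, /usr/bin).

```shell
#!/bin/sh
# Cutover helper (added example; not the original post's code). Assumes the post's
# layout: new build under /usr/local/openssh, old config saved to /tmp/ssh.
BUILD=/usr/local/openssh
STAMP=$(date +%Y%m%d%H%M%S)

# Copy $1 over $2, keeping a timestamped copy of any existing $2 and creating the
# target directory (the post deletes /etc/ssh earlier, so a bare cp would fail).
backup_then_install() {
    mkdir -p "$(dirname "$2")"
    [ -e "$2" ] && cp -p "$2" "$2.bak.$STAMP"
    cp -p "$1" "$2"
}

# Effective value of a sshd_config keyword (case-insensitive): the FIRST uncommented
# occurrence wins, and lines after a Match block are conditional, so a value appended
# with echo is ignored if the keyword was already set above it. Prints "" if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key     { print $2; exit }
    ' "$1"
}

# Show what the host will actually accept after the restart for the settings the
# post changes; PermitRootLogin yes plus PasswordAuthentication yes exposes root
# to online password guessing, so the operator should see it stated explicitly.
audit_config() {
    for key in PermitRootLogin PasswordAuthentication PubkeyAuthentication UsePAM; do
        printf '%-24s %s\n' "$key" "$(effective_value "$1" "$key")"
    done
}

# The post's copy steps, plus host keys and a pre-restart validation.
cutover() {
    backup_then_install "$BUILD/etc/sshd_config" /etc/ssh/sshd_config
    backup_then_install "$BUILD/sbin/sshd"       /usr/sbin/sshd
    backup_then_install "$BUILD/bin/ssh"         /usr/bin/ssh
    backup_then_install "$BUILD/bin/ssh-keygen"  /usr/bin/ssh-keygen

    # Prefer the keys saved to /tmp/ssh so clients keep seeing the same host identity;
    # otherwise use the fresh set that make install wrote under $BUILD/etc.
    keydir="$BUILD/etc"
    [ -e /tmp/ssh/ssh_host_rsa_key ] && keydir=/tmp/ssh
    for k in "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub; do
        [ -e "$k" ] && backup_then_install "$k" "/etc/ssh/$(basename "$k")"
    done

    audit_config /etc/ssh/sshd_config

    # Validate with the NEW binary; keep this session open and confirm a fresh login
    # works before closing it.
    if /usr/sbin/sshd -t -f /etc/ssh/sshd_config; then
        systemctl restart sshd
    else
        echo "sshd -t rejected the config; originals kept as *.bak.$STAMP, not restarting" >&2
        return 1
    fi
}

# Only perform the cutover when asked:  sh cutover.sh --run
if [ "${1:-}" = "--run" ]; then cutover; fi
```

If audit_config shows an empty value for a keyword the post appended, an earlier line already set it and the appended one is being ignored; fix the earlier line rather than appending again.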