On the OpenSSH version upgrade problem and the procedure for upgrading to the latest version, 8.7p1 (CentOS)
Preface:
Anyone who has run a vulnerability scan against a Linux server knows that the scanner usually reports a pile of OpenSSH findings, such as the ones listed below, and the reason is simply that the installed OpenSSH version is old. So the OpenSSH version has to be upgraded, and this post walks through doing that. There are plenty of OpenSSH upgrade tutorials online, but in practice one problem or another always comes up that makes the upgrade fail or even leaves SSH unable to connect. This post combines those tutorials and was worked through on a purpose-built test machine; it is personally verified to work, and it finally closes the book on these findings.
Procedure:
Before installing, you can check the current versions with ssh -V and openssl version:
[root@localhost openssl-1.1.1l]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost openssl-1.1.1l]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
1. Install telnet
First check whether telnet is already installed on the server:
rpm -qa | grep telnet
If telnet-server is not in the output, the telnet server is not installed; just run the steps below.
Install these three packages directly:
yum -y install telnet telnet-server xinetd
Do some configuration:
systemctl enable xinetd.service
systemctl enable telnet.socket
Start the telnet service:
systemctl start telnet.socket
systemctl start xinetd
Run netstat -antpl | grep 23; if it returns a line, the installation succeeded:
[root@localhost ~]# netstat -antpl | grep 23
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd
Configure the terminals on which telnet logins are allowed:
vim /etc/securetty
Then add these lines at the end:
pts/0
pts/1
pts/2
pts/3
After configuring, run the following command and you should see this:
[root@localhost ~]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3
Open port 23 on the firewall:
[root@localhost ~]# firewall-cmd --zone=public --add-port=23/tcp --permanent
success
Reload the firewall:
[root@localhost ~]# firewall-cmd --reload
success
List the services the firewall allows:
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh telnet
You can see that telnet is now among them.
Log out of SSH and connect remotely with telnet; everything below is done over the telnet connection.
2. Back up
[root@localhost ~]# cp -r /etc/pam.d /etc/pam.d.bak
[root@localhost ~]# cp -af /usr/bin/openssl /usr/bin/openssl.old
[root@localhost ~]# cp -af /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
[root@localhost ~]# cp -af /usr/lib64/openssl /usr/lib64/openssl.old
[root@localhost ~]# cp -af /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
[root@localhost ~]# cp -af /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
[root@localhost ~]# cp -arf /etc/ssh/ /etc/ssh_old
3. Disable SELinux and reboot:
[root@localhost ~]# vim /etc/sysconfig/selinux
Change SELINUX=enforcing to SELINUX=disabled.
Reboot and run getenforce:
[root@localhost ~]# reboot
[root@localhost ~]# getenforce
Disabled
4. Upgrade OpenSSL
Download OpenSSL: https://ftp.openssl.org/source
Download the latest version, openssl-1.1.1l.tar.gz, from that site.
Drag it into the Linux machine, or run wget https://ftp.openssl.org/source/openssl-1.1.1l.tar.gz.
[root@localhost ~]# ls
openssl-1.1.1l.tar.gz
Extract:
tar -zxvf openssl-1.1.1l.tar.gz
[root@localhost ~]# ls
openssl-1.1.1l  openssl-1.1.1l.tar.gz
Enter the openssl directory:
[root@localhost ~]# cd openssl-1.1.1l/
[root@localhost openssl-1.1.1l]# ls
ACKNOWLEDGEMENTS  CONTRIBUTING  INSTALL  os-dep  apps  crypto  LICENSE  README
appveyor.yml  demos  ms  README.ENGINE  AUTHORS  doc  NEWS  README.FIPS
build.info  engines  NOTES.ANDROID  ssl  CHANGES  e_os.h  NOTES.DJGPP  test
config  external  NOTES.PERL  tools  config.com  FAQ  NOTES.UNIX  util
Configurations  fuzz  NOTES.VMS  VMS  Configure  include  NOTES.WIN
Remove the old packages and install the dependencies:
[root@localhost ~]# yum remove -y openssl
[root@localhost ~]# yum remove -y openssh
[root@localhost ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel cpan
[root@localhost ~]# yum install -y pam* zlib* perl*
Check the files and move the old ones aside as backups:
[root@localhost openssl-1.1.1l]# ll /usr/bin/openssl
-rwxr-xr-x. 1 root root 555288 Aug  9  2019 /usr/bin/openssl
[root@localhost openssl-1.1.1l]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@localhost openssl-1.1.1l]# ls /usr/include/openssl
[root@localhost openssl-1.1.1l]# mv /usr/include/openssl /usr/include/openssl_bak
Compile and install:
[root@localhost openssl-1.1.1l]# ./config --prefix=/usr/local --openssldir=/usr/local/openssl && make && make install
Install again:
[root@localhost openssl-1.1.1l]# ./config shared && make && make install
Check the build result; an exit status of 0 means the installation succeeded:
[root@localhost openssl-1.1.1l]# echo $?
0
Configure openssl:
[root@localhost openssl-1.1.1l]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.1.1l]# ln -s /usr/local/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1l]# ll /usr/bin/openssl
lrwxrwxrwx. 1 root root 22 Sep 17 16:19 /usr/bin/openssl -> /usr/local/bin/openssl
[root@localhost openssl-1.1.1l]# ll /usr/include/openssl -ld
drwxr-xr-x. 2 root root 4096 Sep 17 16:19 /usr/include/openssl
[root@localhost openssl-1.1.1l]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1l]# echo "/usr/local/lib64/" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1l]# /sbin/ldconfig
[root@localhost openssl-1.1.1l]# cp libcrypto.so.1.1 libssl.so.1.1 /usr/lib64
Installation succeeded; check the openssl version:
[root@localhost openssl-1.1.1l]# openssl version
OpenSSL 1.1.1l  24 Aug 2021
5. Upgrade OpenSSH
Download OpenSSH: https://openbsd.hk/pub/OpenBSD/OpenSSH/portable
Download the latest version there: openssh-8.7p1.tar.gz
Drag it over, or run wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz directly.
[root@localhost ~]# ls
openssh-8.7p1.tar.gz  openssl-1.1.1l  openssl-1.1.1l.tar.gz
Extract:
[root@localhost ~]# tar -zxvf openssh-8.7p1.tar.gz
[root@localhost ~]# ls
openssh-8.7p1  openssl-1.1.1l  openssh-8.7p1.tar.gz  openssl-1.1.1l.tar.gz
Enter the openssh directory:
[root@localhost ~]# cd openssh-8.7p1/
[root@localhost openssh-8.7p1]#
Configure the build:
[root@localhost openssh-8.7p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening
The end of the output should look like this:
config.status: config.h is unchanged

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
              MD5 password support: yes
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-strong
Preprocessor flags: -I/usr/local/openssl -I/usr/local/lib64 -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/local/openssl -L/usr/local/lib64 -fstack-protector-strong
         Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
         +for sshd: -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
Check the exit status:
[root@localhost openssh-8.7p1]# echo $?
0
0 means the configure step completed normally.
Install:
[root@localhost openssh-8.7p1]# make
[root@localhost openssh-8.7p1]# echo $?
0
[root@localhost openssh-8.7p1]# chmod 600 /etc/ssh/ssh_host*
[root@localhost openssh-8.7p1]# make install
[root@localhost openssh-8.7p1]# echo $?
0
Configure ssh and start it:
[root@localhost openssh-8.7p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
[root@localhost openssh-8.7p1]# grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin yes
[root@localhost openssh-8.7p1]# echo "UseDNS no" >> /etc/ssh/sshd_config
[root@localhost openssh-8.7p1]# grep "UseDNS" /etc/ssh/sshd_config
#UseDNS no
UseDNS no
[root@localhost openssh-8.7p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-8.7p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@localhost openssh-8.7p1]# chmod +x /etc/init.d/sshd
[root@localhost openssh-8.7p1]# chkconfig --add sshd
[root@localhost openssh-8.7p1]# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
[root@localhost openssh-8.7p1]# chkconfig sshd on
Move the old service unit away; an error here can be ignored:
[root@localhost openssh-8.7p1]# mv /usr/lib/systemd/system/sshd.service /home/
mv: cannot stat ‘/usr/lib/systemd/system/sshd.service’: No such file or directory
Restart sshd:
[root@localhost openssh-8.7p1]# /etc/init.d/sshd restart
Restarting sshd (via systemctl):                           [  OK  ]
Check that it is listening normally:
[root@localhost openssh-8.7p1]# netstat -antpl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      784/rpcbind
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1804/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      107261/sshd: /usr/s
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1309/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1660/master
tcp6       0      0 :::111                  :::*                    LISTEN      784/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      107261/sshd: /usr/s
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1309/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1660/master
tcp6       0      2 192.168.145.139:23      192.168.145.2:1205      ESTABLISHED 1/systemd
Check the version:
[root@localhost openssh-8.7p1]# ssh -V
OpenSSH_8.7p1, OpenSSL 1.1.1l  24 Aug 2021
Test connectivity with ssh:
[C:\~]$ ssh 192.168.145.139
Connecting to 192.168.145.139:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Fri Sep 17 17:17:26 2021 from 192.168.145.2
[root@localhost ~]#
6. Stop and uninstall telnet:
[root@localhost ~]# systemctl disable xinetd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/xinetd.service.
[root@localhost ~]# systemctl stop xinetd.service
[root@localhost ~]# systemctl disable telnet.socket
Removed symlink /etc/systemd/system/sockets.target.wants/telnet.socket.
[root@localhost ~]# systemctl stop telnet.socket
[root@localhost ~]# netstat -antpl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      750/rpcbind
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1502/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1245/sshd: /usr/sbi
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1191/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1509/master
tcp        0     36 192.168.145.139:22      192.168.145.2:15925     ESTABLISHED 1996/sshd: root@pts
tcp6       0      0 :::111                  :::*                    LISTEN      750/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1245/sshd: /usr/sbi
tcp6       0      0 ::1:631                 :::*                    LISTEN      1191/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1509/master
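Added here as a post-upgrade check, not code from the original post: a small POSIX shell audit that parses the output of the three things the post uses to verify the result (ssh -V, the sshd_config edits, netstat -antpl) and reports whether the host ended up where the procedure intends. The function names, the 8.7 minimum and the sample strings are this example's own assumptions; it runs on the constructed samples as written and on live output when the commented call is used instead.

```shell
#!/bin/sh
# Added post-upgrade audit helpers; not part of the original post. They parse
# the kind of output the post shows (ssh -V, sshd_config, netstat -antpl) so
# the final state of the host can be checked rather than eyeballed.
# ssh_version_ok "<ssh -V output>" "<major.minor>" -> 0 if version >= minimum
ssh_version_ok() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver $(printf '%s' "$2" | tr . ' ')   # $1.$2 = found, $3.$4 = minimum
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# sshd_effective "<sshd_config text>" Keyword -> prints the value sshd applies.
# sshd honours the FIRST uncommented occurrence (Match blocks not handled), so a
# value appended with echo >> as the post does only wins if nothing earlier set it.
sshd_effective() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# port_listening "<netstat -antpl output>" <port> -> 0 if a socket LISTENs on it
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $6 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# audit <ssh -V output> <sshd_config text> <netstat output>: one finding per
# line on stdout; returns the number of warnings (0 = clean)
audit() {
    warn=0
    ssh_version_ok "$1" 8.7 && echo "ok   OpenSSH >= 8.7" ||
        { echo "WARN OpenSSH still old: $1"; warn=$((warn + 1)); }
    [ "$(sshd_effective "$2" PermitRootLogin)" = yes ] &&
        { echo "WARN PermitRootLogin yes (the post sets it; prefer prohibit-password once keys work)"; warn=$((warn + 1)); }
    port_listening "$3" 22 || { echo "WARN nothing listening on tcp/22"; warn=$((warn + 1)); }
    port_listening "$3" 23 && { echo "WARN telnet still listening on tcp/23"; warn=$((warn + 1)); }
    return $warn
}

# Constructed samples mirroring the post's output (not captured from a real host)
SAMPLE_SSHV='OpenSSH_8.7p1, OpenSSL 1.1.1l 24 Aug 2021'
SAMPLE_CONF='#UseDNS no
PermitRootLogin yes
UseDNS no'
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1245/sshd: /usr/sbi
tcp6 0 0 :::22 :::* LISTEN 1245/sshd: /usr/sbi'
# On the upgraded host, feed it live output instead:
#   audit "$(ssh -V 2>&1)" "$(cat /etc/ssh/sshd_config)" "$(netstat -antpl)"
audit "$SAMPLE_SSHV" "$SAMPLE_CONF" "$SAMPLE_NETSTAT" || echo "$? warning(s)"
```

With --with-pam, sshd looks up its PAM service file as /etc/pam.d/sshd (not sshd.pam), so confirm that file exists before closing the telnet session.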
Done!