openssh升级
Linux升级OpenSSH
出于对服务器安全考虑,openssh版本过低,很容易被扫描出大量漏洞,更新版本可降低风险 。
一、开启Telnet远程登录
原因:避免在升级过程中,远程掉线或者openssh升级失败,导致远程不上的一种保守措施。
# 1、安装telnetyum install -y telnet telnet-server xinetd# 2、设置开机自启动systemctl enable --now xinetd.servicesystemctl enable --now telnet.socket# 3、配置Telnet服务文件# disable = yes 表示 禁止root用户远程登录# disable = no 表示 允许root用户远程登录cat << EOF | sudo tee /etc/xinetd.d/telnetservice telnet{flags = REUSEsocket_type = streamwait = nouser = rootserver = /usr/sbin/in.telnetdlog_on_failure += USERIDdisable = noinstances = 3}EOF# 4、更改Telnet默认端口;若选择使用默认端口,请忽略此步骤sed -i ''$(grep -rn '^telnet.*23/tcp' /etc/services | cut -d ':' -f1)'c telnet 23230/tcp' /etc/servicessed -i ''$(grep -rn '^telnet.*23/udp' /etc/services | cut -d ':' -f1)'c telnet 23230/udp' /etc/services# 5、重启telnet的管理服务systemctl restart xinetd.service# 6、查看端口是否更改成功netstat -tunlp | grep 23230# 7、# 若需使用root进行登录,则cat >> /etc/securetty << EOFpts/1pts/2pts/3pts/4pts/5pts/6pts/7pts/8pts/9pts/10pts/11EOF
二、升级OpenSSL
# 1、安装依赖yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-develyum install -y pam* zlib*# 2、下载升级包wget https://ftp.openssl.org/source/openssl-3.0.4.tar.gz --no-check-certificatewget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz --no-check-certificate# 3、解压进入升级包目录,并备份旧版本tar xf openssl-3.0.4.tar.gzcd openssl-3.0.4mv /usr/bin/openssl /usr/bin/openssl_oldmv /usr/include/openssl /usr/include/openssl_old# 4、编译安装./config --prefix=/usr/local/openssl && make && make install# 若出现‘Can't locate IPC/Cmd.pm in @INC...’错误,则yum -y install perl-IPC-Cmd# 5、创建软链接,或者直接复制文件ln -s /usr/local/openssl/bin/openssl /usr/bin/opensslln -s /usr/local/openssl/include/openssl /usr/include/openssl或cp -ar /usr/local/openssl/bin/openssl /usr/bin/cp -ar /usr/local/openssl/include/openssl /usr/include# 6、设置加载库# 注意:lib库名称,旧版本是'lib',新版本编译后是'lib64',故 编译完成后检查自己安装的路径lib库名称echo "/usr/local/openssl/lib64" >> /etc/ld.so.confldconfig -v# 7、# 验证版本openssl version# 8、如需卸载opensslfor i in $(rpm -qa | grep openssl);do rpm -e $i --nodeps ;done
三、升级OpenSSH
# 1、解压并进入openssh升级包目录(前面已经下载)tar xf openssh-9.0p1.tar.gzcd openssh-9.0p1# 2、备份旧版ssh目录mv /etc/ssh /etc/ssh_old# 3、编译安装./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening# 注意的是,make和make install,不能使用&&符号连用,否则会安装失败,具体什么原因,本人说不上来,有知道的大佬欢迎批评指正makemake install# 4、备份旧版文件mv /usr/sbin/sshd /usr/sbin/sshd_oldmv /etc/sysconfig/sshd /etc/sysconfig/sshd_oldmv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_old# 5、卸载opensshfor i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done# 6、还原openssh配置文件# 卸载后openssh配置文件会变成rpmsave后缀# 我这里想继续使用原有sshd_config配置,则\cp -a /etc/ssh_old/sshd_config /etc/ssh/sshd_config# mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_configmv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_configmv /etc/ssh/moduli.rpmsave /etc/ssh/moduli# 7、替换新版本openssh相关命令\cp -arf /usr/local/openssh/bin/* /usr/bin/\cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd# 8、拷贝启动脚本\cp -a contrib/redhat/sshd.init /etc/init.d/sshd\cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pamchmod +x /etc/init.d/sshd# 9、设置sshd开机自启动,并验证版本systemctl daemon-reloadchkconfig --add sshd && chkconfig sshd onsystemctl start sshdssh -V
systemctl status sshd# 查看服务状态,若有错误警告# Unsupported option GSSAPIAuthentication、Unsupported option GSSAPICleanupCredentials,则# 原因:新版本不支持sed -i 's/GSSAPIAuthentication/#&/g' /etc/ssh/sshd_configsed -i 's/GSSAPICleanupCredentials/#&/g' /etc/ssh/sshd_config# 允许root远程登录sed -i '/PermitRootLogin/s/^#//g' /etc/ssh/sshd_config# 新版本可能未开启一些加密算法,增加安全性sed -ie ''$(grep -rn 'Ciphers and keying' /etc/ssh/sshd_config | cut -d ':' -f1)'a Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n\nMACs hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com \n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 \n' /etc/ssh/sshd_config# 重启服务systemctl restart sshd
Cloud技术栈
