Centos7 OpenSSH漏洞整改

绝地灬酷狼 2023-01-22 15:50 4阅读 0赞

OpenSSHow漏洞风险提示，因此需要进行升级整改

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70][]

## ![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 1][] ##

## 一、安装telnet(以防升级失败，ssh连不上服务器) ##

1、查看是否已经安装telnet服务

[root@localhost ~]# rpm -qa|grep telnet
    [root@localhost ~]# rpm -qa|grep xinetd

2、yum安装

[root@localhost ~]# yum -y install telnet* 
    [root@localhost ~]# yum -y install xinetd

3、启动telnet服务并设置自动启动

[root@localhost ~]# systemctl enable xinetd.service
    [root@localhost ~]# systemctl start  xinetd.service
    
    [root@localhost ~]# systemctl enable telnet.socket
    [root@localhost ~]# systemctl start  telnet.socket

4、添加

#在文本最后添加
    [root@localhost ~]# vi /etc/securetty 
    pts/0
    pts/1
    pts/2
    
    #查看
    [root@localhost ~]# tail -3 /etc/securetty 
    pts/0
    pts/1
    pts/2

5、重启服务并查看端口

[root@localhost ~]# systemctl restart xinetd
    [root@localhost ~]# ss -ntlp|grep 23
    LISTEN     0      128         :::23                      :::*                   users:(("systemd",pid=1,fd=43))

## 二、升级OpenSSl ##

1、查看系统原版本

[root@localhost ~]# openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017

2、下载[https://ftp.openssl.org/source/][https_ftp.openssl.org_source]

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 2][]

3、安装依赖包

[root@localhost ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib*

4、解压

[root@localhost ~]# tar zxvf openssl-1.1.1k.tar.gz

5、检测环境

[root@localhost ~]# cd openssl-1.1.1k
    [root@localhost openssl-1.1.1k]# ./config --prefix=/usr/local/openssl

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 3][]

6、编译并安装

[root@localhost openssl-1.1.1k]# make && make install

7、替换当前系统的旧版本openssl(先保存原来的)

[root@localhost openssl-1.1.1k]# which openssl
    /usr/bin/openssl
    [root@localhost openssl-1.1.1k]# mv /usr/bin/openssl /usr/bin/openssl.old
    [root@localhost openssl-1.1.1k]# mv /usr/lib64/openssl /usr/lib64/openssl.old
    [root@localhost openssl-1.1.1k]# mv /usr/lib64/libssl.so /usr/lib64/libssl.so.old
    
    [root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    [root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
    [root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so
    [root@localhost openssl-1.1.1k]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    [root@localhost openssl-1.1.1k]# ldconfig -v

8、确认版本

![20210521082551579.png][]

## 三、升级openssh ##

1、查看系统原版本

[root@localhost ~]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2、下载[https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/][https_openbsd.hk_pub_OpenBSD_OpenSSH_portable]

![20210521083957223.png][]

3、解压

[root@localhost ~]# tar zxvf openssh-8.6p1.tar.gz

4、移除旧版本

#移除之后，不能退出当前终端。若退出，只能通过telnet连接
    [root@localhost ~]# mv /etc/ssh /etc/ssh.old

5、编译并安装

[root@localhost ~]# cd openssh-8.6p1
    [root@localhost openssh-8.6p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib --without-hardening
    
    [root@localhost openssh-8.6p1]# make && make install

6、修改启动脚本

#拷贝启动脚本
    [root@localhost openssh-8.6p1]# cp ./contrib/redhat/sshd.init /etc/init.d/sshd
    
    #修改启动脚本
    [root@localhost openssh-8.6p1]# vi /etc/init.d/sshd
    
    #按如下图修改,需要注意，此路径是你安装新版本的openssh路径，根据你的实际情况修改
    SSHD=/usr/local/openssh/sbin/sshd

![20210521085404186.png][]

7、修改sshd配置文件/etc/ssh/sshd\_config

#直接用root登录终端（此处根据自身情况考虑）
    [root@localhost openssh-8.6p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    #设置是否允许X11转发
    [root@localhost openssh-8.6p1]# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
    #是否允许密码验证
    [root@localhost openssh-8.6p1]# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config

8、卸载原有ssh（先安装后卸载，也是怕升级失败）

for i in  $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done

提示告警

![20210521091530105.png][]

将警告中被修改的文件名字再改回来

[root@localhost ~]# mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
    [root@localhost ~]# mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
    [root@localhost ~]# mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli

9、替换相关命令，并重启sshd服务

[root@localhost ~]# cp -arp /usr/local/openssh/bin/* /usr/bin/
    [root@localhost ~]# systemctl restart sshd

10、验证升级版本

![20210521092330831.png][]

11、设置开机启动

[root@localhost ~]# systemctl enable sshd

12、ssh正常登陆之后为了系统安全，需要停用telnet服务

[root@localhost ~]# systemctl stop xinetd
    [root@localhost ~]# systemctl disable  xinetd
    
    [root@localhost ~]# systemctl stop telnet.socket
    [root@localhost ~]# systemctl disable  telnet.socket

## 四、隐藏openssh版本号 ##

修改ssh默认端口之后，版本号也想隐藏

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 4][]

1、（重点）要在执行编译步骤之前修改version.h文件

[root@localhost ~]# cd openssh-8.6p1
    [root@localhost openssh-8.6p1]# vi version.h 
    
    /* $OpenBSD: version.h,v 1.90 2021/04/16 03:42:00 djm Exp $ */
    
    #define SSH_VERSION     "OpenSSH_8.6"
    
    #define SSH_PORTABLE    "p1"
    #define SSH_RELEASE     SSH_VERSION SSH_PORTABLE

修改前，删除版本号

![20210521172635671.png][]

修改后

![20210521172900424.png][]

2、接着按照第三大点执行编译和后面的步骤即可

3、再次查看已经没有版本号

![20210521173256751.png][]

4、再次扫描查看

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 5][]

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70]: /images/20221020/f5564e1469ac47b5b7e68641a655b9ef.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 1]: /images/20221020/b13b85ebaa1345b18c9942c23f7111bd.png
[https_ftp.openssl.org_source]: https://ftp.openssl.org/source/
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 2]: /images/20221020/af5a808a9c454d7e92de1ef23ad455ba.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 3]: /images/20221020/53929f6ba4864912a1ff225d024dc7af.png
[20210521082551579.png]: /images/20221020/71286184ad7f4ad4bd0c78a9a5610102.png
[https_openbsd.hk_pub_OpenBSD_OpenSSH_portable]: https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
[20210521083957223.png]: /images/20221020/d129cf7457ff4c09b618a4bcfadddaa7.png
[20210521085404186.png]: /images/20221020/484868d59ffa44bd9713cb99f29f28e1.png
[20210521091530105.png]: /images/20221020/c7ed9006bb0b43b99ca1ea1fb9e3f678.png
[20210521092330831.png]: /images/20221020/67bd5966c7124790a50c0d77e082f97e.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 4]: /images/20221020/1d5f6d69008a4fb1a21fb2eb55059942.png
[20210521172635671.png]: /images/20221020/bd039ca9b7c340118d32dc847b66b7f4.png
[20210521172900424.png]: /images/20221020/3be597a43329423d93a3116d1782061d.png
[20210521173256751.png]: /images/20221020/3c88122cda70496da77cdd08a7346ddb.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3RsYWRhZ2lv_size_16_color_FFFFFF_t_70 5]: /images/20221020/745a910f772544a1a321c07ebc53e276.png