CentOS 7.9 64-bit: fixing the OpenSSH vulnerability

I. Background:

While running the CentOS 7.9 64-bit operating system, a vulnerability scan reported the following finding:

II. Steps to fix the OpenSSH vulnerability

Upgrade notes (all operations below assume root or administrator privileges; if you run into permission problems, prefix every command and command combination with sudo)

1. Check the CentOS operating system information:

(1) cat /etc/issue to check the version

[root@ecs-ab49 ~]# cat /etc/issue
\S
Kernel \r on an \m

(2) cat /etc/redhat-release to check the version (recommended)

[root@ecs-ab49 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

(3) cat /proc/version to check the kernel

[root@ecs-ab49 ~]# cat /proc/version
Linux version 3.10.0-1160.119.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Tue Jun 4 14:43:51 UTC 2024

2. Prepare the environment dependencies:

(1) OpenSSL version: OpenSSH 8.0 currently does not support OpenSSL 1.1.x or later; with a newer OpenSSL the build will fail with errors. Check the installed version first:

[root@ecs-ab49 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@ecs-ab49 ~]# rpm -qa|grep openssl
openssl-libs-1.0.2k-26.el7_9.x86_64
openssl-1.0.2k-26.el7_9.x86_64

If openssl is not installed, install openssl and openssl-devel:

[root@ecs-ab49 ~]# yum install openssl-devel openssl

(2) zlib and zlib-devel dependencies:

Zlib 1.1.4 or 1.2.1.2 or later is required.

[root@ecs-ab49 ~]# rpm -q zlib  rpm -q zlib-devel
zlib-1.2.7-21.el7_9.x86_64
package  rpm is not installed
package zlib-devel is not installed

Note: zlib-devel is not installed here, so install it:

[root@ecs-ab49 ~]# yum install zlib-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
base                                                                                                                                                                               | 3.6 kB  00:00:00     
epel                                                                                                                                                                               | 4.3 kB  00:00:00     
extras                                                                                                                                                                             | 2.9 kB  00:00:00     
updates                                                                                                                                                                            | 2.9 kB  00:00:00     
(1/7): epel/x86_64/group                                                                                                                                                           | 399 kB  00:00:00     
(2/7): epel/x86_64/updateinfo                                                                                                                                                      | 1.0 MB  00:00:00     
(3/7): base/7/x86_64/group_gz                                                                                                                                                      | 153 kB  00:00:00     
(4/7): base/7/x86_64/primary_db                                                                                                                                                    | 6.1 MB  00:00:00     
(5/7): epel/x86_64/primary_db                                                                                                                                                      | 8.7 MB  00:00:00     
(6/7): updates/7/x86_64/primary_db                                                                                                                                                 |  27 MB  00:00:00     
(7/7): extras/7/x86_64/primary_db                                                                                                                                                  | 253 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-21.el7_9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                          Arch                                         Version                                                Repository                                     Size
==========================================================================================================================================================================================================
Installing:
 zlib-devel                                       x86_64                                       1.2.7-21.el7_9                                         updates                                        50 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package

Total download size: 50 k
Installed size: 132 k
Is this ok [y/d/N]: y
Downloading packages:
zlib-devel-1.2.7-21.el7_9.x86_64.rpm                                                                                                                                               |  50 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : zlib-devel-1.2.7-21.el7_9.x86_64                                                                                                                                                       1/1 
  Verifying  : zlib-devel-1.2.7-21.el7_9.x86_64                                                                                                                                                       1/1 

Installed:
  zlib-devel.x86_64 0:1.2.7-21.el7_9                                                                                                                                                                      

Complete!

Check the zlib and zlib-devel dependencies again:

[root@ecs-ab49 ~]# rpm -q zlib zlib-devel
zlib-1.2.7-21.el7_9.x86_64
zlib-devel-1.2.7-21.el7_9.x86_64

(3) GCC dependency:

Check the gcc version:

[root@ecs-ab49 ~]# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 

If gcc is not installed, install it directly:

[root@ecs-ab49 ~]# yum install gcc

(4) Install pam-devel

[root@ecs-ab49 ~]# yum install -y pam-devel

3. Install the telnet and xinetd services:

To guard against a failed upgrade, enable the telnet service first so that you can still reach the remote host if the upgrade fails and sshd does not come back. Telnet is unencrypted, so keep it reachable only from a trusted network and remove it again in step 5 once the new sshd is confirmed working.

(1) Install the telnet service:

[root@ecs-ab49 ~]# rpm -qa | grep telnet
[root@ecs-ab49 ~]# yum list |grep telnet 
dcap-tunnel-telnet.x86_64                2.47.14-1.el7                 epel     
libguac-client-telnet.x86_64             1:1.5.5-1.el7                 epel     
libtelnet.x86_64                         0.23-1.el7                    epel     
libtelnet-devel.x86_64                   0.23-1.el7                    epel     
libtelnet-utils.x86_64                   0.23-1.el7                    epel     
telnet.x86_64                            1:0.17-66.el7                 updates  
telnet-server.x86_64                     1:0.17-66.el7                 updates  
[root@ecs-ab49 ~]# yum install telnet-server.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package telnet-server.x86_64 1:0.17-66.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                             Arch                                         Version                                             Repository                                     Size
==========================================================================================================================================================================================================
Installing:
 telnet-server                                       x86_64                                       1:0.17-66.el7                                       updates                                        41 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package

Total download size: 41 k
Installed size: 55 k
Is this ok [y/d/N]: y
Downloading packages:
telnet-server-0.17-66.el7.x86_64.rpm                                                                                                                                               |  41 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:telnet-server-0.17-66.el7.x86_64                                                                                                                                                     1/1 
  Verifying  : 1:telnet-server-0.17-66.el7.x86_64                                                                                                                                                     1/1 

Installed:
  telnet-server.x86_64 1:0.17-66.el7                                                                                                                                                                      

Complete!

(2) Install the xinetd service:

[root@ecs-ab49 ~]# rpm -qa | grep xinetd
[root@ecs-ab49 ~]# yum list |grep xinetd
xinetd.x86_64                            2:2.3.15-14.el7               base  
[root@ecs-ab49 ~]# yum install xinetd.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.15-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                        Arch                                           Version                                                 Repository                                    Size
==========================================================================================================================================================================================================
Installing:
 xinetd                                         x86_64                                         2:2.3.15-14.el7                                         base                                         128 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package

Total download size: 128 k
Installed size: 261 k
Is this ok [y/d/N]: y
Downloading packages:
xinetd-2.3.15-14.el7.x86_64.rpm                                                                                                                                                    | 128 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:xinetd-2.3.15-14.el7.x86_64                                                                                                                                                          1/1 
  Verifying  : 2:xinetd-2.3.15-14.el7.x86_64                                                                                                                                                          1/1 

Installed:
  xinetd.x86_64 2:2.3.15-14.el7                                                                                                                                                                           

Complete!

Start the telnet and xinetd services and verify that you can log in:

[root@ecs-ab49 ~]# systemctl enable telnet.socket 
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@ecs-ab49 ~]# systemctl start telnet.socket 
[root@ecs-ab49 ~]# systemctl status telnet.socket 
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; enabled; vendor preset: disabled)
   Active: active (listening) since Thu 2025-03-27 11:33:22 CST; 8s ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

Mar 27 11:33:22 ecs-ab49 systemd[1]: Listening on Telnet Server Activation Socket.
[root@ecs-ab49 ~]# systemctl enable xinetd 
[root@ecs-ab49 ~]# systemctl start xinetd
[root@ecs-ab49 ~]# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2025-03-27 11:33:45 CST; 4s ago
  Process: 10174 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 10175 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─10175 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing tcpmux
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: Started working: 0 available services
Mar 27 11:33:45 ecs-ab49 systemd[1]: Started Xinetd A Powerful Replacement For Inetd.

Login verification:

4. Upgrade the OpenSSH version:

(1) Back up the existing OpenSSH-related files

[root@ecs-ab49 ~]# cp -r -a /etc/ssh/ /etc/ssh.bak
[root@ecs-ab49 ~]# cp -r -a /etc/pam.d/ /etc/pam.d.bak
[root@ecs-ab49 ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak

(2) Download the openssh-8.0p1 source tarball:

[root@ecs-ab49 ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
--2025-03-27 11:42:18--  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.91.52
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.91.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1597697 (1.5M) [application/octet-stream]
Saving to: 'openssh-8.0p1.tar.gz'

100%[================================================================================================================================================================>] 1,597,697   1.53MB/s   in 1.0s   

2025-03-27 11:42:22 (1.53 MB/s) - 'openssh-8.0p1.tar.gz' saved [1597697/1597697]

Extract the openssh-8.0p1 package:

[root@ecs-ab49 ~]# tar -zxvf  openssh-8.0p1.tar.gz

(3) Remove the system's original openssh packages

Removal with rpm:

[root@ecs-ab49 ~]# rpm -e --nodeps `rpm -qa | grep openssh`

Removal with yum:

[root@ecs-ab49 ~]# yum remove openssh

(4) Build from source:

[root@ecs-ab49 ~]# cd openssh-8.0p1
[root@ecs-ab49 openssh-8.0p1]# ./configure --prefix=/usr/local/openssh8p1 --sysconfdir=/etc/ssh --with-pam --with-zlib

Result:

(5) Run make and make install:

[root@ecs-ab49 openssh-8.0p1]# make &&sudo make install

(6) Put the OpenSSH files in place

[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/etc/sshd_config /etc/ssh/sshd_config
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/sbin/sshd /usr/sbin/sshd
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh /usr/bin/ssh
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh-keygen /usr/bin/ssh-keygen
[root@ecs-ab49 openssh-8.0p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd

(7) File permissions

[root@ecs-ab49 openssh-8.0p1]# chmod +x /etc/init.d/sshd

(8) Configuration file changes (as needed)

[root@ecs-ab49 openssh-8.0p1]# vi /etc/ssh/sshd_config

Add the following lines:

PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

Comment out the following line so that it reads:

#TCPKeepAlive yes

(9) Enable start at boot

[root@ecs-ab49 openssh-8.0p1]# systemctl enable sshd

(10) Restart the service

[root@ecs-ab49 openssh-8.0p1]# systemctl restart sshd

(11) Verify the ssh version:

[root@ecs-ab49 ssh]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Re-run the scan to verify whether the OpenSSH vulnerability has been fixed; in this case the result showed it was fixed.
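Added example, not code from the original post: a POSIX shell script that checks the upgrade result after step (6) and before the restart in step (10). It parses the `ssh -V` line, confirms that the three directives added to /etc/ssh/sshd_config in step (8) are active (not commented out), and runs `sshd -t` so a broken config is caught before the service is bounced. The SSHD_BIN path, the 8.0 minimum version and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run after step (6)
# and before the sshd restart in step (10). It parses the `ssh -V` line,
# verifies the three directives added to sshd_config in step (8), and runs
# `sshd -t` so a broken config is caught before the service is bounced.
# Assumptions: sshd is at /usr/sbin/sshd (override with SSHD_BIN) and the
# minimum acceptable OpenSSH version is 8.0; neither comes from the page.

SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
MIN_VERSION=8.0

# Extract "major.minor" from e.g. "OpenSSH_8.0p1, OpenSSL 1.0.2k-fips ...".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 is >= version $2 (both "major.minor").
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Return 0 when every "Key value" argument is an active (uncommented) line in
# config file $1; commented-out lines such as "#TCPKeepAlive yes" do not count.
config_has_directives() {
    file=$1; shift
    for kv in "$@"; do
        key=${kv%% *}; val=${kv#* }
        grep -Eq "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$file" || return 1
    done
    return 0
}

# $1: text of `ssh -V` (it prints to stderr, so capture it with 2>&1)
# $2: path of the sshd_config to validate
post_upgrade_check() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || { echo "could not parse ssh -V output: $1"; return 1; }
    version_ge "$ver" "$MIN_VERSION" ||
        { echo "OpenSSH $ver is older than $MIN_VERSION"; return 1; }
    config_has_directives "$2" "PermitRootLogin yes" "PubkeyAuthentication yes" \
        "PasswordAuthentication yes" ||
        { echo "expected directives missing or commented out in $2"; return 1; }
    # Syntax/sanity test of the config; skipped when sshd is not on this box.
    if [ -x "$SSHD_BIN" ]; then
        "$SSHD_BIN" -t -f "$2" || { echo "sshd -t rejected $2"; return 1; }
    fi
    echo "ok: OpenSSH $ver, $2 passes checks"
}
```

On the upgraded host, run `post_upgrade_check "$(ssh -V 2>&1)" /etc/ssh/sshd_config` as root; a non-zero exit means do not restart sshd yet, and the telnet session from step 3 remains your fallback.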

5. Remove the telnet and xinetd services:

(1) Check the installed telnet and xinetd packages and remove them

[root@ecs-ab49 ssh]# rpm -qa |grep telnet
[root@ecs-ab49 ssh]# yum remove -y telnet-server xinetd

(2) Restore the securetty file that was modified earlier:

[root@ecs-ab49 ssh]# mv  /etc/securetty.bak  /etc/securetty

With this, the OpenSSH vulnerability on CentOS 7.9 64-bit has been fixed.
