因 Linux 服务器(CentOS 7.5、7.6、7.9)都被扫描出 SSH 低版本漏洞,需要升级。
升级思路:
1.多打开几个ssh窗口,以及打开telnet,避免ssh升级过程中断开无法连上远程。
2.升级OpenSSL为高版本OpenSSL 3.5.7
3.然后升级OpenSSH7.4到OpenSSH_9.8p1
bash
[root@ ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
升级前准备,多打开几个ssh窗口,以及打开telnet
网上查资料,telnet 登录需要 /etc/securetty 中有 pts 终端,但 CentOS 7.6 的 /etc/securetty 没有 pts 行
一、先给 securetty 添加 pts 虚拟终端(你当前文件缺少这部分)
- 一键追加 pts 行(直接复制执行)
bash
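# 逐条追加 pts/0..pts/9,已经存在的行跳过,重复执行不会产生重复条目
# 注意:securetty 里有 pts 后,root 可以直接通过 telnet(pts 终端)登录,升级完成后务必删掉这些行
for n in {0..9}; do
  grep -qx "pts/$n" /etc/securetty || printf 'pts/%s\n' "$n" >> /etc/securetty
done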
- 验证是否写入成功
bash
[root@ openssh-9.8p1]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0
ttysclp0
sclp_line0
3270/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
二、确认 telnet 服务配置(/etc/xinetd.d/telnet)
# 打开 telnet 的 xinetd 配置,逐项核对下面列出的内容
vi "/etc/xinetd.d/telnet"
bash
service telnet
{
# disable = no 表示启用 telnet;用完后改回 yes 或直接停掉 xinetd
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
# 建议只允许管理网段访问,缩小明文口令的暴露面(按实际网段填写后取消注释)
# only_from = <管理网段/掩码>
}
关键:disable = no 开启 telnet
三、防火墙放行 23 端口
bash
# 放行 23/tcp(telnet)。--permanent 只改持久化配置,必须 --reload 后才生效
# 注意:这样是对所有来源开放 23 端口;条件允许时改用 rich rule 只放行管理网段,例如:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<管理网段/掩码>" port port="23" protocol="tcp" accept'
firewall-cmd --add-port=23/tcp --permanent
firewall-cmd --reload
# 确认 23/tcp 已经出现在放行列表中
firewall-cmd --list-ports
四、关闭 SELinux(否则 telnet 登录大概率失败)
bash
# 只改运行时状态(permissive:只记录不拦截),重启后失效;升级完成后用 setenforce 1 改回
setenforce Permissive
如果要重启后仍然生效(永久关闭),则修改配置文件:
bash
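# 持久化为 permissive(与上面 setenforce 0 保持一致):只记录不拦截,升级完成后改回 enforcing 不需要重新打标签;
# 若改成 disabled,之后再开启 SELinux 时需要对整个文件系统 relabel,代价大得多
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config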
五、重启 xinetd 服务生效
bash
# 先设为开机自启(万一升级中途重启,telnet 还能进来),再重启服务让新配置生效
systemctl enable xinetd
systemctl restart xinetd
# 预期看到 Active: active (running)
systemctl status xinetd
六、测试登录
bash
# 本地自测
# 本机自测(显式写上 23 端口,与默认值相同)
telnet 127.0.0.1 23
# 从管理机远程验证;在确认 telnet 能登录之前,不要关闭任何已有的 ssh 窗口
telnet 你的服务器IP 23
安全提醒
telnet 明文传输账号密码,仅内网临时应急使用,公网严禁开放,用完立即关闭:
后续的关闭方法(现在先跳过,等升级完成后再执行):
bash
# --now 等价于先 stop 再 disable
systemctl disable --now xinetd
# 撤销 23/tcp 放行并重载生效
firewall-cmd --remove-port=23/tcp --permanent
firewall-cmd --reload
安装openssl-3.5.7
bash
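# 安装编译依赖(原来分散的几条 yum install 合并为一条,去掉了重复的包)
yum groupinstall "Development Tools" -y
yum install -y gcc gcc-c++ make wget zlib-devel pam-devel openssl-devel \
  perl perl-core perl-IPC-Cmd perl-Data-Dumper perl-Time-Piece
# 下载解压 3.5.7 源码;下载慢的话也可以手动下载后上传到 /usr/local/src
cd /usr/local/src
wget https://www.openssl.org/source/openssl-3.5.7.tar.gz
# 校验:把输出的 SHA256 与 openssl 官方发布页公布的值逐字对比,不一致就不要解压编译
sha256sum openssl-3.5.7.tar.gz
tar -zxf openssl-3.5.7.tar.gz
cd openssl-3.5.7
# 安装到独立目录(核心:不覆盖系统自带的 openssl 1.0.2k,yum 等系统组件依赖它)
./config --prefix=/usr/local/openssl3.5.7 --openssldir=/usr/local/openssl3.5.7 shared zlib
make -j"$(nproc)"
make install
# 把新库目录登记进动态链接器的搜索路径。注意这是系统级生效的,不是"只对 openssh 生效";
# 但新库的 soname 是 libssl.so.3/libcrypto.so.3,与系统自带的 libssl.so.10 不同名,不会替换系统程序所用的库。
# 目的是让后面编译出的 sshd 运行时能找到新版库。x86_64 默认装到 lib64,如果该目录不存在则改成 lib
echo "/usr/local/openssl3.5.7/lib64" > /etc/ld.so.conf.d/openssl3.5.7.conf
ldconfig
# 验证新版
/usr/local/openssl3.5.7/bin/openssl version
# 系统原版不受影响,仍应显示 1.0.2k
openssl version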
安装OpenSSH 9.8p1
bash
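# 编译安装 OpenSSH 9.8p1,链接上面装好的 OpenSSL 3.5.7
cd /usr/local/src
# 下载源码包
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
# 校验:把输出的 SHA256 与 OpenSSH 官方发布公告中的值逐字对比,不一致不要继续
sha256sum openssh-9.8p1.tar.gz
# 解压
tar -zxvf openssh-9.8p1.tar.gz
cd openssh-9.8p1
# 先备份现有 ssh 配置和主机密钥,出问题可以回滚
cp -a /etc/ssh "/etc/ssh.bak.$(date +%Y%m%d%H%M)"
# configure:安装到独立目录、沿用 /etc/ssh 下的配置和主机密钥、启用 PAM,并指定 OpenSSL 3.5.7
./configure \
  --prefix=/usr/local/openssh-9.8p1 \
  --sysconfdir=/etc/ssh \
  --with-pam \
  --with-zlib \
  --with-ssl-dir=/usr/local/openssl3.5.7
# 编译
make -j"$(nproc)"
# 安装(二进制只写入 --prefix 目录;/etc/ssh 下已有的配置文件和主机密钥通常不会被覆盖)
make install
# 新版 sshd 如果没有带 Kerberos/GSSAPI 编译,会对下面两个选项报 Unsupported option,先注释掉
sed -i 's/^GSSAPIAuthentication/#GSSAPIAuthentication/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials/#GSSAPICleanupCredentials/' /etc/ssh/sshd_config
# 用新版 sshd 做一次配置检查(-t 只检查不启动)。注意:make install 不会改动 /usr/sbin/sshd
# 和 systemd 的 sshd.service,之后需要自行把它们指向 /usr/local/openssh-9.8p1 下的新版并重启 sshd;
# 切换期间保持现有的 ssh/telnet 会话不要关闭,最后新开窗口登录并用 ssh -V 确认版本
/usr/local/openssh-9.8p1/sbin/sshd -t -f /etc/ssh/sshd_config
# 调整 PAM 配置(改法见下面)
vi /etc/pam.d/sshd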
#原有新增的:
auth [success=1 default=ignore] pam_succeed_if.so uid = 0 quiet
改为:
auth [success=done default=ignore] pam_succeed_if.so uid = 0 quiet
关闭telnet
bash
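# 前提:已经在新开的 ssh 窗口用新版 sshd 登录成功,ssh -V 显示 OpenSSH_9.8p1,再执行下面的清理
# 1. 停止并禁用 telnet 依赖的 xinetd(--now 等价于先 stop 再 disable)
systemctl disable --now xinetd
# 确认状态(显示 inactive (dead) 即关闭成功)
systemctl status xinetd
# 2. 防火墙删除 23 端口放行规则
firewall-cmd --remove-port=23/tcp --permanent
# 重载防火墙生效
firewall-cmd --reload
# 校验端口列表,没有 23/tcp 代表删除成功
firewall-cmd --list-ports
# 3. 恢复 /etc/securetty(删除前面追加的 pts 行,root 不再能从 pts 终端直接登录)
sed -i '/^pts\//d' /etc/securetty
# 输出为 0 即 pts/0、pts/1... 已全部删除
grep -c '^pts/' /etc/securetty
# 4. 恢复前面为 telnet 临时放开的 SELinux:改回 enforcing 并立即生效
#    (如果中间重启过且当时配置是 disabled,setenforce 会失败;此时改完配置后 touch /.autorelabel 再重启)
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
setenforce 1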