主机安全加固--升级openssh及openssl

绿盟漏洞扫描结果:

OpenSSH是SSH协议的开源实现。

OpenSSH的默认服务器配置在管理连接槽的实现上存在拒绝服务漏洞,远程攻击者可利用此漏洞耗尽服务器上连接槽,触发拒绝服务。

解决办法:升级openssl 版本 :OpenSSL 1.0.1g 

OpenSSH版本: 6.6p1

升级操作步骤:

下载安装包

ftp://ftp.openssl.org/source/openssl-1.0.1.tar.gz

http://mirror.switch.ch/ftp/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz

http://sourceforge.net/projects/libpng/files/zlib/1.2.8/zlib-1.2.8.tar.xz/download?use_mirror=cznic&download=


一、查看版本命令:

openssl version -a
ssh -V

二、打开telnet功能

三、上传zlib及ssh安装包到root用户

1) 安装zlib包

tzr zxvf zlib-1.2.8.tar.gz

cd zlib-1.2.8
./configure --prefix=/usr/local/zlib
make
make install

2)升级openssh包

cd /etc

mv ssh ssh_bak

service sshd stop

tar zxvf openssh-6.6p1.tar.gz

cd openssh-6.6p1

./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check
make

make install

vi /etc/ssh/sshd_config

service sshd restart

chkconfig sshd on

3)升级OPENSSL

上传安装包到/usr/local/src目录下

cd /usr/local/src
tar zxvf openssl-1.0.1.tar.gz

cd openssl-1.0.1

./config shared zlib
make
make test
make install
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

4)查看版本

openssl version -a

ssh -V


FAQ1:cp: cannot create regular file `/var/empty/sshd/etc': No such file or directory

解决办法:mkdir   /var/empty/sshd/etc

FAQ2:openssl 滴血漏洞版本

根据OpenSSL官方消息,该漏洞的编号为“CVE-2014-0160 ”。受影响的版本包括:OpenSSL1.0.1、1.0.2-beta、1.0.1f和1.0.2 beta 1等。其中,1.0.1和 1.0.1f可以通过升级到 OpenSSL 1.0.1g 版本修复; 1.0.2beta和1.0.2beta1的漏洞将在OpenSSL 1.0.2-beta2版本中修复。

FAQ3: Starting sshd:WARNING: initlog is deprecated and will be removed in a future release

解决办法:更换/etc/initd.d/sshd文件

[root@localhost init.d]# cat sshd
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid

runlevel=$(set -- $(runlevel); eval "echo \$$#" )

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                rm -f $RSA1_KEY
                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA1_KEY.pub
                        fi
                        success $"RSA1 key generation"
                        echo
                else
                        failure $"RSA1 key generation"
                        echo
                        exit 1
                fi
        fi
}

do_rsa_keygen() {
        if [ ! -s $RSA_KEY ]; then
                echo -n $"Generating SSH2 RSA host key: "
                rm -f $RSA_KEY
                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA_KEY.pub
                        fi
                        success $"RSA key generation"
                        echo
                else
                        failure $"RSA key generation"
                        echo
                        exit 1
                fi
        fi
}

do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                rm -f $DSA_KEY
                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $DSA_KEY.pub
                        fi
                        success $"DSA key generation"
                        echo
                else
                        failure $"DSA key generation"
                        echo
                        exit 1
                fi
        fi
}

do_restart_sanity_check()
{
        $SSHD -t
        RETVAL=$?
        if [ ! "$RETVAL" = 0 ]; then
                failure $"Configuration file or keys are invalid"
                echo
        fi
}

start()
{
        # Create keys if necessary
        do_rsa1_keygen
        do_rsa_keygen
        do_dsa_keygen

        cp -af /etc/localtime /var/empty/sshd/etc

        echo -n $"Starting $prog: "
        $SSHD $OPTIONS && success || failure
        RETVAL=$?
        [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
        echo
}

stop()
{
        echo -n $"Stopping $prog: "
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD
        else
            failure $"Stopping $prog"
        fi
        RETVAL=$?
        # if we are in halt or reboot runlevel kill all running sessions
        # so the TCP connections are closed cleanly
        if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
            killall $prog 2>/dev/null
        fi
        [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
        echo
}

reload()
{
        echo -n $"Reloading $prog: "
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD -HUP
        else
            failure $"Reloading $prog"
        fi
        RETVAL=$?
        echo
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                stop
                start
                ;;
        reload)
                reload
                ;;
        condrestart)
                if [ -f /var/lock/subsys/sshd ] ; then
                        do_restart_sanity_check
                        if [ "$RETVAL" = 0 ] ; then
                                stop
                                # avoid race
                                sleep 3
                                start
                        fi
                fi
                ;;
        status)
                status -p $PID_FILE openssh-daemon
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
                RETVAL=1
esac
exit $RETVAL





你可能感兴趣的:(操作系统)