最近进行安全检查,发现内网网站服务器上漏洞扫描出来多个因 OpenSSH 版本过低而报出的漏洞:
OpenSSH 安全漏洞(CVE-2017-15906):sftp-server 只读模式下仍可创建零长度文件(上游 7.6 修复)
OpenSSH 安全漏洞(CVE-2018-15919):启用 GSSAPI 认证时可用于枚举用户名(上游评级较低)
OpenSSH 安全漏洞(CVE-2018-15473):通过畸形认证包可枚举用户名(上游 7.8 修复)
动手之前先说明一点:大多数扫描器只比对 SSH banner 里的版本号,而 Red Hat/CentOS 的做法是把修复回补(backport)到 openssh-7.4p1 的后续勘误包里、版本号并不变,所以这类结果经常是误报。建议先 `yum update openssh` 然后 `rpm -q --changelog openssh | grep -i CVE-201` 核对,例如 CVE-2017-15906、CVE-2018-15473 在后续 el7 勘误包中已有回补(以 changelog 为准)。只有确认厂商包没有修复时,再考虑下面这种源码编译的方式——因为一旦用源码覆盖了 rpm 文件,这台机器就脱离了 yum 的安全更新流,后续每个 OpenSSH 漏洞都得自己手工跟进;并且之后若 `yum update` 又拉到新版 openssh rpm,会把 /usr/bin/ssh、/usr/sbin/sshd 重新覆盖回 7.4p1,需要在 /etc/yum.conf 里加 `exclude=openssh*` 防止"回退"。本着更新包治百病的原则,下面记录更新到最新版本的过程
[root@webserver ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@webserver ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@webserver ~]# cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
由于之前都是通过ssh远程管理服务器的,更新OpenSSH期间可能会导致ssh无法连接,所以下面的更新操作都用telnet远程进行。注意:telnet 是明文协议,root 口令和整个会话都会在内网里裸传,只应作为最后手段。更稳妥的做法依次是:(1)用带外管理(IPMI/KVM/虚拟机控制台)操作;(2)不关已有的 ssh 会话——CentOS 7 自带的 sshd.service 是 `KillMode=process`,`systemctl stop/restart sshd` 只杀监听进程,已登录的会话不会断,足够作为回滚通道;(3)新 sshd 装好后先用另一个端口试跑 `/usr/sbin/sshd -d -p 2222`,从第二个终端确认能登录并 `ssh -V` 看到新版本,再切换 22 端口。实在要用 telnet,也请用 xinetd 的 `only_from` 或 firewalld 把 23 端口限制到一台跳板机,并在升级结束后立即拆除(见后文)。
//注意:CentOS 7 的 telnet-server 自带 telnet.socket/telnet@.service(下面 systemctl 启用的就是它),并不需要 xinetd;装 xinetd 只是多开一个常驻服务、扩大攻击面。CentOS 6 才依赖 xinetd
[root@webserver ~]# yum install -y telnet-server xinetd
//不建议 enable:开机自启意味着一个可 root 登录的明文 telnet 会跟着每次重启(后文确实重启过)一起回来。这里只需要 start,升级完成并验证 ssh 可登录后务必清理:systemctl disable --now telnet.socket xinetd && yum remove -y telnet-server xinetd && mv /etc/securetty.bak /etc/securetty,并用 ss -lntp 确认 23 端口已关闭
[root@webserver ~]# systemctl enable xinetd telnet.socket
[root@webserver ~]# systemctl start xinetd telnet.socket
//临时允许root用户通过telnet连接。注意 /etc/securetty 不存在时 pam_securetty 会对所有 tty(不只 telnet)放行 root 登录,这一步扩大的权限面比"允许 telnet"要大。更好的做法是根本不让 root 走 telnet:用普通账号 telnet 登录后 su/sudo,securetty 原样不动;若一定要 root 直接登录,也应只在 securetty 里追加 pts/0 … pts/3 这几行而不是整个文件挪走,并在升级后立即还原
[root@webserver ~]# cd /etc
[root@webserver etc]# mv securetty securetty.bak
分别下载OpenSSL最新版本openssl-1.1.1d.tar.gz(2019.9.10发布)和OpenSSH最新版本openssh-8.1p1.tar.gz(2019.10.9发布)源码并扔到服务器上。两个项目都提供签名文件(openssh-8.1p1.tar.gz.asc 由 OpenSSH 发布密钥签名,OpenSSL 提供 .sha256 和 .asc),在往生产机上拷之前先 `gpg --verify` / `sha256sum -c` 核对,编译安装的二进制没有任何包管理器校验,这是唯一一道供应链检查。另外"最新"是以本文写作时间(2019.10)为准,照搬时请重新查当前版本。
https://ftp.openssl.org/source/
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
//更新&安装后面升级需要用到的编译器等相关包。说明:这里装的 openssl-devel 是系统自带的 1.0.2k 头文件,OpenSSH 8.1 可以直接对着它编译,并不强求先升 OpenSSL。另外在对外提供服务的 web 服务器上常驻 gcc/make 并不理想(CIS 之类基线都建议生产机不留编译器),更规范的做法是在同版本的构建机上编译、把产物(或自打的 rpm)拷过来,至少在升级完成后 yum remove 掉编译工具链
[root@webserver ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
//备份原有的openssh相关文件夹。注意这一步会把主机密钥(ssh_host_*_key*)和 sshd_config 一起挪走,make install 之后 /etc/ssh 里会是一套全新的密钥和上游默认配置,后果有三:(1)所有客户端都会看到 "REMOTE HOST IDENTIFICATION HAS CHANGED" 警告,等于训练用户无脑接受新密钥,这是中间人攻击最想要的习惯——应在 make install 后把 /etc/ssh_bak/ssh_host_* 拷回来(保持 600/644 权限);(2)之前做过的加固(PermitRootLogin、AllowUsers、认证方式限制等)全部丢失,要按 ssh_bak/sshd_config 重新套用,注意上游默认配置里 UsePAM 是注释掉的(即 no),需显式写 UsePAM yes;(3)RHEL 默认配置里有 SyslogFacility AUTHPRIV,上游默认是 AUTH,换成上游配置后 sshd 日志会从 /var/log/secure 跑到 /var/log/messages,日志采集和登录告警规则会悄悄失效。改完用 sshd -t 检查语法再启动
[root@webserver ~]# mv /etc/ssh /etc/ssh_bak
[root@webserver ~]# mkdir /etc/ssh
//停止sshd服务。CentOS 7 的 sshd.service 是 KillMode=process,这里只会杀掉监听进程,已经登录的 ssh 会话不受影响,可以当作 telnet 之外的保底回滚通道——在新 sshd 验证能登录之前不要主动退出这些会话
[root@webserver ~]# systemctl stop sshd
//解压编译安装。注意下面这条 configure 没有 --with-pam(后文第二次尝试时才加上),没有 PAM 支持的 sshd 不会经过 pam_faillock/pam_tally 锁定、口令过期、/etc/security/limits 等系统策略,对一台对内服务的机器来说这是实打实的加固退化;建议和后文保持一致加上 --with-pam,并在 sshd_config 里写 UsePAM yes(用 PAM 时 --with-md5-passwords 也就没有意义了)。另外 --prefix=/usr 会直接覆盖 rpm 拥有的 /usr/bin/ssh、/usr/sbin/sshd 等文件,之后 rpm -V openssh-server 会报一堆改动,请在资产/变更记录里写明,免得以后被当成被篡改的二进制
[root@webserver download]# tar -zxvf openssh-8.1p1.tar.gz
[root@webserver download]# cd openssh-8.1p1
[root@webserver openssh-8.1p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords && make && make install
//错误处理
上面最后一步make install如果出现下面错误:
strip:/usr/bin/st7UnhwT: 权限不够
/bin/install: 拆解过程非正常中止
make: *** [install-files] 错误 1
修改Makefile,将STRIP_OPT=-s这一行注释掉(开头加上#),然后再重新单独运行make install。这样装出来的是未 strip 的二进制,功能上没有影响。不过 root 在 /usr/bin 下 strip 临时文件居然"权限不够",本身就值得留意——journal 里能看到 resguard_linux 之类的内核过滤模块,很可能是某个安全代理在拦截对 /usr/bin 的写入(这里只是推测);装完后用 ssh -V 和 sha256sum 核对 /usr/bin/ssh、/usr/sbin/sshd 确实是刚编译出来的文件,而不是被拦截后残留的旧文件
OpenSSL没有更新,OpenSSH更新成功到8.1p1版本(ssh -V 应显示 OpenSSH_8.1p1;启动前先 sshd -t 检查配置语法)。
重新启动sshd服务,又遇到了新的问题
[root@webserver openssh-8.1p1]# systemctl start sshd
Job for sshd.service failed because a timeout was exceeded. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@webserver openssh-8.1p1]# journalctl -xe
-- Unit sshd.service has begun starting up.
10月 13 20:09:09 webserver kernel: [resguard_linux INFO filter.c:1271]: filter_closesocket: type: 1, object: 0, port: 5888
10月 13 20:09:10 webserver sshd[27090]: Server listening on 0.0.0.0 port 22.
10月 13 20:09:10 webserver sshd[27090]: Server listening on :: port 22.
10月 13 20:10:39 webserver systemd[1]: sshd.service start operation timed out. Terminating.
10月 13 20:10:39 webserver kernel: [resguard_linux INFO filter.c:1271]: filter_closesocket: type: 1, object: 0, port: 5632
10月 13 20:10:39 webserver kernel: [resguard_linux INFO filter.c:1271]: filter_closesocket: type: 1, object: 0, port: 5632
10月 13 20:10:39 webserver sshd[27090]: Received signal 15; terminating.
10月 13 20:10:39 webserver systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has failed.
--
-- The result is failed.
重启治百病...——但这个超时其实有明确原因,不需要靠重启碰运气:上面日志里 sshd 已经在 22 端口监听了(20:09:10),systemd 却在 90 秒后判定启动超时并发 SIGTERM,这正是 Type=notify 单元没收到就绪通知的表现。CentOS 7 自带的 /usr/lib/systemd/system/sshd.service 用的是 Type=notify,Red Hat 的 rpm 给 sshd 打了 sd_notify 补丁,而上游源码编译出的 sshd 不会发这个通知。修法是加一个 drop-in 而不是改 rpm 文件:mkdir -p /etc/systemd/system/sshd.service.d && printf '[Service]\nType=simple\n' > /etc/systemd/system/sshd.service.d/override.conf && systemctl daemon-reload && systemctl start sshd。另外要意识到:带着一个启动失败的 sshd 去重启,机器起来后唯一的远程入口就只剩那个明文 telnet,这是本文流程里最危险的一步
更新安装openssl成功了,但是再继续安装openssh的时候调用openssl失败一直搞不定,算球~回滚快照了,不更新openssl直接更新openssh吧。下面命令中可以忽略安装openssl的过程了,不过辛辛苦苦记录了这么多,不舍得删了~注意避坑。事后看,失败的原因在最后那条 configure 的 --with-ssl-dir 指错了目录(见文末说明),并不是 ldconfig 的问题;而且源码装 OpenSSL 1.1.1 到 /usr/local 只会多出一套 libssl.so.1.1,系统里所有链接 libssl.so.10 的服务(httpd、curl、yum 等)仍然用的是 1.0.2k,所以"更新 OpenSSL"并不能修掉扫描器报在系统 OpenSSL 上的问题,反而把 /usr/include/openssl 换成了和系统库不匹配的头文件。系统 OpenSSL 的漏洞修复应通过 yum update openssl 走厂商回补
//更新&安装后面升级需要用到的编译器等相关包
[root@webserver ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
//-------安装openssl-------
//备份原有的openssl相关文件夹——其实没有必要:下面 ./config shared 默认装到 /usr/local(二进制 /usr/local/bin、头文件 /usr/local/include、库 /usr/local/lib64),和系统的 /usr/bin/openssl、/usr/include/openssl 互不冲突。把 rpm 拥有的这两个路径挪走会让 openssl、openssl-devel 包处于损坏状态,后面任何针对系统 OpenSSL 1.0.2 编译的软件都会拿到错误的 1.1.1 头文件。正确做法是系统文件原样不动,只在编译 OpenSSH 时用 --with-ssl-dir=/usr/local 指向新版本
[root@webserver ~]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@webserver ~]# mv /usr/include/openssl /usr/include/openssl_bak
//解包
[root@webserver download]# tar -zxvf openssh-8.1p1.tar.gz
[root@webserver download]# tar -zxvf openssl-1.1.1d.tar.gz
//编译&安装
[root@webserver download]# cd openssl-1.1.1d
[root@webserver openssl-1.1.1d]# ./config shared && make && make install
//编译安装需要时间略长,大概5分钟左右,完成后检查是否成功,输出0表示没错误
[root@webserver openssl-1.1.1d]# echo $?
0
//创建新的软连接。注意第二条把 /usr/include/openssl 指向 1.1.1 的头文件,而 /usr/lib64 下的库仍是 1.0.2k(libssl.so.10),从此凡是按"系统 OpenSSL"编译的程序都会头文件与库不匹配;不建议这样做,见上面的说明
[root@webserver openssl-1.1.1d]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@webserver openssl-1.1.1d]# ln -s /usr/local/include/openssl /usr/include/openssl
//加载新配置。把路径写到 /etc/ld.so.conf.d/openssl-1.1.1.conf 比直接追加 /etc/ld.so.conf 更规范,效果相同。注意 1.1.1 安装的是 libssl.so.1.1/libcrypto.so.1.1,soname 和系统的 .so.10 不同,所以这一步并不会让现有系统服务换用新库——想让 sshd 用 1.1.1,必须在 OpenSSH 的 configure 里显式指向 /usr/local
[root@webserver openssl-1.1.1d]# echo "/usr/local/lib64" >> /etc/ld.so.conf
[root@webserver openssl-1.1.1d]# /sbin/ldconfig
//检查新版本
[root@webserver openssl-1.1.1d]# openssl version
OpenSSL 1.1.1d 10 Sep 2019
//-------安装openssh-------
//备份原有的openssh相关文件夹。同前:主机密钥和加固过的 sshd_config 都在这里面,make install 后要把 /etc/ssh_bak/ssh_host_* 拷回 /etc/ssh,否则所有客户端都会收到主机密钥变更警告;sshd_config 也需按备份重新套用加固项并显式写 UsePAM yes
[root@webserver openssl-1.1.1d]# cd ../openssh-8.1p1
[root@webserver openssh-8.1p1]# mv /etc/ssh /etc/ssh_bak
[root@webserver openssh-8.1p1]# mkdir /etc/ssh
//编译&安装
[root@webserver openssh-8.1p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
//出现错误。原因不在 ldconfig,而是 --with-ssl-dir=/usr/local/ssl 指错了位置:/usr/local/ssl 是 ./config 默认的 openssldir(只放 openssl.cnf 和证书目录),头文件和库实际在 /usr/local/include 和 /usr/local/lib64——上面自己做的软链和 ld.so.conf 追加的正是这两个路径。改成 --with-ssl-dir=/usr/local(必要时再加 LDFLAGS="-Wl,-rpath,/usr/local/lib64")即可;configure 失败时查 config.log 里最后一段 OpenSSL 检测的输出,比猜要快。另外 --with-ssl-dir 指向自编译的 1.1.1 之后,sshd 的 TLS/加密实现同样脱离了 yum 更新,OpenSSL 每出一个 CVE 都要重新编译 OpenSSL 和 OpenSSH,这个维护成本在决定前要算进去
error: OpenSSL library not found.