SSL&SSH 版本漏洞升级

一、升级SSL

openssl 1.0.2n升级

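# Build prerequisites: a compiler plus the PAM and zlib development headers.
yum install gcc pam-devel zlib-devel -y

# NOTE(review): the page does not show where the openssl-1.0.2n source tree comes
# from. Check the tarball against the checksum/signature published by the OpenSSL
# project before building, and confirm the release is still supported upstream:
# the 1.0.2 branch is end-of-life, so a build from it receives no further public
# security fixes.

# Chain the build so a failed step stops the sequence instead of installing a
# half-built tree; the status printed afterwards must be 0.
cd openssl-1.0.2n &&
  ./config shared zlib-dynamic &&
  make &&
  make install
echo $?

ls /usr/local/ssl/

# Register the new library directory once; a bare >> appends a duplicate line on
# every rerun.
grep -qxF /usr/local/ssl/lib /etc/ld.so.conf ||
  echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

# Move the distribution binary and headers aside only on the first run, so a rerun
# cannot overwrite the backups with the symlinks created below.
[ -e /usr/bin/openssl.bak ] || mv /usr/bin/openssl /usr/bin/openssl.bak
[ -e /usr/include/openssl.bak ] || mv /usr/include/openssl /usr/include/openssl.bak

# Point the system paths at the self-built copy. This copy is not tracked by yum,
# so later OpenSSL security fixes have to be rebuilt and reinstalled by hand.
ln -sfn /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl

# Refresh the dynamic linker cache, then confirm which version is now in use.
ldconfig -v
openssl version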

二、升级SSH

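# Keep the current root session open (or have console access) for the whole
# upgrade: if the new sshd fails to start after the restart below, a fresh login
# over SSH is no longer possible.

# Back up the existing client, daemon, configuration, init script and root's keys.
cp -raf /usr/bin/ssh /usr/bin/ssh_bak
cp -raf /usr/sbin/sshd /usr/sbin/sshd_bak
cp -raf /etc/ssh /etc/ssh.bak
cp -raf /etc/init.d/sshd /etc/init.d/sshd.bak
cp -raf /root/.ssh/ /root/.ssh.bak

# NOTE(review): verify the tarball against the checksum/signature published by the
# OpenSSH project before unpacking it.
# Unpack into /root explicitly: without -C the tree lands in the current directory
# (the OpenSSL build directory if the earlier steps ran in this shell) and the cd
# below fails.
tar -xf /root/openssh-7.8p1.tar.gz -C /root

# --with-ssl-dir and --without-hardening must be separate words; fused into one
# argument they point configure at a path that does not exist.
# NOTE(review): --without-hardening turns off the toolchain hardening flags that
# configure would otherwise add. It is kept from the original procedure; try the
# build without it first and keep it only if the toolchain cannot build otherwise.
cd /root/openssh-7.8p1 &&
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords \
    --with-pam --with-zlib --with-privsep-path=/var/empty/sshd \
    --with-ssl-dir=/usr/local/ssl --without-hardening &&
  make &&
  make install
echo $?

# The configure line above has no --with-kerberos5, so the GSSAPI directives are
# commented out. The ^ anchor keeps a rerun from stacking extra # characters.
sed -i 's/^GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config

# Check the configuration and host keys with the new binary before replacing the
# running daemon; restart only if the check passes.
/usr/sbin/sshd -t && service sshd restart

ssh -V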

报错

Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libcrypto.so.1.0.0: failed to map segment from shared object: Permission denied

检查 SELinux

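# setenforce 0 puts SELinux into permissive mode until the next reboot; it does not
# clear or unload any policy rules. Use it only to confirm that SELinux is what
# stops sshd from mapping libcrypto, not as the fix.
setenforce 0

# NOTE(review): the likely cause is that the self-built libraries under
# /usr/local/ssl/lib carry no library file label -- confirm against the logged
# denial before changing anything else.
ausearch -m avc -ts recent

# Reapply the policy's default labels to the new tree, return to enforcing, and
# retry sshd while the current session is still open.
restorecon -Rv /usr/local/ssl
setenforce 1
service sshd restart

# Only if sshd is still denied after relabelling: the page's workaround edits the
# persistent mode in this file. "disabled" removes SELinux protection for every
# service on the host; "permissive" at least keeps logging the denials.
vim /etc/selinux/config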

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - SELinux is fully disabled.

SELINUX=enforcing        #原文做法:修改成 disabled。注意:disabled 会关闭整机的 SELinux 防护;更稳妥的做法是保持 enforcing,并修复 /usr/local/ssl/lib 下库文件的安全上下文

# SELINUXTYPE= type of policy in use. Possible values are:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=targeted

报错

Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libcrypto.so.1.0.0: failed to map segment from shared object: Permission denied

检查 SELinux

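# setenforce 0 puts SELinux into permissive mode until the next reboot; it does not
# clear or unload any policy rules. Use it only to confirm that SELinux is what
# stops sshd from mapping libcrypto, not as the fix.
setenforce 0

# NOTE(review): the likely cause is that the self-built libraries under
# /usr/local/ssl/lib carry no library file label -- confirm against the logged
# denial before changing anything else.
ausearch -m avc -ts recent

# Reapply the policy's default labels to the new tree, return to enforcing, and
# retry sshd while the current session is still open.
restorecon -Rv /usr/local/ssl
setenforce 1
service sshd restart

# Only if sshd is still denied after relabelling: the page's workaround edits the
# persistent mode in this file. "disabled" removes SELinux protection for every
# service on the host; "permissive" at least keeps logging the denials.
vim /etc/selinux/config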

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - SELinux is fully disabled.

SELINUX=enforcing        #原文做法:修改成 disabled。注意:disabled 会关闭整机的 SELinux 防护;更稳妥的做法是保持 enforcing,并修复 /usr/local/ssl/lib 下库文件的安全上下文

# SELINUXTYPE= type of policy in use. Possible values are:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=targeted
