SSH漏洞修复

SSH漏洞修复

• OpenSSH 命令注入漏洞(CVE-2020-15778)
• OpenSSH 用户枚举漏洞(CVE-2018-15919)
• OpenSSH 安全漏洞(CVE-2017-15906)

方案：升级openssh

1、下载最新openssh和openssl

cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
或者
wget ftp://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz

2、安装依赖环境

yum -y install rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl prce pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts libXt-devel imake gtk2-devel

3、升级openssl

mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
cd /usr/local/src/
tar -zxvf openssl-1.1.1t.tar.gz
cd openssl-1.1.1t
./config --prefix=/usr/local/openssl
make && make install 
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version

4、升级openssh

cd /usr/local/src/
tar zxvf openssh-9.3p1.tar.gz 
cd openssh-9.3p1

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening

make && make install

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd
chkconfig sshd on

mv /usr/lib/systemd/system/sshd.service  /home/

chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 600  /etc/ssh/ssh_host_rsa_key

systemctl daemon-reload
/etc/init.d/sshd restart

5、验证

systemctl status sshd
netstat -anptl
ssh -V
openssl version