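Problem description: OpenSSH user enumeration vulnerability (CVE-2018-15473) [principle-based scan]
OpenSSH do_setup_env function privilege escalation vulnerability (CVE-2015-8325)
OpenSSH auth_password function denial-of-service vulnerability (CVE-2016-6515)
OpenSSH multiple denial-of-service vulnerabilities (CVE-2016-10708)
OpenSSH security restriction bypass vulnerability (CVE-2016-10012)
OpenSSH remote code execution vulnerability (CVE-2016-10009)
OpenSSH security vulnerability (CVE-2016-1908)
Solution: upgrade OpenSSH to the latest version (8.7)
Procedure:
1. Dependency packages: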
yum install wget gcc -y
yum install -y zlib-devel openssl-devel
yum install pam-devel libselinux-devel zlib-devel openssl-devel -y
2. Download the OpenSSH 8.7 package and upload it to the server, or download it directly with wget
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz
3. Remove the RPM packages of the older OpenSSH version
rpm -e --nodeps `rpm -qa | grep openssh`
4. Install OpenSSH
Extract
tar -zxvf openssh-8.7p1.tar.gz
cd openssh-8.7p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
Compile and install
make
make install
Set permissions
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
Copy the configuration files and allow remote login for the root user
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod u+x /etc/init.d/sshd
vim /etc/ssh/sshd_config
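1. Change the line #PermitRootLogin prohibit-password: remove the comment marker # and change prohibit-password to yes, so that it reads PermitRootLogin yes
2. Uncomment #PasswordAuthentication yes so that it reads PasswordAuthentication yes
Add the sshd service to the boot-time startup items
chkconfig --add sshd
chkconfig sshd on
Restart the service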
systemctl restart sshd
Check the installation result:
ssh -V
Note: upgrading to a newer version can cause login errors in Xshell or Xftp
Step 1: check the settings in /etc/ssh/sshd_config
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
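Step 2: check whether the firewall is enabled (the command below switches SELinux to permissive mode until the next reboot)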
setenforce 0
Step 3: check whether /etc/pam.d/sshd exists
/etc/pam.d/sshd must exist; without it authentication cannot succeed
Contents of /etc/pam.d/sshd on CentOS 7:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
(Then restart the sshd service again: systemctl restart sshd)
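The version check and troubleshooting steps 1 and 3 above can be scripted; the following is an added example, not part of the original post. The function names are hypothetical, and the parser reads a single sshd_config file without handling Match blocks or Include files.

```shell
#!/bin/sh
# Added example: post-upgrade checks. The 8.7 target, the three keywords and
# the file paths come from the page; the function names are hypothetical.

# Extract "major.minor" from an `ssh -V` banner like "OpenSSH_8.7p1, OpenSSL ...".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when the banner's version is >= the required "major.minor".
version_at_least() {
    have=$(openssh_version "$1"); want=$2
    [ -n "$have" ] || return 1
    hmaj=${have%%.*}; hmin=${have#*.}
    wmaj=${want%%.*}; wmin=${want#*.}
    [ "$hmaj" -gt "$wmaj" ] || { [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]; }
}

# Print the value sshd would use for a keyword in one config file: keywords
# are case-insensitive, commented lines are ignored, the first occurrence wins.
# Match blocks and Include files are not handled; `sshd -T` resolves those.
sshd_directive() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# Steps 1 and 3 of the troubleshooting list: the three settings must be set
# explicitly to "yes" and the PAM service file must exist.
check_sshd_login() {
    cfg=$1; pam=$2; rc=0
    for kv in PermitRootLogin=yes PubkeyAuthentication=yes PasswordAuthentication=yes; do
        k=${kv%%=*}; v=${kv#*=}
        got=$(sshd_directive "$cfg" "$k")
        [ "$got" = "$v" ] || { echo "MISMATCH $k: '${got:-unset}', page expects $v"; rc=1; }
    done
    [ -f "$pam" ] || { echo "MISSING $pam: PAM authentication will fail"; rc=1; }
    return "$rc"
}

# Run against the live system only when called with --check.
if [ "${1:-}" = "--check" ]; then
    version_at_least "$(ssh -V 2>&1)" 8.7 || echo "OpenSSH is older than 8.7"
    check_sshd_login /etc/ssh/sshd_config /etc/pam.d/sshd
fi
```

Save it as a script and run it as root with --check after restarting sshd.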