CentOS 7: Manually Upgrading OpenSSH to Fix CVE-2021-41617
Posted by ning235
CVE-2021-41617 affects OpenSSH versions before 8.8; the fix chosen here is to upgrade to a patched version.
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
# Install telnet-server and xinetd as a fallback login path in case the upgrade is interrupted unexpectedly
yum install xinetd telnet-server -y
# Configure the terminal types allowed for telnet login: append a few pts terminals to the end of /etc/securetty, as below
cat >> /etc/securetty << eof
pts/0
pts/1
pts/2
pts/3
eof
systemctl enable xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd
ss -lntp | grep -w 23
# Open the port
#iptables -L -nv
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#service iptables reload && iptables -L -nv
# or
#firewall-cmd --zone=public --add-port=23/tcp --permanent
#firewall-cmd --reload
#firewall-cmd --zone=public --query-port=23/tcp
# to remove the rule again after the upgrade:
#firewall-cmd --zone=public --remove-port=23/tcp --permanent
# The upgrade needs several packages, some of them build tools and development headers
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
yum install -y pam* zlib*
# The source tarballs can also be downloaded manually from the official sites
mkdir /usr/soft/ -p && cd /usr/soft/
wget https://mirror.leaseweb.com/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
tar xfz openssl-1.1.1m.tar.gz
# Back up the following two files/directories (run only if they exist)
mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak
# Build and install the new OpenSSL
# configure, build and install in one command
cd /usr/soft/openssl-1.1.1m/
./config --prefix=/usr/local/openssl shared && make -j2 && make install
echo $?
# Create symlinks for the files/directories below (the originals were moved aside in the backup step above)
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# directory symlink
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# shared libraries: with --prefix=/usr/local/openssl, OpenSSL 1.1.1 installs them under /usr/local/openssl/lib
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ll /usr/bin/openssl
lrwxrwxrwx 1 root root 26 Aug 9 14:52 /usr/bin/openssl -> /usr/local/ssl/bin/openssl
ll /usr/include/openssl -ld
lrwxrwxrwx 1 root root 30 Aug 9 14:52 /usr/include/openssl -> /usr/local/ssl/include/openssl
# Run the following two commands to register the new library path with the dynamic loader
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
/sbin/ldconfig
# Check and confirm the version; it is correct now
[root@testssh ~]# openssl version
OpenSSL 1.1.1m 14 Dec 2021
cd /usr/soft/
tar xfz openssh-8.8p1.tar.gz
cd openssh-8.8p1
chown -R root:root /usr/soft/openssh-8.8p1
# Remove (or move aside) the original ssh configuration files and directory, then configure, build and install
#rm -rf /etc/ssh/*
mv /etc/ssh/ /etc/sshbak/
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam && make -j2 && make install
grep "^PermitRootLogin" /etc/ssh/sshd_config
grep "UseDNS" /etc/ssh/sshd_config
# Note: the freshly generated sshd_config leaves PermitRootLogin at its default (prohibit-password); the line below re-enables full root login
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
# Move the RPM-supplied init script (if any) and PAM service file aside, then install the ones shipped in contrib/redhat.
# sshd looks up its PAM configuration as /etc/pam.d/sshd (its service name), not /etc/pam.d/sshd.pam
mv /etc/init.d/sshd /tmp/ 2>/dev/null
mv /etc/pam.d/sshd /tmp/sshd.pam
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod +x /etc/init.d/sshd
# Move the original systemd-managed sshd unit aside first; if it stays, systemd keeps using it instead of the init script and restarting sshd fails
mv /usr/lib/systemd/system/sshd.service /root/
systemctl daemon-reload
# register the SysV init script (systemd generates a wrapper unit for it)
chkconfig --add sshd
chkconfig sshd on
/etc/init.d/sshd restart
ss -lntp
ssh -V
# Reboot the server
# Disable telnet and close port 23
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket
ss -lntp
# vi /etc/sysconfig/iptables and delete the rule added earlier, i.e. the line below, then reload:
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#service iptables reload && iptables -L -nv
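A post-upgrade check script, added here as an example and not part of the original post: it parses the `ssh -V` banner and compares it against 8.8 (the first release the post treats as fixed), confirms that the installed /usr/sbin/sshd is linked against /usr/local/openssl/lib (the install paths used in the procedure above), and confirms nothing is still listening on the telnet fallback port 23. It assumes the GNU sed/sort/awk found on CentOS 7.

```sh
#!/bin/sh
# Post-upgrade verification for the OpenSSH/OpenSSL rebuild in the procedure
# above. Added example, not part of the original post. /usr/sbin/sshd and
# /usr/local/openssl/lib are the install paths used by that procedure.

# Print "major.minor" from an `ssh -V` banner such as
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017" -> "7.4".
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when major.minor version $1 is >= $2, comparing the fields
# numerically so that 8.10 sorts after 8.8.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Succeed when the banner reports OpenSSH 8.8 or later, the first release
# not affected by CVE-2021-41617.
openssh_fixed() {
    v=$(ssh_version "$1")
    [ -n "$v" ] && version_ge "$v" 8.8
}

# Succeed when `ss -lnt` output ($2) shows a listener on TCP port $1.
port_listening() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

# Live checks on this host: version, library linkage, telnet fallback closed.
check_host() {
    sshv=$(ssh -V 2>&1)
    openssh_fixed "$sshv" || { echo "FAIL: $sshv is still vulnerable"; return 1; }
    ldd /usr/sbin/sshd | grep -q '/usr/local/openssl/lib/libcrypto.so.1.1' \
        || { echo "FAIL: sshd is not linked against /usr/local/openssl"; return 1; }
    if port_listening 23 "$(ss -lnt)"; then
        echo "FAIL: telnet fallback (23/tcp) is still listening"; return 1
    fi
    echo "OK: $sshv, linked against the new OpenSSL, telnet closed"
}
```

Source the file and call `check_host` on the upgraded machine; exit status 0 means all three checks passed.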