Centos7 手动升级OpenSSH版本解决CVE-2021-41617漏洞

Posted 2022-01-06 ning235

CVE-2021-41617 OpenSSH 8.8 之前的版本都有漏洞选择升级版本来解决


#[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
#[root@localhost ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
#[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
#[root@localhost ~]#

#安装telnet-server以及xinetd 为防止升级过程中意外中断（备用方式）
yum install xinetd telnet-server -y
#配置telnet登录的终端类型，在/etc/securetty文件末尾增加一些pts终端，如下
cat >> /etc/securetty << eof
pts/0
pts/1
pts/2
pts/3
eof

systemctl enable xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd
ss -lntp|grep 23
#开放端口
#iptables -L -nv
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#service iptables reload && iptables -L -nv
#或
#firewall-cmd --zone=public --add-port=23/tcp --permanent
#firewall-cmd --reload
#firewall-cmd --zone=public --query-port=23/tcp
#firewall-cmd --zone=public --remove-port=80/tcp --permanent

#升级需要几个组件，有些是和编译相关的等
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel
yum install -y pam* zlib*
#可以手动去官网下载
mkdir /usr/soft/ -p && cd /usr/soft/
wget https://mirror.leaseweb.com/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
tar xfz openssl-1.1.1m.tar.gz
#备份下面2个文件或目录（如果存在的话就执行）
mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak

#编译安装新版本的openssl
#配置、编译、安装3个命令一起执行
cd /usr/soft/openssl-1.1.1m/
./config --prefix=/usr/local/openssl shared && make -j2 && make install
echo $?

#下面文件或者目录做软链接 （刚才前面的步骤mv备份过原来的）
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
#目录软链接
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1  /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1

ll /usr/bin/openssl
lrwxrwxrwx 1 root root 26 Aug  9 14:52 /usr/bin/openssl -> /usr/local/ssl/bin/openssl
ll /usr/include/openssl -ld
lrwxrwxrwx 1 root root 30 Aug  9 14:52 /usr/include/openssl -> /usr/local/ssl/include/openssl

#命令行执行下面2个命令加载新配置
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
/sbin/ldconfig
#查看确认版本。没问题
[root@testssh ~]# openssl version
OpenSSL 1.1.1m  14 Dec 2021

cd /usr/soft/
tar xfz openssh-8.8p1.tar.gz
cd openssh-8.8p1
chown -R root.root /usr/soft/openssh-8.8p1

#命令行删除原先ssh的配置文件和目录、然后配置、编译、安装
#rm -rf /etc/ssh/*
mv /etc/ssh/ /etc/sshbak/
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam && make -j2&& make install
grep "^PermitRootLogin"  /etc/ssh/sshd_config
grep  "UseDNS"  /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
mv /etc/init.d/sshd  /etc/pam.d/sshd.pam /tmp/
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd
#把原先的systemd管理的sshd文件删除或者移走或者删除，不移走的话影响我们重启sshd服务
mv  /usr/lib/systemd/system/sshd.service  /root/
chkconfig sshd on
/etc/init.d/sshd restart
ss -lntp
ssh -V

#重启服务器
#关闭telent和端口23
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket
ss -lntp

#vi /etc/sysconfig/iptables
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
#service iptables reload && iptables -L -nv