简述:最近2022年一季度收到网安漏洞扫描,基本上重复出现的漏洞都是openssh版本过低问题。就着手准备升级ssh,需要注意的是升级ssh或许会导致远程服务器失联,升级之前记得打开telnet连接方式。

一、环境准备

openSSH 8.8p1离线升级包

查看系统版本

[root@izpv301ot71ucbyplf9wz1z ~]# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
[root@izpv301ot71ucbyplf9wz1z ~]# cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

二、升级准备

  1. 创建路径 /root/OpenSSH 并授权,同时创建/root/OpenSSH/packages

  2. 服务器联网,如果不能联网手动下载安装包
    1) zlib-1.2.12.tar.gz
    2) openssl-1.1.1m.tar.gz
    3) openssh-8.8p1.tar.gz
    4) 依赖包需要:蓝奏云地址,也可以在下面的网站搜索下载RPM Search(有版本号比较好检索下载),将下载的rpm包拷贝到 /root/OpenSSH/packages 即可。
    软件包 gcc-4.8.5-44.el7.x86_64
    软件包 gcc-c++-4.8.5-44.el7.x86_64
    软件包 1:make-3.82-24.el7.x86_64
    软件包 pam-1.1.8-23.el7.x86_64
    软件包 pam-devel-1.1.8-23.el7.x86_64
    软件包 1:openssl-devel-1.0.2k-22.el7_9.x86_64
    软件包 pcre-devel-8.32-17.el7.x86_64
    软件包 4:perl-5.16.3-299.el7_9.x86_64
    软件包 zlib-devel-1.2.7-19.el7_9.x86_64

三、开始升级

将下面的脚本(UpdateOpenSSH.sh)上传至/root/OpenSSH目录,并给定执行权限chmod a+x UpdateOpenSSH.sh。执行./UpdateOpenSSH.sh,等待升级完毕。
UpdateOpenSSH.sh 蓝奏云地址

#!/bin/bash

clear
echo ------------------------------------------
echo        CentOS7 openssh升级到8.8p1
echo              (date +%F-%T)
echo         注意环境,使用前请做好测试!!!
echo ------------------------------------------
sleep 3s
clear
echo 安装进程开始  3
sleep 1s
clear
echo 安装进程开始  3  2
sleep 1s
clear
echo 安装进程开始  3  2  1
sleep 1s
clear
echo 刷新yum元数据缓存
sleep 2s

yum makecache
sleep 3s
clear
echo 检测安装telnet服务
sleep 1s
echo 尝试启动telnet服务
sleep 1s
cp /etc/securetty /etc/securetty.bak
grep  "pts/0"  /etc/securetty ||  echo 'pts/0' >> /etc/securetty
grep  "pts/1"  /etc/securetty ||  echo 'pts/1' >> /etc/securetty
systemctl restart telnet.socket &&  systemctl restart xinetd
ps -ef |grep xinetd | egrep -v grep > /dev/null
if [? -eq 0 ]
then
    echo 检测到telnet服务已启动……
    systemctl enable telnet.socket
    systemctl enable xinetd
        sleep 2s
else
    echo 未检测到telnet服务,开始安装服务……
    sleep 2s
    yum -y install xinetd telnet-server
    sleep 2s
    clear
    echo 安装telnet服务结束,启动服务……
    systemctl restart telnet.socket &&  systemctl restart xinetd
    systemctl enable telnet.socket
    systemctl enable xinetd
    sleep 1s
fi
clear
echo 关闭SElinux及防火墙并禁用……
sleep 2s
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
cat /etc/selinux/config
systemctl stop firewalld.service
systemctl disable firewalld.service
sleep 2s
clear
echo 安装程序依赖包……
sleep 2s
yum -y install gcc gcc-c++ make pam pam-devel openssl-devel pcre-devel perl zlib-devel
sleep 1s
clear
echo 停止并卸载原有ssh
sleep 3s
systemctl stop sshd
cp -r /etc/ssh /etc/ssh.old
cp -r /etc/init.d/ssh /etc/init.d/ssh.old
rpm -qa | grep openssh
sleep 1s
rpm -e rpm -qa | grep openssh --nodeps
rpm -qa | grep openssh
sleep 1s
clear

echo 判断是否需要安装wget
WGET=rpm -qa | grep wget
if [WGET -z ];then
    yum install -y wget
fi
echo 准备文件和参数
echo ################################################################
echo 服务器无法联网下载的可以将所需要的升级包放到/root/OpenSSH目录下
echo ################################################################
file=/root/OpenSSH
zlib=http://www.zlib.net/zlib-1.2.12.tar.gz
openssl=https://www.openssl.org/source/openssl-1.1.1m.tar.gz
openssh=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
echo 创建目录
mkdir -pfile/zlib
mkdir -p file/openssl
mkdir -pfile/openssh
echo 联网通过wget下载安装包
cd file
echo 开始下载zlib
#wgetzlib
echo 开始下载openssl
#wget --no-check-certificate openssl
echo 开始下载openssh
#wget --no-check-certificateopenssh
###安装相关依赖包###
yum install -y gcc make perl zlib zlib-devel pam pam-devel

echo 安装zlib
sleep 2s
tar -xzf zlib*.tar.gz -C file/zlib 
sleep 2s
cdfile/zlib/zlib*
./configure --prefix=/usr/local/zlib && make && make install
ls -l /usr/local/zlib
cd ..
sleep 1s
clear
echo 配置zlib
grep  "/usr/local/zlib/lib"  /etc/ld.so.conf.d/zlib.conf ||  echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
sleep 1s
clear
echo 安装openssl
sleep 5s
mv -f /usr/bin/openssl /usr/bin/openssl.old
mv -f /usr/include/openssl /usr/include/openssl.old
mv -f /usr/lib64/openssl /usr/lib64/openssl.old
rm -rf /usr/local/ssl
cd file
tar -xzf openssl*.tar.gz -Cfile/openssl
cd file/openssl/openssl*
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib && make && make install
cd ..
sleep 5s
clear
echo 配置openssl
sleep 5s
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
grep  "/usr/local/ssl/lib"  /etc/ld.so.conf.d/ssl.conf ||  echo '/usr/local/ssl/lib' >> /etc/ld.so.conf.d/ssl.conf
grep  "/usr/local/lib"  /etc/ld.so.conf.d/ssl.conf ||  echo '/usr/local/lib' >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
openssl version -a
sleep 5s
clear
echo 安装openssh
sleep 5s
rm -rf /etc/ssh
cdfile
tar -xzf openssh*.tar.gz -C file/openssh
cdfile/openssh/openssh*
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib --with-md5-passwords
make
sleep 5s
sudo chmod 600 /etc/ssh/ssh_host_rsa_key
sudo chmod 600 /etc/ssh/ssh_host_ecdsa_key
sudo chmod 600 /etc/ssh/ssh_host_ed25519_key
make install
cd ..
pwd
sleep 5s
clear
echo 配置openssh
sleep 10s
echo "PasswordAuthentication yes"   >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo 'Banner /etc/issue' >> /etc/ssh/sshd_config
cp -p openssh-8.8p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
sudo chmod 600 /etc/ssh/ssh_host_rsa_key
sudo chmod 600 /etc/ssh/ssh_host_ecdsa_key
sudo chmod 600 /etc/ssh/ssh_host_ed25519_key
chkconfig --add sshd
chkconfig sshd on
systemctl restart sshd
sleep 10s
clear
systemctl status sshd
if [ $? -eq 0 ]
then
    clear
    echo SSH安装并运行成功,开始关闭并禁用telnet
    sleep 1s
    systemctl stop telnet.socket &&  systemctl stop xinetd
    systemctl disable telnet.socket &&  systemctl disable xinetd
    sleep 1s
    echo 升级完成,安装ssh2扩展支持
    sleep 5s
    yum install libssh2 -y
    clear
    echo 安装进程结束
    sleep 5s
else
    echo SSH未成功安装或配置,安装进程即将退出,请检查日志……
    sleep 5s
fi

查看升级情况ssh -V

[root@izpv301ot71ucbyplf9wz1z ~]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
[root@izpv301ot71ucbyplf9wz1z ~]#