    CentOS 6.5: upgrading OpenSSH

    Introduction

    A vulnerability scan flagged many OpenSSH vulnerabilities; upgrading the OpenSSH version resolves them.

    Current version

    # ssh -V
    OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013

    Recommended upgrade target: OpenSSH 7.9p1

    Note: OpenSSH 7.9p1 requires an OpenSSL version >= 1.0.1 and < 1.1.0.
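As an added pre-flight check (not part of the original post), the following POSIX sh script parses the output of `ssh -V` and `openssl version` and tests the OpenSSL range stated above before anything is built, so a mismatched OpenSSL is caught before the configure stage rather than after. The function names are my own; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: pre-flight version checks for the OpenSSH 7.9p1 build.
# POSIX sh only, so it runs on a stock CentOS 6 box.

# Convert "MAJOR.MINOR.PATCH[suffix]" into a comparable integer.
# The OpenSSL letter suffix (1.0.1e) and "-fips" tag are ignored:
#   1.0.1e-fips -> 10001    1.1.0 -> 10100
openssl_ver_num() {
    _v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    _maj=$(printf '%s\n' "$_v" | cut -d. -f1)
    _min=$(printf '%s\n' "$_v" | cut -d. -f2)
    _pat=$(printf '%s\n' "$_v" | cut -d. -f3)
    echo $(( ${_maj:-0} * 10000 + ${_min:-0} * 100 + ${_pat:-0} ))
}

# Return 0 when the OpenSSL version satisfies 1.0.1 <= v < 1.1.0
# (the range the post gives for OpenSSH 7.9p1), 1 otherwise.
openssl_ok_for_openssh79() {
    _n=$(openssl_ver_num "$1")
    [ "$_n" -ge 10001 ] && [ "$_n" -lt 10100 ]
}

# Pull the OpenSSL version token out of `ssh -V` or `openssl version` output:
#   "OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1.0.1e-fips
openssl_token() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# Pull the OpenSSH version token out of `ssh -V` output:
#   "OpenSSH_7.0p1, OpenSSL ..." -> 7.0p1
openssh_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p'
}

# Run the checks against the live system. `ssh -V` writes to stderr.
preflight() {
    _sshv=$(ssh -V 2>&1)
    _ossl=$(openssl version 2>/dev/null)
    echo "ssh reports:     $_sshv (OpenSSH $(openssh_token "$_sshv"))"
    echo "openssl reports: $_ossl"
    _tok=$(openssl_token "$_ossl")
    if openssl_ok_for_openssh79 "$_tok"; then
        echo "OK: OpenSSL $_tok is within [1.0.1, 1.1.0)"
    else
        echo "STOP: OpenSSL $_tok is outside [1.0.1, 1.1.0); fix OpenSSL before building OpenSSH 7.9p1"
        return 1
    fi
}

# Only touch the live system when asked: ./preflight.sh --run
case "${1:-}" in
    --run) preflight ;;
esac
```

Run it with `--run` on the host before the build step; a non-zero exit means the OpenSSL constraint is not met and the configure step would fail with the header/library mismatch described in the troubleshooting section.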

    # Configure YUM (use the CentOS 6.5 installation media as a local repository)

    cd /mnt
    mkdir cdrom
    mount -o loop -t iso9660 /dev/cdrom /mnt/cdrom/
    cd /etc/yum.repos.d/
    mkdir bk
    mv *.repo bk
    vi centos6.repo
    [CentOS65]
    name=CentOS65
    baseurl=file:///mnt/cdrom
    enabled=1
    gpgcheck=0
    gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-CentOS-6

    yum list   ## if the package list is displayed, the yum repository is working

    # Install telnet and configure the service

    cd /mnt/cdrom/Packages
    rpm -i telnet-0.17-47.el6_3.1.x86_64.rpm
    yum -y install telnet-server*

    # Install and configure telnet; temporarily allow root to log in remotely over telnet,
    # so the host stays reachable if remote ssh login fails after the upgrade
    echo "Y"|/usr/bin/yum install telnet-server
    /bin/sed -i 's/= yes/= no/g' /etc/xinetd.d/telnet   # turns "disable = yes" into "disable = no", enabling the service
    /etc/init.d/xinetd start
    /etc/init.d/xinetd restart
    mv /etc/securetty /etc/securetty.bak   # move securetty aside so pam_securetty no longer blocks root over telnet

    # Install build dependencies (gcc, make, perl, zlib, zlib-devel, pam, pam-devel)

    rpm -qa | grep zlib   # check whether zlib is installed
    yum install -y gcc make zlib-devel openssl-devel pam-devel rpm-build tcp_wrappers-devel

    # Stop the iptables firewall and disable SELinux

    /etc/init.d/iptables stop
    /bin/sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
    /usr/sbin/setenforce 0

    # Back up the original ssh configuration
    cp -rf /etc/ssh /etc/ssh.bak

    # Install and configure the new OpenSSH version

    echo "Y"|/usr/bin/yum install -y gcc openssl-devel pam-devel rpm-build
    cd /usr/local/src
    /usr/bin/wget http://10.0.8.50/software/openssh-7.9p1.tar.gz
    /bin/tar -zvxf openssh-7.9p1.tar.gz
    cd /usr/local/src/openssh-7.9p1
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
    make && make install

    # Uncomment PermitRootLogin so root can still log in after the upgrade
    /bin/sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
    /bin/sed -i 's_#PermitRootLogin yes_PermitRootLogin yes_g' /etc/ssh/sshd_config

    # Comment out the GSSAPI directives (the new sshd was built without Kerberos/GSSAPI support)
    sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
    sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
    sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config

    service sshd start
    service sshd restart

    # Check the installed version

    /usr/bin/ssh -V


    # Disable telnet remote login

    vi /etc/xinetd.d/telnet
    # change "disable = no" back to "disable = yes"

    # Disable telnet remote login (scripted): if anything still holds port 23, restore the original securetty
    NUM=$(/usr/sbin/lsof -i:23|wc -l)
    if [ $NUM -ne 0 ];then
        mv /etc/securetty.bak /etc/securetty
    fi

    /etc/init.d/xinetd stop
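The two sections above (the sshd_config sed edits and the telnet shutdown) both end with a service restart and no check that the edit did what was intended. As an added example that is not part of the original post, the POSIX sh script below reads the effective value of an sshd_config keyword the way sshd does (first uncommented occurrence wins, so a leftover duplicate line is ignored), checks that the xinetd telnet stanza really is back to `disable = yes`, and wraps the sshd restart in `sshd -t` so a typo in the config cannot lock you out. The sample sshd_config and xinetd files are constructed here to mirror the state after the steps above; the function names and the `--demo`/`--live` switches are my own. It also flags `PermitRootLogin yes`, which the post enables as a fallback and which should be tightened once key-based access is confirmed.

```shell
#!/bin/sh
# Added example: post-upgrade checks for sshd_config and the telnet shutdown.
# POSIX sh only, usable on CentOS 6.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# uncommented occurrence of a keyword, so later duplicates are ignored.
# Prints nothing when the keyword is absent or only present commented out
# (sshd then uses its compiled-in default). Match blocks are not handled:
# keep the keywords you check in the global section.
sshd_effective() {
    # $1: path to sshd_config   $2: keyword (case-insensitive)
    awk -v key="$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/   { next }               # comment line
        NF == 0            { next }               # blank line
        tolower($1) == key { print $2; exit }     # first uncommented match wins
    ' "$1"
}

# Return 0 when the xinetd telnet stanza contains "disable = yes", 1 otherwise
# (a missing disable line also counts as enabled, which is xinetd's default).
telnet_disabled() {
    # $1: path to /etc/xinetd.d/telnet
    awk 'BEGIN { rc = 1 }
         /^[[:space:]]*disable[[:space:]]*=/ {
             split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2])
             rc = (tolower(kv[2]) == "yes") ? 0 : 1
         }
         END { exit rc }' "$1"
}

# Summarise the state of an sshd_config and an xinetd telnet file.
# Returns 0 when telnet is disabled; warns about settings to revisit.
verify_config() {
    # $1: sshd_config path   $2: xinetd telnet path
    _prl=$(sshd_effective "$1" PermitRootLogin)
    _gss=$(sshd_effective "$1" GSSAPIAuthentication)
    echo "PermitRootLogin      = ${_prl:-<default>}"
    echo "GSSAPIAuthentication = ${_gss:-<default>}"
    if [ "$_prl" = "yes" ]; then
        echo "WARN: root password login is allowed; set prohibit-password or no once key access works"
    fi
    if telnet_disabled "$2"; then
        echo "OK: telnet service is disabled in xinetd"
    else
        echo "FAIL: telnet is still enabled in $2"
        return 1
    fi
}

# Test the configuration before restarting; keep the current session open
# until a second login succeeds. /usr/sbin/sshd matches --prefix=/usr above.
safe_sshd_restart() {
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config || { echo "sshd_config has errors; not restarting"; return 1; }
    service sshd restart
}

# Constructed sample sshd_config: the state after the sed edits in the post,
# plus a deliberate duplicate PermitRootLogin to show that the first line wins.
make_sample_sshd_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
PermitRootLogin no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
EOF
    echo "$_f"
}

# Constructed sample xinetd telnet stanza, as shipped by telnet-server on
# CentOS 6 after "disable" has been set back to yes.
make_sample_xinetd_telnet() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF
    echo "$_f"
}

case "${1:-}" in
    --demo) verify_config "$(make_sample_sshd_config)" "$(make_sample_xinetd_telnet)" ;;
    --live) verify_config /etc/ssh/sshd_config /etc/xinetd.d/telnet ;;
esac
```

Note that the sample stanza also contains `wait = no`; that is why the post reverts `disable` by hand instead of reusing the blanket `sed 's/= yes/= no/g'` pattern in reverse, which would flip `wait` as well. Run with `--live` after the xinetd stop to confirm both services are in the intended state.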

    # Other notes and policy commands:

    Allow root to log in via telnet

    Edit /etc/pam.d/login and comment out the following line:

    vi /etc/pam.d/login

    #auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    /etc/init.d/xinetd restart

    Configure /etc/securetty

    cp /etc/securetty /etc/securetty.bak
    # allow root on pseudo-terminals pts/1 through pts/11 (the original listed one echo per line)
    for n in 1 2 3 4 5 6 7 8 9 10 11; do
        echo "pts/$n" >> /etc/securetty
    done

    Troubleshooting

    1. Error message
    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your library. Check config.log for details.

    Cause:
    When running configure, --with-ssl-dir must point to the current OpenSSL installation path, /usr/local/ssl.
    On a 32-bit system the location may differ: /usr/local/ssl/lib/
    Fix:
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-pam --with-md5-passwords --with-kerberos5 --without-zlib-version-check

    2. Error message
    rpm: cannot open Packages database in /var/lib/rpm
    rpmdb: unable to join the environment
    Fix:
    1. Kill any running rpm processes
    2. rm -f /var/lib/rpm/__db.*
    3. rpm --rebuilddb
    4. Add --nodeps to the rpm command

    References (with thanks):

    http://leung4080.github.io/linux/2013/08/07/OpenSSL-OpenSSH-%E5%8D%87%E7%BA%A7%E9%85%8D%E7%BD%AE/

    https://www.bbsmax.com/A/VGzlNOa85b/

    https://blog.csdn.net/qq_25934401/article/details/83419849

    Original source: https://www.cnblogs.com/dahaoran/p/12889474.html