Linux 系统安全之升级 OPENSSH

蜜糖 2022-09-27 09:51:18  50271

分类专栏：资讯

OpenSSH 是 SSH （Secure SHell）协议的免费开源实现。SSH协议族可以用来进行远程控制，或在计算机之间传送文件。而实现此功能的传统方式，如telnet(终端仿真协议)、 rcp ftp、 rlogin、rsh都是极为不安全的，并且会使用明文传送密码。OpenSSH提供了服务端后台程序和客户端工具，用来加密远程控制和文件传输过程中的数据，并由此来代替原来的类似服务。

网络安全一刻也不能放松，为了系统安全尽量将 OPENSSH 升级到最新版本，目前最新版本为 8.2 P1，下面开始准备升级。

实验环境 CentOS 7.5
为了预防万一升级失败后，无法登陆远程主机的问题，需要先安装、启动Telnet 服务，确保可以远程登录。
安装、配置 Telnet 以及超级守护进程 xinetd 服务
编辑 telnet 主配置文件 /etc/xinetd.d/telnet
vim /etc/xinetd.d/telnet

service telnet
{
    disable = no
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure += USERID
}
配置telnet登录的终端类型，在 /etc/securetty 文件末尾增加一些pts终端
vim /etc/securetty
pts/0 pts/1 pts/2 pts/3
启动telnet服务
systemctl start telnet.socket

查看服务状态
systemctl status telnet.socket

查看侦听端口
ss -atnl | grep 23

安装完成后，将xinetd服务加入开机自启动:
systemctl enable xinetd.service

将telnet服务加入开机自启动：
systemctl enable telnet.socket

使用 telnet 测试登录

接下来开始升级 OPENSSH
首先在官网上下载最新版本的源码包
OPENSSH 源码包下载地址：https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
OPENSSL 源码包下载地址：https://ftp.openssl.org/source/old/
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1c.tar.gz
接下来安装 openssh 和 openssl 依赖包
yum -y install epel-release
yum -y install perl gcc gcc-c++ glibc make && yum -y group install 'Development Tools' && yum -y install pam-devel libselinux-devel zlib-devel openssl-devel && echo $?
备份原先的 openssl 文件
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old
mv /usr/lib64/libssl.so /usr/lib64/libssl.so.old
解压 openssl 包，编译安装（需要 root 用户）
tar xf openssl-1.1.1c.tar.gz
./config --prefix=/usr/local/openssl && make clean && make && make install && echo $?

编译、安装无误后，下面开始配置 OPENSSL
设置 openssl 命令的软链接
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version

开始安装 openssh 前，先备份原先的 openssh 文件
mv /etc/ssh/* /bak/sshbak
tar xf openssh-8.2p1.tar.gz
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl \
--with-md5-passwords --mandir=/usr/share/man \
--with-pam=enable && make clean && make && make install && echo $?
echo $? --> 0 确保编译安装无误后，复制启动脚本和PAM验证文件
cp /home/gf/openssh/openssh-8.2p1/contrib/redhat/sshd.init /etc/init.d/sshd
cp /home/gf/openssh/openssh-8.2p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
编辑 /etc/ssh/sshd.conf 配置文件
Port 22
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
给运行脚本添加执行权限： chmod +x /etc/init.d/sshd
把原先的 systemd 管理的 sshd 启动脚本文件删除或者移走
mv /usr/lib/systemd/system/sshd.service /bak/sshbak && mv /usr/lib/systemd/system/sshd.socket /bak/sshbak && echo $?
重新加载服务配置文件后重启 sshd 服务
systemctl daemon-reload && sleep 1 &&systemctl restart sshd &&chkconfig sshd on && echo $?
重启确认无误后可以停掉 telnet 服务
systemctl disable telnet

使用 ssh 测试重新登录

更改默认端口和指定允许访问的网段
Port 22
Port 2222 更改端口，注意不要被占用起冲突
AddressFamily any
ListenAddress 0.0.0.0 默认允许所有主机链接
ListenAddress 192.168.2.2:2222 注意这里设定的是服务器本地的IPv4网络IP地址和端口
ListenAddress :: IPv6

制定脚本自动升级
opensshupdata/
opensshupdata/
├── openssh-8.3p1.tar.gz
├── openssh.sh
└── openssl-1.1.1j.tar.gz
opensshupdata/openssh.sh

!/bin/bash

************************************
author: GF
version: 1.0
date: 2021-05-23
description:
FileName： openssh.sh
************************************

if [[ `id -u` != "0" ]]; then
   echo "not root!"
   exit 1;
fi

if [[ -n `ping -c3 www.baidu.com` ]]; then
   yum -y install epel-release &> /dev/null
   sleep 1;yum -y install perl gcc gcc-c++ glibc make &> /dev/null
   sleep 1;yum -y group install 'Development Tools' &> /dev/null
   sleep 1;yum -y install pam-devel libselinux-devel zlib-devel openssl-devel &> /dev/null
   sleep 1;echo "Dependency installed successfully !"
   sleep 1
else
   echo "Network is unreachable !"
   exit 2;
fi

if [[ `echo $?` == "0" ]]; then
   echo "Dependency installed successfully !"
else
   echo "Dependency installed not successfully!"
   exit 3;
fi

if [[ -f ./openssl-1.1.1j.tar.gz ]]; then
tar xf ./openssl-1.1.1j.tar.gz &> /dev/null
   sleep 2;cd ./openssl-1.1.1j
   sleep 2;./config --prefix=/usr/local/openssl &> /dev/null && make clean &> /dev/null && make -j 4 &> /dev/null && make install &> /dev/null
fi

if [[ `echo $?` != "0" ]]; then
   echo "openssl 1.1.1j make install is faild !"
   exit 4;
else
   echo "openssl 1.1.1j make and make install is OK!"
   sleep 1
   sleep 1;mv -f /usr/bin/openssl /usr/bin/openssl.old &> /dev/null
   sleep 1;mv -f /usr/lib64/openssl /usr/lib64/openssl.old &> /dev/null
   sleep 1;mv -f /usr/lib64/libssl.so /usr/lib64/libssl.so.old &> /dev/null
   sleep 1; ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl &> /dev/null
   sleep 1; ln -s /usr/local/openssl/include/openssl /usr/include/openssl &> /dev/null
   sleep 1; ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so &> /dev/null
   echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf
   ldconfig -v &> /dev/null
fi

/usr/bin/openssl version | grep -o "OpenSSL 1.1.1j" &> /dev/null
if [[ `echo $?` != "0" ]]; then
echo "openssl 1.1.1j is not updata !"
   exit 5;
else
   echo "openssl 1.1.1j updata is ok!"
   cd ../
   rm -rf ./openssl-1.1.1j
fi

if [[ -f ./openssh-8.5p1.tar.gz ]]; then
   mkdir -p /bak/sshbak &> /dev/null
   mv -f /etc/ssh/* /bak/sshbak
   tar xf ./openssh-8.5p1.tar.gz &> /dev/null
   sleep 2;cd ./openssh-8.5p1
   sleep 2;./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-pam=enable &> /dev/null&& make clean &> /dev/null&& make -j 4 &> /dev/null && make install &> /dev/null
else
   echo "openssh-8.5p1.tar.gz not found !"
   exit 12;
fi

if [[ `echo $?` != "0" ]]; then
echo "openssh 8.5p1 not make install !"
   exit 6;
else
   echo "openssh 8.5p1 make install is ok!"
fi

if [[ -f ./contrib/redhat/sshd.init ]]; then
   install ./contrib/redhat/sshd.init /etc/init.d/sshd
   chmod +x /etc/init.d/sshd
else
   echo "sshd.init file not found!"
   exit 7;
fi

if [[ -f ./contrib/redhat/sshd.pam ]]; then
   install ./contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
else
   echo "sshd.pam file not found!"
   exit 11;
fi

if [[ `echo $?` != "0" ]]; then
echo "openssh not make install !"
   exit 8;
fi

if [[ -f /etc/ssh/sshd_config ]]; then
   sed -i "s/PermitRootLogin .*/PermitRootLogin yes/g" /etc/ssh/sshd_config
   sed -i "s/PermitRootLogin .*/PermitRootLogin yes/g" /etc/ssh/sshd_config
   sed -i "s/PasswordAuthentication .*/PasswordAuthentication yes/g" /etc/ssh/sshd_config
   sed -i "s/PasswordAuthentication .*/PasswordAuthentication yes/g" /etc/ssh/sshd_config
   sed -i "s/PermitEmptyPasswords .*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
   sed -i "s/PermitEmptyPasswords .*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
   sed -i "s/UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
   sed -i "s/UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
   sed -i "s/UseDNS no/UseDNS no/g" /etc/ssh/sshd_config
   sed -i "s/UseDNS yes/UseDNS no/g" /etc/ssh/sshd_config
else
   echo "file /etc/ssh/sshd_config is not found !"
   exit 9:
fi

if [[ `echo $?` = "0" ]]; then
   mv -f /usr/lib/systemd/system/sshd.service /bak/sshbak &> /dev/null
   mv -f /usr/lib/systemd/system/sshd.socket /bak/sshbak &> /dev/null
   systemctl daemon-reload && sleep 1 &&systemctl restart sshd &&chkconfig sshd on
else
   echo "sshd service not start !"
   exit 10;
fi

if [[ `echo $?` == "0" ]]; then
   echo "sshd service is start!"
   cd ../
   rm -rf ./openssh-8.5p1
else
   echo "sshd service is not start !"
   exit 13;
fi
ss -a|grep ssh
ssh -V
openssl version
测试