OpenSSH recently had a vulnerability and has moved on to version 7.9, but the CentOS yum repository still only offers 7.4, so the upgrade has to be done by hand.
The installation follows the script below; adjust it to your environment. Explanation of the steps:

1) Download the upgrade tarball from the official site.
2) Remove the original openssh package and the ssh service.
   Note: so that you can still reach the server if something goes wrong, open a second session first and keep it as a spare.
   Note 2: if the old service is not removed it has to be modified separately; this guide removes it and reinstalls, which is a different approach.
3) Extract, compile and install.
   Note: it is best to set the etc configuration directory explicitly; the install directory can be left at its default, /usr/local/bin, which generally takes precedence over /usr/sbin in PATH.
   If configure cannot find the OpenSSL version, pass --with-ssl-dir=/usr/local/lib64.
   For ulimit settings to take effect for logged-in users, add --with-pam; pam-devel must be installed first.
4) Edit sshd_config: set the service port and a few security options.
5) Create the file /etc/pam.d/sshd containing:
   auth include password-auth
   account include password-auth
   password include password-auth
   session include password-auth
6) Register sshd as a service.
7) Restart. The script ends here.
8) Verify that you can connect.
9) Other servers that connect to the upgraded server must delete the matching entries from their .ssh/known_hosts file.

[root@msg7 openssh]# more openssh.sh
#!/bin/sh
# Fetch the 7.9p1 portable tarball from the OpenBSD CDN if it is not already present
#wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
cd ~/patch/openssh
tar -zxvf openssh-7.9p1.tar.gz
cd openssh-7.9p1
# --with-pam needs the PAM headers, so pam-devel has to be installed before configure runs
yum install pam-devel -y
./configure --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/lib64 --with-pam
make
# Remove the distribution package and its service; keep the old unit file and /etc/ssh as backups
yum erase openssh -y
mkdir -p ~/patch/bak
systemctl disable sshd
mv /usr/lib/systemd/system/sshd.service ~/patch/bak/sshd.service.`date "+%s"`
mv /etc/ssh ~/patch/bak/ssh`date "+%s"`
# make install creates a fresh /etc/ssh (default sshd_config and newly generated host keys)
make install
#. /etc/profile
#localssh=`which ssh`
#if [ "$localssh" != "/usr/local/bin/ssh" ];then
# echo path is not right . see which ssh
# exit 1
#fi
if [ -f /etc/ssh/sshd_config ];then
echo sshd_config ok,go on.
else
exit ;
fi;
# Listen on 22 and 5922, disable root login, hand authentication to PAM
echo "Port 22" >> /etc/ssh/sshd_config
echo "Port 5922" >> /etc/ssh/sshd_config
echo "Protocol 2" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "UsePAM yes" >> /etc/ssh/sshd_config
chmod 640 /etc/ssh/sshd_config
# Install the Red Hat init script and point it at the binaries under /usr/local
cp contrib/redhat/sshd.init /etc/init.d/sshd
sed -i 's/\/usr\//\/usr\/local\//g' /etc/init.d/sshd
#cp contrib/redhat/sshd.pam /etc/pam.d/sshd
echo "#%PAM-1.0" >> /etc/pam.d/sshd
echo "auth include password-auth" >> /etc/pam.d/sshd
echo "account include password-auth" >> /etc/pam.d/sshd
echo "password include password-auth" >> /etc/pam.d/sshd
echo "session include password-auth" >> /etc/pam.d/sshd
if [ "$?" != "0" ];then exit ;fi;
chkconfig --add sshd
chkconfig sshd on
# Make systemd pick up the unit it generates from the init script
systemctl daemon-reload
cd ..
if [ "$?" = "0" ];then
systemctl restart sshd
if [ "$?" = "0" ];then
sh ./hidever.sh
echo ok
else
echo restart failed.
fi
else
echo error
fi

------------ hidever.sh (hide the ssh version)

#!/bin/sh
# Read the version banner sshd sends on port 22, e.g. SSH-2.0-OpenSSH_7.9 -> OpenSSH_7.9
# (tr strips the carriage return that telnet passes through from the banner line)
ver=`(sleep 1;echo quit;) | telnet localhost 22 2>/dev/null|(sleep 2;grep SSH)|awk -F '-' '{print $3}'|tr -d '\r'`
# An empty version would turn the sed below into an invalid empty pattern
if [ -z "$ver" ];then echo could not read version banner; exit 1; fi
# Replace every digit with A: same length, so the string can be patched in place in the binary
newver=`echo $ver | sed 's/[0-9]/A/g'`
echo oldversion=$ver,newversion=$newver
if [ ! -f /usr/local/sbin/sshd.bak ];then
cp /usr/local/sbin/sshd /usr/local/sbin/sshd.bak
fi
systemctl stop sshd
sed -i 's/'${ver}'/'${newver}'/g' /usr/local/sbin/sshd
systemctl restart sshd

Reposted from: http://thbws.baihongyu.com/
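sshd applies the first uncommented occurrence of a single-valued directive and ignores later ones, so appending `PermitRootLogin no` to an sshd_config that already contains `PermitRootLogin yes` higher up changes nothing. The helper below is an added example, not part of the original post: it reproduces that first-match rule over a constructed sshd_config, reports which of the appended hardening lines are shadowed, and rewrites existing directives instead of appending. `effective_sshd_option`, `set_sshd_option`, `check_hardening`, `demo_config` and the sample config are this example's own names, and `set_sshd_option` relies on GNU sed as shipped with CentOS.

```shell
#!/bin/sh
# Added example (not from the original post). sshd uses the FIRST uncommented
# value of a single-valued directive; later lines are ignored. The post's
# "echo ... >> /etc/ssh/sshd_config" therefore only hardens a config that did
# not already set the directive. Function names here are this example's own.

# Print the effective value of DIRECTIVE in CONFIG_FILE the way sshd resolves it:
# first match wins (mode "first"), keyword compared case-insensitively, and the
# global section ends at the first Match block. Pass "all" as the third argument
# for cumulative directives such as Port, ListenAddress and HostKey.
# Assumes "Keyword value" syntax (no "Keyword=value").
effective_sshd_option() {
    config_file=$1
    directive=$2
    mode=${3:-first}
    awk -v want="$directive" -v mode="$mode" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0 { next }                           # blank line
        tolower($1) == "match" { exit }            # conditional section: stop
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print
            if (mode == "first") exit
        }' "$config_file"
}

# Set DIRECTIVE to VALUE by rewriting every uncommented occurrence (so no
# earlier line can shadow it) and appending only when the directive is absent.
# Uses the GNU sed "I" flag, as on CentOS; meant for configs without Match blocks.
set_sshd_option() {
    config_file=$1
    directive=$2
    value=$3
    if grep -qi "^[[:space:]]*$directive[[:space:]]" "$config_file"; then
        sed -i "s/^[[:space:]]*$directive[[:space:]].*/$directive $value/I" "$config_file"
    else
        printf '%s %s\n' "$directive" "$value" >> "$config_file"
    fi
}

# Exit 0 only when the two hardening settings the post appends are effective.
check_hardening() {
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_sshd_option "$1" UsePAM)" = "yes" ]
}

# Constructed sample: a config that already set PermitRootLogin and UsePAM
# before the post's appended lines. Prints the path of the temporary file.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sshd_config for this example
PermitRootLogin yes
UsePAM no
#Port 22
# --- lines the post's script appends ---
Port 22
Port 5922
Protocol 2
PermitRootLogin no
UsePAM yes
EOF
    printf '%s\n' "$f"
}

cfg=$(demo_config)
echo "PermitRootLogin after append: $(effective_sshd_option "$cfg" PermitRootLogin)"   # yes
echo "Ports: $(effective_sshd_option "$cfg" Port all | tr '\n' ' ')"                 # 22 5922
check_hardening "$cfg" || echo "appended hardening lines are shadowed by earlier ones"
set_sshd_option "$cfg" PermitRootLogin no
set_sshd_option "$cfg" UsePAM yes
echo "PermitRootLogin after rewrite: $(effective_sshd_option "$cfg" PermitRootLogin)" # no
check_hardening "$cfg" && echo "hardening effective"
rm -f "$cfg"
```

On the upgraded host the authoritative check is `/usr/local/sbin/sshd -T -f /etc/ssh/sshd_config`, which prints the configuration sshd will actually apply, and `sshd -t`, which validates the file; run both before `systemctl restart sshd` while the spare session from step 2 is still open.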
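Step 9 is needed because the script moves /etc/ssh aside and `make install` then generates brand-new host keys, so every client's known_hosts entry for this host stops matching. Copying the old host keys back from the backup directory before the restart keeps the host identity stable and spares users from deleting known_hosts entries, a habit that makes a genuine host-key change (the warning an interposed host would trigger) easy to wave through. The helper below is an added example, not part of the original post: `restore_host_keys`, `host_key_unchanged` and `demo_restore` are its own names, the key material in the demo is a placeholder, and the backup layout (`~/patch/bak/ssh<timestamp>`) follows the script's `mv`.

```shell
#!/bin/sh
# Added example (not from the original post). After "mv /etc/ssh ~/patch/bak/ssh<ts>"
# and "make install", the host has new host keys; restoring the old ones keeps
# clients' known_hosts entries valid. Function names are this example's own.

# Copy ssh_host_*_key and matching .pub files from BACKUP_DIR into ETC_DIR with
# the modes sshd insists on (private key 0600, public key 0644).
# Returns 1 when the backup contains no host keys, so a mistyped path is caught.
restore_host_keys() {
    backup_dir=$1
    etc_dir=$2
    found=0
    for key in "$backup_dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # unmatched glob stays literal: skip it
        found=1
        name=$(basename "$key")
        cp -p "$key" "$etc_dir/$name"
        chmod 600 "$etc_dir/$name"
        if [ -f "$key.pub" ]; then
            cp -p "$key.pub" "$etc_dir/$name.pub"
            chmod 644 "$etc_dir/$name.pub"
        fi
    done
    [ "$found" -eq 1 ]
}

# Compare the fingerprints of two public key files with ssh-keygen -lf; exit 0
# if they match. Needs ssh-keygen on the host; the placeholder demo below does
# not call it because its files are not real keys.
host_key_unchanged() {
    [ "$(ssh-keygen -lf "$1" | awk '{print $2}')" = "$(ssh-keygen -lf "$2" | awk '{print $2}')" ]
}

# Constructed demo: a fake backup directory holding placeholder key material
# (not real keys), restored into a temporary stand-in for /etc/ssh.
demo_restore() {
    bak=$(mktemp -d)
    etc=$(mktemp -d)
    printf 'PLACEHOLDER-PRIVATE-KEY\n' > "$bak/ssh_host_ed25519_key"
    printf 'ssh-ed25519 PLACEHOLDER root@example\n' > "$bak/ssh_host_ed25519_key.pub"
    if restore_host_keys "$bak" "$etc"; then
        ls -l "$etc"
    else
        echo "no host keys found in $bak"
    fi
    rm -rf "$bak" "$etc"
}

demo_restore
```

In the script this belongs right after `make install` and before `systemctl restart sshd`, as `restore_host_keys ~/patch/bak/ssh<timestamp> /etc/ssh` with the timestamp the earlier `mv` produced. Where the keys really must change, remove stale client entries with `ssh-keygen -R hostname` rather than by editing known_hosts by hand, and publish the new fingerprint from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` through a channel other than ssh itself.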