CentOS7更新OpenSSH8

今天使用漏洞扫描工具扫描了一下系统漏洞，发现有一个openssh版本的漏洞。所以本着安全的原则修复一下。

第一时间打开百度搜索相关内容，大多数是编译安装的。每个人的环境和版本也不一样。有一定连不上去的风险。

打算自己根据自己系统把tar包编译成rpm包安装一下。顺便记录一下过程

@font-face { font-family: "Times New Roman" }
@font-face { font-family: "宋体" }
@font-face { font-family: "Wingdings" }
@font-face { font-family: "Calibri" }
@font-face { font-family: "微软雅黑" }
@list l0:level1{
mso-level-number-format:decimal;
mso-level-suffix:tab;
mso-level-text:"%1.";
mso-level-tab-stop:15.6000pt;
mso-level-number-position:left;
margin-left:0.0000pt;
text-indent:0.0000pt;
font-family:'Times New Roman';}
@list l1:level1{
mso-level-number-format:decimal;
mso-level-suffix:space;
mso-level-text:"%1.";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0.0000pt;
text-indent:0.0000pt;
font-family:'Times New Roman';}
p.MsoNormal { mso-style-name: 正文; mso-style-parent: ""; margin: 0 0 0.0001pt; mso-pagination: none; text-align: justify; text-justify: inter-ideograph; font-family: Calibri; mso-fareast-font-family: 宋体; mso-bidi-font-family: 'Times New Roman'; font-size: 10.5pt; mso-font-kerning: 1.0000pt }
span.10 { font-family: "Times New Roman" }
span.15 { font-family: "Times New Roman"; color: rgba(0, 0, 255, 1); text-decoration: underline; text-underline: single }
p.p { mso-style-name: "普通\(网站\)"; margin: 5pt 0; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto; mso-pagination: none; text-align: left; font-family: Calibri; mso-fareast-font-family: 宋体; mso-bidi-font-family: 'Times New Roman'; font-size: 12pt }
span.msoIns { mso-style-type: export-only; mso-style-name: ""; text-decoration: underline; text-underline: single; color: rgba(0, 0, 255, 1) }
span.msoDel { mso-style-type: export-only; mso-style-name: ""; text-decoration: line-through; color: rgba(255, 0, 0, 1) }
table.MsoNormalTable { mso-style-name: 普通表格; mso-style-parent: ""; mso-style-noshow: yes; mso-tstyle-rowband-size: 0; mso-tstyle-colband-size: 0; mso-padding-alt: 0.0000pt 5.4000pt 0.0000pt 5.4000pt; mso-para-margin: 0pt; mso-para-margin-bottom: .0001pt; mso-pagination: widow-orphan; font-family: "Times New Roman"; font-size: 10pt; mso-ansi-language: #0400; mso-fareast-language: #0400; mso-bidi-language: #0400 }
table.MsoTableGrid { mso-style-name: 网格型; mso-tstyle-rowband-size: 0; mso-tstyle-colband-size: 0; mso-padding-alt: 0.0000pt 5.4000pt 0.0000pt 5.4000pt; mso-border-top-alt: 0.5000pt solid windowtext; mso-border-left-alt: 0.5000pt solid windowtext; mso-border-bottom-alt: 0.5000pt solid windowtext; mso-border-right-alt: 0.5000pt solid windowtext; mso-border-insideh: 0.5000pt solid windowtext; mso-border-insidev: 0.5000pt solid windowtext; mso-para-margin: 0pt; mso-para-margin-bottom: .0001pt; mso-pagination: none; text-align: justify; text-justify: inter-ideograph; font-family: "Times New Roman"; font-size: 10pt; mso-ansi-language: #0400; mso-fareast-language: #0400; mso-bidi-language: #0400 }
@page { mso-page-border-surround-header: no mso-page-border-surround-footer: no }
@page Section0 { margin-top: 72pt margin-bottom: 72pt margin-left: 90pt margin-right: 90pt size: 595.3000pt 841.9000pt layout-grid: 15.6000pt }
div.Section0 { page: Section0 }

信息系统安全加固记录表

IP地址	联通云所有服务器	操作系统	CentOS Linux release 7.6.1810
主机数量	50台	操作人	郭亚彬
漏洞信息
漏洞编号	漏洞名称	风险等级
CVECVE-2018-15473	ssh用户枚举漏洞	高
安全加固计划
加固日期	2021-12-01	预计中断时间	5分钟
风险评估
OpenSSH缺少安全更新。详情请参阅https://lists.debian.org/debian-lts-announce/2018/08/msg00022.html https://packages.debian.org/source/jessie/openssh描述发现OpenSSH中存在用户枚举漏洞。远程攻击者可以测试目标服务器上是否存在某个用户。
实施方案
1. 查看系统openssh包rpm -qa|grep openssh 2. 查看版本ssh -V  gcc -v  openssl version 3. 使用脚本一键编译安装包并升级openssh版本 rpmbuild_openssh.sh 8.8 4. 验证版本ssh -V
回退方案
1. 在远程控制台执行删除openssh新版本yum remove openssh* -y 2. 在远程控制台执行安装openssh老版本yum install openssh openssh-server openssh-clients -y 3. 启动openssh  systemctl start sshd.services
加固结果
加固成功，版本已升级到最新版8.8p1 验证相关软件包rpm -qa |grep openssh openssh-clients-8.8p1-1.el7.x86_64 openssh-8.8p1-1.el7.x86_64 openssh-debuginfo-8.8p1-1.el7.x86_64 openssh-server-8.8p1-1.el7.x86_64 验证相关ssh版本ssh -V0 OpenSSH_8.8p1, OpenSSL 1.0.2k-fips  26 Jan 2017

下面是rpmbuild_openssh.sh内容

#!/usr/bin/env bash
# @Date   :2021/12/1 15:13
# @Author :GuoYaBin
# @Email  :458606473@qq.com
# @File   :rpmbuild_openssh.sh
# @Desc   :制作openssh rpm软件包，通过tar包build

openssh_version=$1
#判断是否传入正确的软件包
if [ "${openssh_version}" ] ;then
    echo -e "\033[41;37m当前build的openssh版本为: ${openssh_version}\033[0m"
else
    echo "常用版本有：8.0 8.4 8.8"
    echo
    echo -e "   请输入需要build的openssh版本号  示例: \033[36;1m$0 8.4\033[0m"
    exit 1
fi

# 安装依赖
function install_dependency() {
    yum install -y wget rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel openssl-libs >> /dev/null && sleep 3
}

# 下载软件包
function download_package() {
    mkdir -p /root/rpmbuild/{SOURCES,SPECS}
    cd /root/rpmbuild/SOURCES
    echo -e "\033[34;1m开始下载软件包：openssh-${openssh_version}p1.tar.gz  \033[0m"
    wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${openssh_version}p1.tar.gz >> /dev/null && echo "openssh-${version}p1.tar.gz下载成功..."
    if [ $? -ne 0 ]; then
        echo -e "\033[34;1m openssh-${openssh_version}p1.tar.gz下载失败...请检查网络环境或版本是否存在 \033[0m"
         exit 2
    else
        echo -e "\033[34;1m开始下载软件包：x11-ssh-askpass-1.2.4.1.tar.gz \033[0m"
        wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz >> /dev/null && echo "x11-ssh-askpass-1.2.4.1.tar.gz下载成功..." && sleep 3
        if [ $? -ne 0 ]; then
            echo -e "\033[34;1m x11-ssh-askpass-1.2.4.1.tar.gz下载失败...请检查网络环境是否正常 \033[0m"
            exit 2
        else
            tar -xf openssh-${openssh_version}p1.tar.gz && tar -xf x11-ssh-askpass-1.2.4.1.tar.gz
        fi
    fi
}

# 修改配置文件和build
function config_and_build() {
    cp openssh-${openssh_version}p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
    sed -i 's/BuildRequires: openssl-devel < 1.1/#&/' /root/rpmbuild/SPECS/openssh.spec
    cd /root/rpmbuild/SPECS
    echo -e "\033[34;1m开始制作 openssh${openssh_version} 相关rpm软件包  \033[0m"
    rpmbuild -ba openssh.spec
    if [ $? -eq 0 ]; then
        echo -e "\033[34;1mopenssh${openssh_version} 相关rpm软件包制作成功，生成的软件包信息如下：  \033[0m"
        echo -e "\033[33;1m软件包存放路径：/root/rpmbuild/RPMS/x86_64/ \033[0m" && ls /root/rpmbuild/RPMS/x86_64/
    else
        echo -e "\033[33;1mopenssh${openssh_version} 相关rpm软件包制作失败，请根据报错信息进行解决，再重新进行编译 \033[0m"
    fi
}

# 安装rpm包
function toyum(){
    cd /root/rpmbuild/RPMS/x86_64 && yum update ./openssh* -y
    if [ $? -ne 0 ]; then
        echo -e "\033[34;1m yum openssh失败,请检查文件是否存在\033[0m"
        exit 2
    fi
}

# 允许root登录
function allowroot(){
    sed -i '/.*PermitRootLogin.*/d' /etc/ssh/sshd_config && sed -i '32i PermitRootLogin yes' /etc/ssh/sshd_config
    if [ $? -ne 0 ]; then
        echo -e "\033[34;1m 修改PermitRootLogin失败请手动检查文件 \033[0m"
        exit 2
    else
        systemctl restart sshd && ssh -V
    fi
}

function main() {
    install_dependency
    download_package
    config_and_build
    toyum
    allowroot
}
main