根据等保测评结果,一般服务器都需要升级openssh版本和openssl版本,由于2个不同软件之间版本相互有关联,分开下载不知道下载哪个版本才合适,经过本人亲测,在一台服务器跑通后,直接同时4台服务器操作,3分钟内把另外4台服务器的所有关于openssh漏洞的问题都解决了。下面是相应的执行脚本,可以通告创建sh脚本,把下面内容复制存为sh脚本,实现一键升级。
#!/bin/bash
#install zlib start !!!!
homeway=$(pwd)
cd $homeway
tar -xf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib.1.3.1
make && make test && make install
ll /usr/local/zlib.1.3.1/
ldconfig -V
sleep 2
#install openssl start !!!
cd $homeway
tar zxf openssl-3.2.0.tar.gz
cd openssl-3.2.0
./config --prefix=/usr/local/openssl-3.2.0 --openssldir=/usr/shared
make clean && make -j 4 && make install
#更新函数库
echo "/usr/local/openssl-3.2.0/lib" >> /etc/ld.so.conf
ldconfig
sleep 3
bak_data=$(date +"%Y%m%d")
mv /usr/bin/openssl /usr/bin/openssl_${bak_data}.bak
ln -s /usr/local/openssl-3.2.0/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl-3.2.0/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/openssl-3.2.0/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
openssl version -a
sleep 3
#install opensssh start !!
mkdir ~/ssh_openssh_${bak_data}_bak
cp /etc/ssh/sshd_config ~/ssh_openssh_${bak_data}_bak
cp /etc/pam.d/sshd ~/ssh_openssh_${bak_data}_bak
rpm -e --nodeps `rpm -qa | grep openssh`
# 安装OpenSSH
cd $homeway
tar -xf openssh-9.7p1.tar.gz
cd openssh-9.7p1
./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl-3.2.0 --with-zlib=/usr/local/zlib.1.3.1
chmod 0600 /etc/ssh/ssh_host_rsa_key
chmod 0600 /etc/ssh/ssh_host_ecdsa_key
chmod 0600 /etc/ssh/ssh_host_ed25519_key
make -j 4 && make install
/usr/local/ssh/bin/ssh -V
# 复制新ssh文件
cp -rf contrib/redhat/sshd.init /etc/init.d/sshd
cp -rf contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
cp -rf sshd_config /etc/ssh/sshd_config
cp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshd
cp -rf /usr/local/ssh/bin/* /usr/bin/
# 开启sshd
cp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshd
cp -rf /usr/local/ssh/bin/ssh /usr/bin/ssh
cp -rf /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
cp {$bak_data}/openssh-9.6p1/contrib/ssh-copy-id /bin/
chmod 0755 /bin/ssh-copy-id
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig --list | grep sshd
systemctl daemon-reload
chkconfig sshd on
# 允许root登录
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
sed -i "/Subsystem/s/^/# /" "/etc/ssh/sshd_config"
echo "Subsystem sftp /usr/local/ssh/libexec/sftp-server" >> /etc/ssh/sshd_config
# 添加加密算法
echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" >> /etc/ssh/sshd_config
echo "HostKeyAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config
# 重启sshd服务
/etc/init.d/sshd restart
/etc/init.d/sshd status
# 查看升级后ssh版本
ssh -V
涉及的相关文件
由于文件下载地址:https://download.csdn.net/download/qq_41982913/89888397
