最新RedHatLinux主机升级openssh手记.docx

RedHat Linux主机升级openssh步骤对平台进行安全扫描时，下属4台redhat系统的主机报出：OpenSSH复制块远程拒绝服务漏洞（OpenSSH在处理ssh报文中多个完全一样的块时存在拒绝服务漏洞，如果启用了ssh协议1的话，则远程攻击者就可以通过发送特制的ssh报文耗尽CPU资源），需要对openssh进行升级。一、安装前的准备：由于redhat系统存在很多包依赖问题，无法通过rpm包直接升级，需要下载tar包进行手工编译安装。在编译安装tar包之前，需要确定当前系统是否安装了gcc编译工具，而这4台机器均未安装gcc包。可通过yum来进行gcc工具的安装。1.yum y install gcc /完成gcc安装2.因为升级openssh还需要zlib库和openssl的支持,所以还需要下载相关升级包 3.为保险起见,需要开启Telnet远程管理服务,避免SSH操作中途意外中断无法连接服务器。 3.1 修改/etc/xinetd.d/telnet文件：telnet文件内容如下：# default: off# description: The kerberized telnet server accepts normal telnet sessions, # but can also use Kerberos 5 authentication.service telnetflags = REUSEsocket_type = stream wait = nouser = rootserver = /usr/kerberos/sbin/telnetdlog_on_failure += USERID disable = no /将yes改为no，即启用telnet服务 3.2 设置root用户可以进行telnet连接修改/etc/securetty文件 文件末尾增加pts/0、pts/1.# vi /etc/securettyconsolevc/1vc/2vc/3vc/4vc/5vc/6vc/7vc/8vc/9vc/10vc/11tty1tty2tty3tty4tty5tty6tty7tty8tty9tty10tty11pts/0 pts/1pts/2pts/3 3.3 重启xinetd服务，启动Telnet：# /etc/init.d/xinetd restart rootweb2 # /etc/init.d/xinetd restart停止xinetd：确定启动xinetd：确定# netstat -tnlp | grep :23rootweb2 # netstat -tnlp | grep :23tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1433/xinetd通过telnet连接到主机,进行操作。 3.4 停止SSHD服务:#/sbin/service sshd stoprootweb2 # /sbin/service sshd stop停止sshd：确定cp /etc/init.d/sshd /root/ 备份复制启动脚本rootweb2 # cp /etc/init.d/sshd /root/ 二、 安装升级Openssh1.在安装之前需要卸载系统里原Openssh相关包：rpm -qa|grep openssh/查询系统原安装的openssh包,全部卸载。#rpm -e openssh -nodeps#rpm -e openssh-server -nodeps#rpm -e openssh-clients -nodeps#rpm -e openssh-askpass2.解压安装zlib包：#tar zxvf zlib-1.2.5.tar.bz2/首先安装zlib库，否则会报zlib.c错误无法进行#cd zlib-1.2.5#./configure#make#make install3.解压安装openssl包：#tar zxvf openssl-1.0.1.tar.gz#cd openssl-1.0.1#./config shared zlib#make #make test#make install#mv /usr/bin/openssl /usr/bin/openssl.OFF#mv /usr/include/openssl /usr/include/openssl.OFF#ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl#ln -s /usr/local/ssl/include/openssl /usr/include/openssl/移走原先系统自带的openssl，将自己编译产生的新文件进行链接。4.配置库文件搜索路径# echo /usr/local/ssl/lib /etc/ld.so.conf# /sbin/ldconfig -v# openssl version -aOpenSSL 1.0.1 14 Mar 2012built on: Fri Mar 16 17:14:50 CST 2012platform: linux-x86_64options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,-noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASMOPENSSLDIR: /usr/local/ssl5.解压安装openssh包:先将将/etc/ssh的文件夹备份:#mv /etc/ssh /etc/ssh_bak# tar zxvf openssh-5.9p1.tar.gz#./configure -prefix=/usr -sysconfdir=/etc/ssh -with-zlib -with-ssl-dir=/usr/local/ssl -with-md5-passwords -mandir=/usr/share/man#make#make install三、 启动并验证1 .调试启动，如果以下显示均正常，就可以正常启动sshd了# /usr/sbin/sshd -ddebug1: sshd version OpenSSH_5.9p1debug1: read PEM private key done: type RSAdebug1: private host key: #0 type 1 RSAdebug1: read PEM private key done: type DSAdebug1: private host key: #1 type 2 DSAdebug1: read PEM private key done: type ECDSAdebug1: private host key: #2 type 3 ECDSAdebug1: rexec_argv0=/usr/sbin/sshddebug1: rexec_argv1=-dSet /proc/self/oom_adj from 0 to -17debug1: Bind to port 22 on :.Bind to port 22 on : failed: Address already in use.debug1: Bind to port 22 on 0.0.0.0.Bind to port 22 on 0.0.0.0 failed: Address already in use.Cannot bind any address.2 .启动服务:2.1 生成ssh服务管理脚本,进入ssh解压目录:#cd contrib/redhat#cp sshd.init /etc/init.d/sshd#chmod +x /etc/init.d/sshd#chkconfig -add sshd2.2 启动ssh服务:#/usr/sbin/sshd或者#service sshd start最后，启动 SSH 服务使修改生效：# /etc/init.d/sshd restart 重启后确认一下当前的OpenSSH和OpenSSL是否正确：# ssh -V 如果看到了新的版本号就没问题.3.查看服务端口中是否有22 #netstat -tnlp | grep :22tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 21018/sshd以ssh方式重新连接系统。4.测试如果重启服务器sshd服务无法自启动，则需修改selinux配置文件。vi /etc/ selinux/config将SELINUX=enforcing 改为SELINUX=disabledThis file controls the state of SELinux on the system. SELINUX= can take one of these three values: enforcing - SELinux security policy is enforced. permissive - SELinux prints warnings instead of enforcing. disabled - No SELinux policy is loaded.SELINUX=disabled SELINUXTYPE= can take one of these two values: t