此脚本主要针对漏洞扫描中发现的SSH服务加密漏洞,故将OpenSSH升级到8.5版本
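#!/bin/bash
# Replace the distribution OpenSSH packages on a CentOS 7 host with source
# builds of zlib 1.2.11, OpenSSL 1.0.2r and OpenSSH 8.5p1. A telnet service is
# installed first so there is a login path while sshd is removed and rebuilt.
#
# Update package directory: /home/update
#
# NOTE(review): this script leaves the host in a weakened state when it ends:
#   - SELinux is switched to permissive now and to disabled in its config file;
#   - firewalld is stopped (not disabled, so it returns on reboot);
#   - telnet (cleartext) stays enabled, with root allowed on pts/0-pts/4;
#   - sshd accepts password logins for root.
# Once the new sshd is confirmed working, stop and disable telnet.socket and
# xinetd, restore /etc/securetty from /etc/securetty.bak, start firewalld
# again, and consider key-based authentication with
# "PermitRootLogin prohibit-password".

readonly UPDATE_DIR=/home/update
readonly ARCHIVES=(zlib-1.2.11.tar.gz openssl-1.0.2r.tar.gz openssh-8.5p1.tar.gz)

# Print a message on stderr and stop the script with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "开始挂载系统镜像"
mount /home/CentOS-7-x86_64-Everything-2009.iso /mnt
echo "挂载系统镜像结束"
yum makecache
echo "yum源更新完成"

echo "关闭selinux"
# Permissive for the running system, disabled persistently after next boot.
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
systemctl stop firewalld
echo "防火墙关闭完成"

echo "开始安装telnet服务"
yum -y install xinetd telnet-server
# Keep the first backup pristine so a rerun does not overwrite it with the
# already-modified file.
[[ -e /etc/securetty.bak ]] || cp /etc/securetty /etc/securetty.bak
# Allow root logins on the pseudo-terminals telnet uses; add each entry only
# once so repeated runs do not pile up duplicates.
for tty in pts/0 pts/1 pts/2 pts/3 pts/4; do
  grep -qxF -- "$tty" /etc/securetty || echo "$tty" >> /etc/securetty
done
systemctl restart telnet.socket
systemctl restart xinetd
systemctl enable telnet.socket
systemctl enable xinetd
echo "安装telnet服务完成"
# Pause so the operator can confirm the fallback login works before sshd is
# removed.
read -r -n1 -p "Press any key to continue..."

echo "安装依赖组件"
yum -y install gcc gcc-c++ make pam pam-devel openssl-devel pcre-devel perl zlib-devel
echo "安装依赖组件完成"

# Preflight: everything below removes the working sshd, so stop here if the
# build cannot possibly succeed.
for tool in gcc make perl; do
  command -v "$tool" > /dev/null \
    || die "required build tool '$tool' not found; installed openssh left untouched"
done
# NOTE(review): these tarballs are built and installed as root without any
# integrity check; verify each one against the publisher's checksum or
# signature before running this script.
for archive in "${ARCHIVES[@]}"; do
  [[ -f "${UPDATE_DIR}/${archive}" ]] \
    || die "missing ${UPDATE_DIR}/${archive}; installed openssh left untouched"
done

echo "开始卸载系统自带ssh组件"
systemctl stop sshd
cp -r /etc/ssh /etc/ssh.old
cp /etc/init.d/ssh /etc/init.d/ssh.old
mapfile -t openssh_pkgs < <(rpm -qa | grep openssh)
if ((${#openssh_pkgs[@]} > 0)); then
  printf '%s\n' "${openssh_pkgs[@]}"
  rpm -e --nodeps "${openssh_pkgs[@]}"
fi
# After the bundled ssh packages are removed, this query should print nothing.
rpm -qa | grep openssh

echo "安装和配置zlib开始"
cd "$UPDATE_DIR" || die "cannot cd to $UPDATE_DIR"
tar -zxvf zlib-1.2.11.tar.gz || die "failed to extract zlib-1.2.11.tar.gz"
cd zlib-1.2.11 || die "cannot cd to zlib-1.2.11"
./configure --prefix=/usr/local/zlib && make && make install \
  || die "zlib build failed"
ls -l /usr/local/zlib
echo "/usr/local/zlib/lib" >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
echo "安装和配置zlib完成"

echo "安装和配置openssl开始"
# NOTE(review): the OpenSSL 1.0.2 series no longer receives public upstream
# fixes; confirm this version actually satisfies the scan finding.
cd "$UPDATE_DIR" || die "cannot cd to $UPDATE_DIR"
tar -zxvf openssl-1.0.2r.tar.gz || die "failed to extract openssl-1.0.2r.tar.gz"
cd openssl-1.0.2r || die "cannot cd to openssl-1.0.2r"
# Stop before /usr/bin/openssl is swapped out if the build did not succeed.
./config shared zlib && make && make install \
  || die "openssl build failed; /usr/bin/openssl left untouched"
mv -f /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
openssl version -a
echo "安装和配置openssl结束"

echo "安装和配置openssh8.5开始"
cd "$UPDATE_DIR" || die "cannot cd to $UPDATE_DIR"
# The old configuration and host keys were copied to /etc/ssh.old above.
# Removing /etc/ssh means new host keys are generated, so clients will see a
# changed host key; restore the keys from /etc/ssh.old if continuity matters.
rm -rf /etc/ssh
tar -zxvf openssh-8.5p1.tar.gz || die "failed to extract openssh-8.5p1.tar.gz"
cd openssh-8.5p1 || die "cannot cd to openssh-8.5p1"
./configure --prefix=/usr --sysconfdir=/etc/ssh \
  --with-openssl-includes=/usr/local/ssl/include \
  --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords \
  && make && make install \
  || die "openssh build failed; sshd is not installed, use the telnet fallback"
# NOTE(review): password authentication for root is the weakest sshd login
# policy; tighten it after the upgrade has been verified.
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# Leave the extracted openssh-8.5p1 directory. (The original used a "//"
# comment here, which the shell passes to cd as an extra argument.)
cd "$UPDATE_DIR" || die "cannot cd to $UPDATE_DIR"
cp -p openssh-8.5p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
chkconfig --add sshd
chkconfig sshd on
# Validate the configuration and host keys before restarting the service.
sshd -t || die "sshd configuration test failed; not restarting sshd"
systemctl restart sshd
systemctl status sshd
ssh -V
echo "安装和配置openssh8.5结束"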