## **Upgrading OpenSSH on CentOS 7.6 to fix CVE-2023-38408**

CVE-2023-38408 is the ssh-agent PKCS#11 provider-loading flaw (remote code execution against a forwarded agent); it is fixed in OpenSSH 9.3p2 and later. CentOS 7 ships OpenSSH 7.4, so the fix is to build a current release (9.5p1 here) from source. Because this replaces the running sshd, a second way into the box is set up first.

### **Step 1: Set up a Telnet service so you can still get in if the upgrade fails**

(1) Temporarily turn off firewalld and SELinux:

```
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
cat /etc/selinux/config
systemctl stop firewalld.service
systemctl disable firewalld.service
```

Keep the commands that undo this for the end; run them only after the new sshd has been verified in step 2 (10), not now, or the Telnet fallback is firewalled off again:

```
# Restore SELinux and firewalld once the upgrade is confirmed working
sed -i "s/SELINUX=disabled/SELINUX=enforcing/g" /etc/selinux/config
setenforce 1
systemctl enable firewalld
systemctl start firewalld
```

(2) Install the Telnet server:

```
yum -y install xinetd telnet-server
```

(3) Allow root to log in over Telnet (pts/0 to pts/5 are added to /etc/securetty):

```
echo -e "pts/0\npts/1\npts/2\npts/3\npts/4\npts/5" >> /etc/securetty
tail -6 /etc/securetty
```

(4) Move Telnet off its default port TCP/23. The edit to /etc/services must be anchored to the telnet lines: a bare `s#23/tcp#23023/tcp#` also rewrites every other service whose port number ends in 23 (ntp 123/tcp, for example) and corrupts the file.

```
grep -w "^telnet" /etc/services
# Only touch the telnet entries, and only a port that starts at a word boundary
sed -i -E '/^telnet[[:space:]]/s#\<23/(tcp|udp)#23023/\1#' /etc/services
grep -w "^telnet" /etc/services
# Expected:
# telnet 23023/tcp
# telnet 23023/udp
grep -w "^ListenStream" /usr/lib/systemd/system/telnet.socket
# Anchor the whole value so re-running this does not turn 23023 into 23023023
sed -i "s/^ListenStream=23$/ListenStream=23023/" /usr/lib/systemd/system/telnet.socket
grep -w "^ListenStream" /usr/lib/systemd/system/telnet.socket
# Expected:
# ListenStream=23023
```

(5) Start the services. The unit file was edited, so systemd has to re-read it first:

```
systemctl daemon-reload
systemctl start xinetd
systemctl enable xinetd
systemctl start telnet.socket
systemctl enable telnet.socket
ss -tunlp | grep 23023
```

(6) Test. If the Telnet client is not installed yet:

```
yum -y install telnet
```

Connect and log in with the account and password; the login should succeed:

```
telnet 127.0.0.1 23023
```

Telnet sends the password in cleartext and this configuration lets root log in over it, so treat it strictly as a temporary fallback: stop, disable and remove telnet-server as soon as the new sshd is confirmed working.

### **Step 2: Upgrade OpenSSH**

(1) Back up the configuration:

```
cd /etc/ssh
cp sshd_config{,.bak}
cd /etc/pam.d
cp sshd{,.bak}
# The rebuilt sshd refuses to load a host key that is group- or world-readable
# ("permissions are too open"); CentOS 7 ships them 0640 root:ssh_keys, so tighten them now
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
```

(2) Install the build dependencies:

```
yum -y install gcc gcc-c++ zlib-devel openssl-devel pam-devel
```

Caveat: OpenSSH 9.4 and later require OpenSSL 1.1.1 or newer, while the `openssl-devel` package on CentOS 7 is 1.0.2. The configure line below therefore points at `/usr/local/ssl`, and the final `ssh -V` output shows OpenSSL 3.1.3, so a newer OpenSSL must already have been built and installed there. That build is not covered on this page and has to be done before continuing.

(3) Remove the old OpenSSH packages:

```
rpm -qa | grep openssh
rpm -e --nodeps `rpm -qa | grep openssh`
```

Do this from a session you already hold open (or from the Telnet fallback): with the packaged binaries gone, new SSH logins may fail until the new sshd is installed and restarted in step (9).

(4) Download, build and install. The Alibaba Cloud mirror of the OpenSSH portable releases is https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/ ; the upstream `.asc` signatures are published alongside the tarballs, so verify the download before building it. Each `echo $?` must print 0 before you go on.

```
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz
tar -xf openssh-9.5p1.tar.gz -C /usr/src
cd /usr/src/openssh-9.5p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam --with-ssl-dir=/usr/local/ssl
echo $?
make -j $(nproc)
echo $?
make install
echo $?
```

(5) Install the SysV init script shipped with the source:

```
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
```

(6) Restore the backed-up configuration files (`make install` wrote fresh defaults over them):

```
cd /etc/ssh
mv -f sshd_config.bak sshd_config
cd /etc/pam.d
mv -f sshd.bak sshd
```

(7) Allow root to log in remotely:

```
sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config
```

`PermitRootLogin yes` also allows password logins as root. If root access is needed at all, `PermitRootLogin prohibit-password` keeps it key-only and is the safer setting.

(8) Enable the service at boot:

```
chkconfig --add sshd
chkconfig sshd on
chkconfig --list
```

(9) Restart SSH. Run `/usr/sbin/sshd -t` first: it checks the restored sshd_config and the host keys against the new binary and prints nothing when everything is fine, which is much cheaper than finding out after the restart. The init script was just added, so systemd has to generate a unit for it:

```
systemctl daemon-reload
systemctl restart sshd
```

(10) Verify the version, then open a fresh SSH session to confirm you can still log in before closing the one you are working from:

```
[root@VM-12-6-centos ~]# ssh -V
OpenSSH_9.5p1, OpenSSL 3.1.3 19 Sep 2023
```

Once the new login works, remove the Telnet fallback from step 1 and run the SELinux and firewalld restore commands from step 1 (1).
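As an added example, not part of the original write-up and not OpenSSH project code, the script below turns three of the pre-flight points above into shell functions that can be run before the cut-over: the anchored /etc/services edit from step 1 (4), the host-key permission check behind the `chmod 600` in step 2 (1), and the OpenSSL 1.1.1 minimum from step 2 (2). The function names, the sample services lines and the version strings are constructed for the demonstration; port 23023 and the host-key paths are the ones used in the procedure.

```shell
#!/bin/sh
# Added example for the CentOS 7 OpenSSH rebuild; not from the original post.
# Assumed: function names, the constructed sample /etc/services lines and the
# version strings used in the demo below. Port 23023 comes from the procedure.

# Rewrite only the telnet entries of a services file. The post's one-liner,
# s#23/tcp#23023/tcp#, matches every port that *ends* in 23 (ntp 123/tcp,
# asf-rmcp 623/tcp, ...). Anchoring to lines that start with "telnet" and to
# the whitespace in front of the port fixes that. Portable ERE, no sed -i.
move_telnet_port() {   # usage: move_telnet_port <services-file> <newport>
    f=$1; port=$2
    sed -E "/^telnet[[:space:]]/s#([[:space:]])23/(tcp|udp)#\1${port}/\2#" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# The rebuilt sshd refuses a host key that is group- or world-readable.
# CentOS 7 ships host keys 0640 root:ssh_keys, hence the chmod in the post.
hostkey_perms_ok() {   # usage: hostkey_perms_ok <keyfile>; true iff mode is exactly 0600
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600)" ]
}

# OpenSSH 9.4+ needs OpenSSL >= 1.1.1; CentOS 7's stock OpenSSL is 1.0.2, which
# is why the configure line points at a separately built /usr/local/ssl.
# Takes the output of `openssl version` and succeeds if it is new enough.
openssl_version_ok() { # usage: openssl_version_ok "$(/usr/local/ssl/bin/openssl version)"
    v=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*$//')  # "1.0.2k-fips" -> "1.0.2"
    printf '%s\n' "$v" | awk -F. '{ exit !($1*10000 + $2*100 + $3 >= 10101) }'
}

# --- demonstration on constructed input (not a real /etc/services) ---------
demo=$(mktemp)
printf 'telnet\t23/tcp\ntelnet\t23/udp\nntp\t123/tcp\nasf-rmcp\t623/tcp\n' > "$demo"
move_telnet_port "$demo" 23023
cat "$demo"            # only the two telnet lines now read 23023/...
rm -f "$demo"
for s in "OpenSSL 1.0.2k-fips  26 Jan 2017" "OpenSSL 3.1.3 19 Sep 2023"; do
    if openssl_version_ok "$s"; then echo "ok:      $s"; else echo "too old: $s"; fi
done
```

In the procedure, `move_telnet_port /etc/services 23023` replaces the unanchored sed in step 1 (4), `hostkey_perms_ok /etc/ssh/ssh_host_rsa_key` (and the ecdsa and ed25519 keys) belongs after the chmod in step 2 (1), and `openssl_version_ok "$(/usr/local/ssl/bin/openssl version)"` is worth running before `./configure`. None of these replace `/usr/sbin/sshd -t` before the restart in step 2 (9), which is the check that exercises the new binary against the restored configuration.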