CentOS 7.9 64-bit: fixing an OpenSSH vulnerability

devtools / 2025-04-01 03:19:19

1. Background:

A vulnerability scan of a CentOS 7.9 64-bit host reported the OpenSSH finding shown below (the scan result itself is not reproduced on this page):

Before following the steps, note what such a finding usually means. CentOS 7 ships OpenSSH 7.4p1 and fixes security issues by backporting patches without changing that version number, so a scanner that keys on the version banner keeps flagging the host even when the packaged build is patched. Replacing the package with a source build of 8.0p1 (released in April 2019) changes the banner, but it also takes sshd out of yum's update path: from then on, tracking and applying OpenSSH fixes is your job.

2. Steps to fix the OpenSSH vulnerability

Upgrade notes: every command below assumes root or an equivalent administrator account; if you hit a permission error, prefix the command (or the whole command pipeline) with sudo. Keep the SSH session you are working in open for the entire procedure. Replacing the sshd binary on disk does not affect the session you already have, but restarting the service may, which is why a fallback login path is set up in step 3 before sshd is touched.

1. Check the CentOS release and kernel:

(1) cat /etc/issue (on CentOS 7 this file holds only getty escape sequences, as the output shows, so it does not tell you the release)

[root@ecs-ab49 ~]# cat /etc/issue
\S
Kernel \r on an \m

(2) cat /etc/redhat-release shows the release (recommended)

[root@ecs-ab49 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

(3) cat /proc/version shows the kernel

[root@ecs-ab49 ~]# cat /proc/version
Linux version 3.10.0-1160.119.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Tue Jun 4 14:43:51 UTC 2024

2. Prepare the build dependencies:

(1) OpenSSL: OpenSSH 8.0p1 builds against both the OpenSSL 1.0.2 series that CentOS 7.9 ships and OpenSSL 1.1.x, so the system library is fine as it is. What configure does need is the matching header package (openssl-devel); without it the build stops with a missing OpenSSL header error.

[root@ecs-ab49 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@ecs-ab49 ~]# rpm -qa|grep openssl
openssl-libs-1.0.2k-26.el7_9.x86_64
openssl-1.0.2k-26.el7_9.x86_64

If openssl is missing, install openssl and openssl-devel (openssl-devel is needed even when openssl itself is already present):

[root@ecs-ab49 ~]# yum install openssl-devel openssl

(2) zlib and zlib-devel:
zlib 1.1.4, 1.2.1.2 or newer is required.

[root@ecs-ab49 ~]# rpm -q zlib zlib-devel
zlib-1.2.7-21.el7_9.x86_64
package zlib-devel is not installed

Note: zlib-devel is missing here.

[root@ecs-ab49 ~]# yum install zlib-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
base                                                     | 3.6 kB  00:00:00
epel                                                     | 4.3 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
(1/7): epel/x86_64/group                                 | 399 kB  00:00:00
(2/7): epel/x86_64/updateinfo                            | 1.0 MB  00:00:00
(3/7): base/7/x86_64/group_gz                            | 153 kB  00:00:00
(4/7): base/7/x86_64/primary_db                          | 6.1 MB  00:00:00
(5/7): epel/x86_64/primary_db                            | 8.7 MB  00:00:00
(6/7): updates/7/x86_64/primary_db                       |  27 MB  00:00:00
(7/7): extras/7/x86_64/primary_db                        | 253 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-21.el7_9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version               Repository       Size
================================================================================
Installing:
 zlib-devel       x86_64      1.2.7-21.el7_9        updates          50 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 50 k
Installed size: 132 k
Is this ok [y/d/N]: y
Downloading packages:
zlib-devel-1.2.7-21.el7_9.x86_64.rpm                     |  50 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : zlib-devel-1.2.7-21.el7_9.x86_64                           1/1
  Verifying  : zlib-devel-1.2.7-21.el7_9.x86_64                           1/1

Installed:
  zlib-devel.x86_64 0:1.2.7-21.el7_9

Complete!

Check zlib and zlib-devel again:

[root@ecs-ab49 ~]# rpm -q zlib zlib-devel
zlib-1.2.7-21.el7_9.x86_64
zlib-devel-1.2.7-21.el7_9.x86_64

(3) gcc:

Check the gcc version:

[root@ecs-ab49 ~]# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 

If gcc is missing, install it:

[root@ecs-ab49 ~]# yum install gcc

(4) Install pam-devel (needed for the --with-pam build option used below):

[root@ecs-ab49 ~]# yum install -y pam-devel

 

3. Install telnet and xinetd as a fallback login path:

To avoid being locked out if the upgrade fails, enable a second way into the host before touching sshd. This guide uses telnet for that. Telnet carries credentials in cleartext, so if you use it, restrict port 23 to your management network or a single source address for the duration of the upgrade and remove it again in step 5; where an out-of-band console (cloud VNC or serial console) is available, prefer that and skip telnet entirely.

(1) Install telnet-server:

[root@ecs-ab49 ~]# rpm -qa | grep telnet
[root@ecs-ab49 ~]# yum list |grep telnet 
dcap-tunnel-telnet.x86_64                2.47.14-1.el7                 epel     
libguac-client-telnet.x86_64             1:1.5.5-1.el7                 epel     
libtelnet.x86_64                         0.23-1.el7                    epel     
libtelnet-devel.x86_64                   0.23-1.el7                    epel     
libtelnet-utils.x86_64                   0.23-1.el7                    epel     
telnet.x86_64                            1:0.17-66.el7                 updates  
telnet-server.x86_64                     1:0.17-66.el7                 updates  
[root@ecs-ab49 ~]# yum install telnet-server.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package telnet-server.x86_64 1:0.17-66.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch        Version             Repository       Size
================================================================================
Installing:
 telnet-server      x86_64      1:0.17-66.el7       updates          41 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 41 k
Installed size: 55 k
Is this ok [y/d/N]: y
Downloading packages:
telnet-server-0.17-66.el7.x86_64.rpm                     |  41 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:telnet-server-0.17-66.el7.x86_64                         1/1
  Verifying  : 1:telnet-server-0.17-66.el7.x86_64                         1/1

Installed:
  telnet-server.x86_64 1:0.17-66.el7

Complete!

(2) Install xinetd:

[root@ecs-ab49 ~]# rpm -qa | grep xinetd
[root@ecs-ab49 ~]# yum list |grep xinetd
xinetd.x86_64                            2:2.3.15-14.el7               base  
[root@ecs-ab49 ~]# yum install xinetd.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.15-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch        Version               Repository        Size
================================================================================
Installing:
 xinetd         x86_64      2:2.3.15-14.el7       base             128 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 128 k
Installed size: 261 k
Is this ok [y/d/N]: y
Downloading packages:
xinetd-2.3.15-14.el7.x86_64.rpm                          | 128 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:xinetd-2.3.15-14.el7.x86_64                              1/1
  Verifying  : 2:xinetd-2.3.15-14.el7.x86_64                              1/1

Installed:
  xinetd.x86_64 2:2.3.15-14.el7

Complete!

Start the telnet and xinetd services and verify that you can log in:

[root@ecs-ab49 ~]# systemctl enable telnet.socket 
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@ecs-ab49 ~]# systemctl start telnet.socket 
[root@ecs-ab49 ~]# systemctl status telnet.socket 
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; enabled; vendor preset: disabled)
   Active: active (listening) since Thu 2025-03-27 11:33:22 CST; 8s ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

Mar 27 11:33:22 ecs-ab49 systemd[1]: Listening on Telnet Server Activation Socket.
[root@ecs-ab49 ~]# systemctl enable xinetd 
[root@ecs-ab49 ~]# systemctl start xinetd
[root@ecs-ab49 ~]# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2025-03-27 11:33:45 CST; 4s ago
  Process: 10174 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 10175 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─10175 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing tcpmux
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: Started working: 0 available services
Mar 27 11:33:45 ecs-ab49 systemd[1]: Started Xinetd A Powerful Replacement For Inetd.

Login check: log in over telnet from another machine before going any further. Two things are worth noticing in the output above. xinetd started with "0 available services": on CentOS 7 telnet-server ships its own telnet.socket systemd unit, so xinetd is not actually involved and can be skipped. Second, root logins over telnet are refused unless /etc/securetty lists the pts devices; if you back up and edit that file here to allow a root login, restore the backup in step 5.

4. Upgrade OpenSSH:

(1) Back up the existing OpenSSH configuration and binaries. The .bak copies are the rollback path: if the new build fails, move them back.

[root@ecs-ab49 ~]# cp -r -a /etc/ssh/ /etc/ssh.bak
[root@ecs-ab49 ~]# cp -r -a /etc/pam.d/ /etc/pam.d.bak
[root@ecs-ab49 ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak

(2) Download the openssh-8.0p1 source tarball. Fetch the detached signature as well (openssh-8.0p1.tar.gz.asc, next to the tarball on the same mirror) and verify it with gpg against the OpenSSH release key (RELEASE_KEY.asc in the mirror's OpenSSH directory) before unpacking: a source build bypasses the package signature check that yum would otherwise perform for you.

[root@ecs-ab49 ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
--2025-03-27 11:42:18--  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.91.52
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.91.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1597697 (1.5M) [application/octet-stream]
Saving to: ‘openssh-8.0p1.tar.gz’

100%[==========================================>] 1,597,697   1.53MB/s   in 1.0s

2025-03-27 11:42:22 (1.53 MB/s) - ‘openssh-8.0p1.tar.gz’ saved [1597697/1597697]

Unpack openssh-8.0p1:

[root@ecs-ab49 ~]# tar -zxvf  openssh-8.0p1.tar.gz

(3) Remove the distribution's openssh packages (use one of the two methods, not both):

With rpm:

[root@ecs-ab49 ~]# rpm -e --nodeps `rpm -qa | grep openssh`

With yum (this also removes openssh-server and openssh-clients, which depend on openssh):

[root@ecs-ab49 ~]# yum remove openssh

Either way the package's sshd.service unit and /etc/pam.d/sshd go away; the backups from step (1) cover them. Expect the package's uninstall script to stop the sshd listener: your existing session should stay up, but no new SSH logins are possible until the new sshd is started in step (10), so do not close the session you are working in.

(4) Build from source:

[root@ecs-ab49 ~]# cd openssh-8.0p1
[root@ecs-ab49 openssh-8.0p1]# ./configure --prefix=/usr/local/openssh8p1 --sysconfdir=/etc/ssh --with-pam --with-zlib

Result: configure prints a summary of the detected features. If it stops with an error, the usual cause is a missing -devel package from step 2.

(5) make and make install:

[root@ecs-ab49 openssh-8.0p1]# make && sudo make install

(6) Put the new binaries and configuration in place:

[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/etc/sshd_config /etc/ssh/sshd_config
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/sbin/sshd /usr/sbin/sshd
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh /usr/bin/ssh
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh-keygen /usr/bin/ssh-keygen
[root@ecs-ab49 openssh-8.0p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd

Notes: because configure was given --sysconfdir=/etc/ssh, make install already writes sshd_config to /etc/ssh when no file exists there (it never overwrites an existing one), so the first cp is only needed if you built with a different sysconfdir. The remaining client tools (scp, sftp, ssh-add, ssh-agent) were removed together with the packages and now live in /usr/local/openssh8p1/bin; copy them the same way or add that directory to PATH. If you later turn on UsePAM yes, also install contrib/redhat/sshd.pam as /etc/pam.d/sshd, since the packaged file went away in step (3).

(7) Make the init script executable:

[root@ecs-ab49 openssh-8.0p1]# chmod +x /etc/init.d/sshd


(8) Adjust the configuration (as needed):

[root@ecs-ab49 openssh-8.0p1]# vi /etc/ssh/sshd_config

Add the following:

PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

Comment out the following:

#TCPKeepAlive yes

These settings restore the pre-upgrade behaviour so that existing logins keep working, but two of them are weaker than the OpenSSH 8.0 defaults: PermitRootLogin yes allows direct root password logins (the 8.0 default is prohibit-password), and PasswordAuthentication yes keeps password guessing possible. Once the upgrade is confirmed working, set PermitRootLogin to prohibit-password or no and turn off password authentication for accounts that have keys. Remember that sshd honours the first occurrence of a keyword in the file, so place these lines above any existing uncommented ones rather than at the end.
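Before relying on the settings above, it helps to check what the resulting file actually does. The following is an added example, not code from the original post, that audits the global section of an sshd_config for the three settings most often left weak after this kind of upgrade. It needs only awk, sed and tr; the sample configuration it writes is constructed for the demonstration and mirrors the edits from step (8).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the global section of an
# sshd_config for weak authentication settings.
#
# Two sshd parsing rules are mirrored here:
#   - for each keyword sshd keeps the FIRST value it reads; later duplicates
#     are ignored, so appending "PermitRootLogin no" at the end of the file
#     does nothing if "PermitRootLogin yes" already appears above it;
#   - keywords are case-insensitive, and everything after the first "Match"
#     line is conditional, so only the global section is inspected.

# effective_value CONFIG KEYWORD
#   prints the value sshd would use, or nothing if the keyword is not set
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        tolower($1) == "match"               { exit }      # end of global section
        tolower($1) == tolower(key)          { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sshd_config CONFIG
#   prints one finding per line; returns 0 if clean, 1 if anything was flagged
audit_sshd_config() {
    local cfg="$1" findings=0 v

    v=$(lower "$(effective_value "$cfg" PermitRootLogin)")
    if [ "$v" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in with a password; use prohibit-password or no"
        findings=$((findings + 1))
    fi

    v=$(lower "$(effective_value "$cfg" PasswordAuthentication)")
    if [ "$v" = "yes" ] || [ -z "$v" ]; then        # sshd defaults to yes when unset
        echo "PasswordAuthentication ${v:-unset (defaults to yes)}: password guessing possible; prefer keys only"
        findings=$((findings + 1))
    fi

    v=$(lower "$(effective_value "$cfg" PermitEmptyPasswords)")
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample (not a real host's file). The trailing "PermitRootLogin no"
# shows that the first occurrence wins, and the Match block is ignored.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# sample sshd_config, constructed for this example
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
#TCPKeepAlive yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
if ! audit_sshd_config "$demo_cfg"; then
    echo "-> tighten the settings above before exposing the host"
fi
rm -f "$demo_cfg"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after the upgrade is confirmed working; the two findings it prints for the constructed sample are exactly the two settings step (8) adds.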

(9) Enable the service at boot (systemd generates a unit from the /etc/init.d/sshd script installed in step (6)):

[root@ecs-ab49 openssh-8.0p1]# systemctl enable sshd

(10) Restart the service. Check the new configuration with sshd -t first so that a typo does not leave you without a listener; after the restart, confirm a fresh login from a second terminal before closing the session you are working in.

[root@ecs-ab49 openssh-8.0p1]# systemctl restart sshd

(11) Verify the version:

[root@ecs-ab49 ssh]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Note that ssh -V reports the client binary. The scanner looks at the server, so confirm the running daemon as well: the identification string sshd sends to every new connection must now read OpenSSH_8.0, and it only does so after the restart in step (10). Rescanning for the OpenSSH vulnerability then showed it as fixed.
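A version-based scanner reads the identification string that the running sshd sends on connect, not the output of ssh -V on the host. The following added example (not code from the original post) reads that string and compares it against the version you expect, so it checks the same thing the scanner does. The banner strings in the offline demonstration are constructed; the live check uses bash's /dev/tcp redirection against a host and port you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check the OpenSSH version a
# network scanner actually sees. sshd sends "SSH-2.0-OpenSSH_<ver>" as the
# first line of every connection; that is what version-based findings key on.

# banner_version BANNER -> "7.4", "8.0", ... (portable suffix such as p1 dropped);
#   prints nothing if the banner is not from OpenSSH
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> true if dotted version A >= B, compared field by field as
#   numbers (so 9.10 is newer than 9.8, which a plain string compare gets wrong)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# fetch_banner HOST PORT -> first line the server sends (needs bash for /dev/tcp)
fetch_banner() {
    timeout 5 bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        IFS= read -r -t 5 line <&3
        printf "%s\n" "$line"
    ' _ "$1" "$2" | tr -d '\r'
}

# check_server HOST PORT REQUIRED -> 0 if the live banner is >= REQUIRED,
#   1 if it is older, 2 if no OpenSSH banner could be read
check_server() {
    local host="$1" port="$2" want="$3" banner ver
    banner=$(fetch_banner "$host" "$port")
    if [ -z "$banner" ]; then echo "no banner from $host:$port"; return 2; fi
    ver=$(banner_version "$banner")
    if [ -z "$ver" ]; then echo "not OpenSSH: $banner"; return 2; fi
    if version_ge "$ver" "$want"; then
        echo "OK  $host:$port -> $banner"
    else
        echo "OLD $host:$port -> $banner (want >= $want; was sshd restarted after the upgrade?)"
        return 1
    fi
}

# Offline demonstration on constructed banners: what the scanner sees on a
# stock CentOS 7 host and on this host after the upgrade.
for b in "SSH-2.0-OpenSSH_7.4" "SSH-2.0-OpenSSH_8.0"; do
    v=$(banner_version "$b")
    if version_ge "$v" 8.0; then echo "$b -> $v OK"; else echo "$b -> $v OLD"; fi
done

# Live check against the upgraded host (uncomment to run; host and port are
# assumptions for this example):
# check_server 127.0.0.1 22 8.0
```

If check_server still reports the old banner after step (10), the listener is not the new binary: the most common causes are a restart that failed on a configuration error (sshd -t shows it) or a second sshd still running from the old unit. Keep in mind that this check, like the scanner, only proves the version string changed; it says nothing about whether the build is current, and OpenSSH 8.0p1 itself dates from 2019.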

5. Remove the telnet and xinetd services:

(1) Check the installed telnet and xinetd packages, stop and disable their units, then remove them:

[root@ecs-ab49 ssh]# rpm -qa | grep telnet
telnet-server-0.17-66.el7.x86_64
[root@ecs-ab49 ssh]# systemctl stop telnet.socket
[root@ecs-ab49 ssh]# systemctl disable telnet.socket
[root@ecs-ab49 ssh]# systemctl stop xinetd
[root@ecs-ab49 ssh]# systemctl disable xinetd
[root@ecs-ab49 ssh]# yum remove -y telnet-server xinetd

(rpm -e telnet-server xinetd removes the same packages without yum.) Confirm afterwards that nothing is listening on port 23 any more.

(2) Restore /etc/securetty if you modified it for the telnet root login in step 3:

[root@ecs-ab49 ssh]# mv /etc/securetty.bak /etc/securetty

Keep the .bak copies of the old binaries from step 4 (1) until the new sshd has run reliably; they are the rollback path.

That completes the OpenSSH vulnerability fix on CentOS 7.9 64-bit. Because sshd is now a source build, yum will no longer update it: subscribe to the OpenSSH release announcements and repeat this procedure (or return to a packaged build) when the next fix is published.


http://www.ppmy.cn/devtools/172205.html
