最近的,openssl/openssh等相继漏洞的暴露,让暴露在公网的linux.沦陷为肉鸡的正营。。。
没办法,还是升级版本。。。
00、openssh简介
OpenSSH 是一组安全远程的连接工具,主要包括了几个部份:ssh、sshd、scp、sftp、ssh-keygen、ssh-agent、ssh-add等
ssh(SSH 客户端,用于登录建立连接,是 rlogin 与 Telnet的安全替代方案)
sshd (SSH 服务端,典型的独立守护进程)
scp、sftp (文件安全传输工具,rcp、ftp 安全的替代方案)
ssh-keygen (用于产生 RSA 或 DSA 密钥)
ssh-agent、ssh-add(帮助用户不需要每次都要输入金钥密码的工具)
01、编译前的准备工作
下载openssh:
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
A: 已经安装了openssl(新版本的,编译安装的)
B:或者基于本机的openssl(yum install -y openssl-devel)
openssl version -a #查看当前版本的openssl
ssh -V #当前openssh编译的版本
yum install -y zlib-devel #如果编译参数压缩的需要安装
02、编译安装 OpenSSH
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh2 --with-ssl-dir=/usr/local/openssl #如果openssl已经基于源码升级需要加此参数,但基于本机openssl的不需要添加
make -j4 && make install
解释:
--prefix 安装目录
--sysconfdir 配置文件目录 #当前的/etc/ssh 目的不覆盖,也可以基于本机直接覆盖安装
--with-ssl-dir 指定 OpenSSL 的安装目录(基于源码安装的)
03、备份OpenSSH 旧配置文件
mv /etc/init.d/sshd /etc/init.d/sshd.bak
04、修改ssh启动脚本
openssh-7.4p1\contrib\redhat\sshd.init sshd就是根据sshd,init修改的针对redhat发行版本
根据实际情况修正的sshd脚本 /etc/init.d/sshd
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig:
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid # source function library
. /etc/rc.d/init.d/functions # pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd RETVAL=
prog="sshd" # Some functions to make the below more readable
SSHD=/usr/local/openssh/sbin/sshd #按实际情况调整
PID_FILE=/var/run/sshd.pid do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ $RETVAL -ne ]; then
failure $"Configuration file or keys are invalid"
echo
fi
} start()
{
# Create keys if necessary
/usr/local/openssh/bin/ssh-keygen -A #按实际情况调整
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh2/ssh_host_key.pub
/sbin/restorecon /etc/ssh2/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh2/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh2/ssh_host_ecdsa_key.pub
fi echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq ] && touch /var/lock/subsys/sshd
echo
} stop()
{
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ $RETVAL -eq ] && rm -f /var/lock/subsys/sshd
echo
} reload()
{
echo -n $"Reloading $prog:"
killproc $SSHD -HUP
RETVAL=$?
echo
} case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ $RETVAL -eq ] ; then
stop
# avoid race
sleep
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=
esac
exit $RETVAL
chmod +x /etc/init.d/sshd
添加允许root远程登录
/etc/ssh2/sshd_config
PermitRootLogin yes
05、设置环境变量
vim /etc/profile
export PATH=/usr/local/openssh/bin:$PATH
source /etc/profile
06、开机自启动 sshd
service sshd restart
chkconfig sshd on
07、openssh编译参数
[root@rhel openssh-7.4p1]# ./configure --help
`configure' configures OpenSSH Portable to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/openssh]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--disable-largefile omit support for large files
--disable-pkcs11 disable PKCS#11 support code [no]
--disable-strip Disable calling strip(1) on install
--disable-etc-default-login Disable using PATH from /etc/default/login no
--disable-lastlog disable use of lastlog even if detected no
--disable-utmp disable use of utmp even if detected no
--disable-utmpx disable use of utmpx even if detected no
--disable-wtmp disable use of wtmp even if detected no
--disable-wtmpx disable use of wtmpx even if detected no
--disable-libutil disable use of libutil (login() etc.) no
--disable-pututline disable use of pututline() etc. (uwtmp) no
--disable-pututxline disable use of pututxline() etc. (uwtmpx) no
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
--with-ssh1 Enable support for SSH protocol 1
--without-stackprotect Don't use compiler's stack protection
--without-hardening Don't use toolchain hardening flags
--without-rpath Disable auto-added -R linker paths
--with-cflags Specify additional flags to pass to compiler
--with-cppflags Specify additional flags to pass to preprocessor
--with-ldflags Specify additional flags to pass to linker
--with-libs Specify additional libraries to link with
--with-Werror Build main code with -Werror
--with-solaris-contracts Enable Solaris process contracts (experimental)
--with-solaris-projects Enable Solaris projects (experimental)
--with-solaris-privs Enable Solaris/Illumos privileges (experimental)
--with-osfsia Enable Digital Unix SIA
--with-zlib=PATH Use zlib in PATH
--without-zlib-version-check Disable zlib version check
--with-skey[=PATH] Enable S/Key support (optionally in PATH)
--with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
--with-audit=module Enable audit support (modules=debug,bsm,linux)
--with-pie Build Position Independent Executables if possible
--with-ssl-dir=PATH Specify path to OpenSSL installation #源码编译openssl需要指定
--without-openssl-header-check Disable OpenSSL version consistency check
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
--with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT
--with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
--with-pam Enable PAM support
--with-pam-service=name Specify PAM service name
--with-privsep-user=user Specify non-privileged user for privilege separation
--with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)
--with-selinux Enable SELinux support
--with-kerberos5=PATH Enable Kerberos 5 support
--with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
--with-xauth=PATH Specify path to xauth program
--with-maildir=/path/to/mail Specify your system mail directory
--with-mantype=man|cat|doc Set man page type
--with-md5-passwords Enable use of MD5 passwords
--without-shadow Disable shadow password support
--with-ipaddr-display Use ip address instead of hostname in $DISPLAY
--with-default-path= Specify default $PATH environment for server
--with-superuser-path= Specify different path for super-user
--with-4in6 Check for and convert IPv4 in IPv6 mapped addresses
--with-bsd-auth Enable BSD auth support
--with-pid-dir=PATH Specify location of ssh.pid file
--with-lastlog=FILE|DIR specify lastlog location common locations
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
OpenSSH has been configured with the following options:
User binaries: /usr/local/openssh/bin
System binaries: /usr/local/openssh/sbin
Configuration files: /etc/ssh2
Askpass program: /usr/local/openssh/libexec/ssh-askpass
Manual pages: /usr/local/openssh/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE Preprocessor flags: -I/usr/local/openssl/include
Linker flags: -L/usr/local/openssl/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-
protector-all -pie Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv