Upgrading OpenSSH to 8.8 on an Ubuntu 16.04.7 server

1. NSFOCUS's "Remote Security Assessment System" produced a security assessment report showing that one of our servers has vulnerabilities.

The vulnerabilities are as follows:

    Ubuntu OpenSSH security restriction bypass vulnerability (CVE-2016-10012)

    Ubuntu OpenSSH auth_password function denial of service vulnerability (CVE-2016-6515)

    Ubuntu OpenSSH multiple denial of service vulnerabilities (CVE-2016-10708)

    Ubuntu OpenSSH remote code execution vulnerability (CVE-2016-10009)

    Ubuntu OpenSSH remote privilege escalation vulnerability (CVE-2016-10010)

    Ubuntu OpenSSH user enumeration vulnerability (CVE-2016-6210)

    Ubuntu OpenSSH security vulnerability (CVE-2017-15906)

    Ubuntu OpenSSH security vulnerability (CVE-2018-15473)

Taken together, all of these are vulnerabilities caused by an outdated software version, so the fix is to upgrade OpenSSL and OpenSSH on our Ubuntu server.

2. Confirm the current environment (run everything as the root account)

    root@ubuntu:~# cat /etc/issue
    Ubuntu 16.04.7 LTS \n \l

    root@ubuntu:~# uname -r
    4.4.0-186-generic
    root@ubuntu:~# 
    root@ubuntu:~# echo $0
    -bash
    root@ubuntu:~# bash --version
    GNU bash, version 4.3.48(1)-release (x86_64-pc-linux-gnu)
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    root@ubuntu:~# 
    root@ubuntu:~# openssl version
    OpenSSL 1.0.2g  1 Mar 2016
    root@ubuntu:~# 
    root@ubuntu:~# ssh -V
    OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016
    root@ubuntu:~#

Default versions in the Ubuntu 16.04.7 environment

Kernel version: Linux 4.4.0-186-generic

Shell: bash 4.3.48(1)-release (x86_64-pc-linux-gnu)

OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016

OpenSSH version: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10

3. Install telnet (make sure the server has outbound Internet access)

apt-get install openbsd-inetd telnetd telnet
/etc/init.d/openbsd-inetd restart     # start the service
netstat -anpt|grep 23                 # check that telnet's default port (23) is listening
telnet localhost                      # test a login

Log out of the SSH session and log in to the server over telnet instead, then change to the directory that holds the downloaded packages

telnet 10.0.0.7
Connecting to 10.0.0.7:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Ubuntu 16.04.7 LTS
ubuntu login: dq
Password: 
dq@ubuntu:~$ 
dq@ubuntu:~$ sudo -i
[sudo] password for dq: 
root@ubuntu:~# 
root@ubuntu:~# whoami 
root
root@ubuntu:~# 

4. Download the required packages

Pick a directory on the server to hold the packages for this upgrade, change into it, and download the three tarballs in turn

wget https://www.zlib.net/fossils/zlib-1.2.11.tar.gz  
wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1l.tar.gz
wget --no-check-certificate https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz

5. Remove the packaged ssh and install the build environment

service ssh stop
service ssh status
apt-get remove openssh-server openssh-client openssh-sftp-server 
apt-get install libpam0g-dev -y
apt-get install make -y
apt-get install gcc -y

6. Install the zlib dependency

tar xzvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib
make
make install
# build the shared library
make clean
./configure --shared
make
make install
cp zutil.h /usr/local/include
cp zutil.c /usr/local/include

7. Upgrade OpenSSL

Go back to the directory with the downloaded packages and run the following commands in order

tar zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l
./config shared zlib
make
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ldconfig -v
# check that the upgrade succeeded
openssl version -a

8. Upgrade SSH

service ssh stop
service ssh status
mv /etc/init.d/ssh /etc/init.d/ssh.old
mv /etc/ssh /etc/ssh.old
killall -9 ssh
ps -ef | grep "ssh"
tar xzvf openssh-8.8p1.tar.gz 
cd openssh-8.8p1/

./configure --prefix=/usr \
--sysconfdir=/etc/ssh \
--with-md5-passwords \
--with-pam --with-zlib \
--with-ssl-dir=/usr/local \
--with-privsep-path=/var/lib/sshd

make
make install
# check the new ssh version
ssh -V
# restore the old configuration file
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.default
cp /etc/ssh.old/sshd_config /etc/ssh/sshd_config
mv /etc/init.d/ssh.old /etc/init.d/ssh
systemctl unmask ssh
systemctl restart ssh
systemctl status ssh

Check the status: some options have been deprecated in the new version and need to be commented out

root@ubuntu:~# systemctl status ssh

vim /etc/ssh/sshd_config

Edit the configuration file and comment out the lines in question, then restart the ssh service and check its status
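As an added example (not part of the original post), the following script finds the deprecated options itself instead of reading them off the service status: it runs the newly built sshd's config test, parses its "<file> line N: Deprecated option X" messages, and comments out the flagged lines after saving a backup. It assumes that message format for sshd -t output and that sshd lives at /usr/sbin/sshd because of the --prefix=/usr build.

```shell
#!/bin/sh
# Added example, not from the original post: comment out every sshd_config line
# that the newly built sshd reports as a deprecated or unsupported option.
# Assumptions: sshd -t prints "<file> line <N>: Deprecated option <Keyword>"
# (or "Unsupported option ...") to stderr, and sshd is /usr/sbin/sshd because
# of --prefix=/usr. Run as root after "make install" and before
# "systemctl restart ssh":  sh fix_sshd_config.sh /etc/ssh/sshd_config

# Read sshd's config-test output on stdin; print the flagged line numbers,
# one per line, in ascending order without duplicates.
flagged_lines() {
    grep -E 'line [0-9]+: (Deprecated|Unsupported) option' \
        | sed -E 's/.*line ([0-9]+): (Deprecated|Unsupported) option.*/\1/' \
        | sort -un
}

# Read line numbers on stdin and prefix those lines of the config file with
# "# ", leaving lines that are already comments alone. The untouched original
# is kept as <file>.pre-8.8 so the change can be reverted.
comment_out_lines() {
    cfg="$1"
    nums=$(tr '\n' ' ')
    cp "$cfg" "$cfg.pre-8.8"
    awk -v list="$nums" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) hit[a[i]] = 1 }
        (NR in hit) && $0 !~ /^[ \t]*#/ { $0 = "# " $0 }
        { print }' "$cfg.pre-8.8" > "$cfg"
}

# Test the config with the new sshd, then comment out what it rejects.
# A hard parse error still makes sshd -t exit non-zero and has to be fixed by
# hand, so that exit status is passed on after the output has been shown.
fix_deprecated_options() {
    cfg="${1:-/etc/ssh/sshd_config}"
    out=$(/usr/sbin/sshd -t -f "$cfg" 2>&1)
    status=$?
    printf '%s\n' "$out" | flagged_lines | comment_out_lines "$cfg"
    [ "$status" -eq 0 ] || { printf '%s\n' "$out" >&2; return 1; }
}

if [ -n "${1:-}" ]; then
    fix_deprecated_options "$1"
fi
```

Run sshd -t once more afterwards: the script only comments out lines sshd complains about, so anything it still rejects is a real error rather than a deprecated option.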

root@ubuntu:~# systemctl restart ssh
root@ubuntu:~# 
root@ubuntu:~# systemctl status ssh
● ssh.service - LSB: OpenBSD Secure Shell server
   Loaded: loaded (/etc/init.d/ssh; bad; vendor preset: enabled)
   Active: active (running) since Fri 2022-11-18 11:45:57 HKT; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31432 ExecStop=/etc/init.d/ssh stop (code=exited, status=0/SUCCESS)
  Process: 31444 ExecStart=/etc/init.d/ssh start (code=exited, status=0/SUCCESS)
 Main PID: 1228 (code=exited, status=0/SUCCESS)
    Tasks: 1
   Memory: 552.0K
      CPU: 12ms
   CGroup: /system.slice/ssh.service
           └─31454 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startup

Nov 18 11:45:57 ubuntu systemd[1]: Starting LSB: OpenBSD Secure Shell server...
Nov 18 11:45:57 ubuntu ssh[31444]:  * Starting OpenBSD Secure Shell server sshd
Nov 18 11:45:57 ubuntu ssh[31444]:    ...done.
Nov 18 11:45:57 ubuntu sshd[31454]: Server listening on 0.0.0.0 port 22.
Nov 18 11:45:57 ubuntu sshd[31454]: Server listening on :: port 22.
Nov 18 11:45:57 ubuntu systemd[1]: Started LSB: OpenBSD Secure Shell server.

After the upgrade, sftp can no longer connect!!!

Solution

vim /etc/ssh/sshd_config
77 #Subsystem sftp /usr/lib/openssh/sftp-server
78 Subsystem sftp internal-sftp
Comment out line 77 and add line 78

Then restart the ssh service
systemctl restart ssh

9. Log in via ssh and shut down the telnet service

/etc/init.d/openbsd-inetd stop
/etc/init.d/openbsd-inetd status
systemctl disable inetd.service 

Reposted from blog.csdn.net/wxqndm/article/details/127919185