1. A scan by the NSFOCUS "Remote Security Assessment System" reported vulnerabilities on one of our servers.
The reported vulnerabilities are as follows:
Ubuntu OpenSSH Security Restriction Bypass Vulnerability (CVE-2016-10012)
Ubuntu OpenSSH auth_password function denial of service vulnerability (CVE-2016-6515)
Multiple Denial of Service Vulnerabilities in Ubuntu OpenSSH (CVE-2016-10708)
Ubuntu OpenSSH Remote Code Execution Vulnerability (CVE-2016-10009)
Ubuntu OpenSSH Remote Privilege Escalation Vulnerability (CVE-2016-10010)
Ubuntu OpenSSH User Enumeration Vulnerability (CVE-2016-6210)
Ubuntu OpenSSH Security Vulnerability (CVE-2017-15906)
Ubuntu OpenSSH Security Vulnerability (CVE-2018-15473)
After reviewing the findings, all of them stem from the installed software being too old. The fix is to upgrade OpenSSL and OpenSSH on our Ubuntu server.
2. Determine the current operating environment (perform these operations as root)
root@ubuntu:~# cat /etc/issue
Ubuntu 16.04.7 LTS \n \l
root@ubuntu:~# uname -r
4.4.0-186-generic
root@ubuntu:~#
root@ubuntu:~# echo $0
-bash
root@ubuntu:~# bash --version
GNU bash, version 4.3.48(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
root@ubuntu:~#
root@ubuntu:~# openssl version
OpenSSL 1.0.2g 1 Mar 2016
root@ubuntu:~#
root@ubuntu:~# ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g 1 Mar 2016
root@ubuntu:~#
Ubuntu 16.04.7 default environment versions:
Kernel version: Linux 4.4.0-186-generic
Shell: bash 4.3.48(1)-release (x86_64-pc-linux-gnu)
openssl version: OpenSSL 1.0.2g 1 Mar 2016
openssh version: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
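As an added example (not part of the original write-up), the following script parses the version banners collected in step 2 and decides whether OpenSSH and OpenSSL are below the versions the upgrade in this write-up installs (8.8p1 and 1.1.1l). The target values and the banner strings in the live check are assumptions; the comparison is numeric per field so that 7.10 sorts above 7.2.

```shell
#!/bin/sh
# Added example, not part of the original write-up: parse the version banners
# shown in step 2 and decide whether OpenSSH/OpenSSL are below the targets
# that the tarballs in step 4 provide (8.8p1 and 1.1.1l). Targets are assumed.
TARGET_OPENSSH="8.8"
TARGET_OPENSSL="1.1.1"

# openssh_version BANNER: "OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL ..." -> 7.2
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# openssl_version BANNER: "OpenSSL 1.0.2g  1 Mar 2016" -> 1.0.2
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_lt A B: succeeds when dotted version A is strictly lower than B,
# comparing field by field numerically (so 7.10 > 7.2, unlike a string compare).
# A trailing dot is appended so that cut always sees a delimiter.
version_lt() {
    i=1
    while :; do
        x=$(printf '%s.\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s.\n' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all fields equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# needs_upgrade SSH_BANNER SSL_BANNER: prints one line per component that is
# below target (or whose banner could not be parsed); succeeds when an
# upgrade is needed, fails when both are at or above target.
needs_upgrade() {
    rc=1
    cur=$(openssh_version "$1")
    if [ -z "$cur" ]; then
        echo "OpenSSH: could not parse banner '$1'"; rc=0
    elif version_lt "$cur" "$TARGET_OPENSSH"; then
        echo "OpenSSH $cur is below $TARGET_OPENSSH: upgrade"; rc=0
    fi
    cur=$(openssl_version "$2")
    if [ -z "$cur" ]; then
        echo "OpenSSL: could not parse banner '$2'"; rc=0
    elif version_lt "$cur" "$TARGET_OPENSSL"; then
        echo "OpenSSL $cur is below $TARGET_OPENSSL: upgrade"; rc=0
    fi
    return $rc
}

# Live check on the current host ("ssh -V" writes its banner to stderr).
if command -v ssh >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    needs_upgrade "$(ssh -V 2>&1)" "$(openssl version)" \
        || echo "OpenSSH and OpenSSL are at or above target"
fi
```

Run it before the upgrade to confirm the scanner's finding against the installed versions, and again after step 8 to confirm both components now report versions at or above the targets.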
3. Install telnet as a fallback login path (make sure the server has outbound Internet access)
apt-get install openbsd-inetd telnetd telnet
/etc/init.d/openbsd-inetd restart # start the service
netstat -anpt|grep 23 # check that the default telnet port is listening
telnet localhost # test the login
Log out of the SSH session, log in to the server over telnet instead, and change to the directory where the packages were downloaded.
telnet 10.0.0.7
Connecting to 10.0.0.7:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Ubuntu 16.04.7 LTS
ubuntu login: dq
Password:
dq@ubuntu:~$
dq@ubuntu:~$ sudo -i
[sudo] password for dq:
root@ubuntu:~#
root@ubuntu:~# whoami
root
root@ubuntu:~#
4. Download the required packages
Pick a directory on the server to hold the packages for this upgrade, change into it and download the three tarballs in turn:
wget https://www.zlib.net/fossils/zlib-1.2.11.tar.gz
wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1l.tar.gz
wget --no-check-certificate https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
5. Uninstall ssh and install the compilation environment
service ssh stop
service ssh status
apt-get remove openssh-server openssh-client openssh-sftp-server
apt-get install libpam0g-dev -y
apt-get install make -y
apt-get install gcc -y
6. Install the dependency package zlib
tar xzvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib
make
make install
Build the shared library
make clean
./configure --shared
make
make install
cp zutil.h /usr/local/include
cp zutil.c /usr/local/include
7. Upgrade OpenSSL
Go back to the directory where you downloaded the packages and execute the following commands in sequence:
tar zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l
./config shared zlib
make
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ldconfig -v
Check that the upgrade succeeded
openssl version -a
8. Upgrade SSH
service ssh stop
service ssh status
mv /etc/init.d/ssh /etc/init.d/ssh.old
mv /etc/ssh /etc/ssh.old
killall -9 ssh
ps -ef | grep "ssh"
tar xzvf openssh-8.8p1.tar.gz
cd openssh-8.8p1/
./configure --prefix=/usr \
--sysconfdir=/etc/ssh \
--with-md5-passwords \
--with-pam --with-zlib \
--with-ssl-dir=/usr/local \
--with-privsep-path=/var/lib/sshd
make
make install
Check the new ssh version
ssh -V
Restore the configuration file from the old version
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.default
cp /etc/ssh.old/sshd_config /etc/ssh/sshd_config
mv /etc/init.d/ssh.old /etc/init.d/ssh
systemctl unmask ssh
systemctl restart ssh
systemctl status ssh
Look at the status output: the restored sshd_config contains options that the new OpenSSH no longer supports, and those lines must be commented out.
root@ubuntu:~# systemctl status ssh
vim /etc/ssh/sshd_config
Edit the configuration file, comment out the lines that were flagged, then restart the ssh service and check its status again.
root@ubuntu:~# systemctl restart ssh
root@ubuntu:~#
root@ubuntu:~# systemctl status ssh
● ssh.service - LSB: OpenBSD Secure Shell server
Loaded: loaded (/etc/init.d/ssh; bad; vendor preset: enabled)
Active: active (running) since Fri 2022-11-18 11:45:57 HKT; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 31432 ExecStop=/etc/init.d/ssh stop (code=exited, status=0/SUCCESS)
Process: 31444 ExecStart=/etc/init.d/ssh start (code=exited, status=0/SUCCESS)
Main PID: 1228 (code=exited, status=0/SUCCESS)
Tasks: 1
Memory: 552.0K
CPU: 12ms
CGroup: /system.slice/ssh.service
└─31454 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startup
Nov 18 11:45:57 ubuntu systemd[1]: Starting LSB: OpenBSD Secure Shell server...
Nov 18 11:45:57 ubuntu ssh[31444]: * Starting OpenBSD Secure Shell server sshd
Nov 18 11:45:57 ubuntu ssh[31444]: ...done.
Nov 18 11:45:57 ubuntu sshd[31454]: Server listening on 0.0.0.0 port 22.
Nov 18 11:45:57 ubuntu sshd[31454]: Server listening on :: port 22.
Nov 18 11:45:57 ubuntu systemd[1]: Started LSB: OpenBSD Secure Shell server.
After the upgrade completes, sftp connections no longer work!
Solution
vim /etc/ssh/sshd_config
77 #Subsystem sftp /usr/lib/openssh/sftp-server
78 Subsystem sftp internal-sftp
Comment out line 77 and add line 78,
then restart the ssh service
systemctl restart ssh
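The two manual edits in step 8 (commenting out options the new sshd rejects, and repointing the sftp subsystem because the distro's /usr/lib/openssh/sftp-server was removed together with the openssh-sftp-server package) can be applied in one pass. The script below is an added example and not part of the original write-up: it assumes that "sshd -t" and the journal lines shown by "systemctl status ssh" report rejected options as "<file> line <N>: Deprecated option <Name>" or "<file> line <N>: Unsupported option <Name>", comments out exactly those lines, and switches "Subsystem sftp" to the in-process internal-sftp when the configured binary does not exist. The config file and diagnostics in the usage are the real paths from this write-up; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Repairs a restored
# sshd_config after an OpenSSH upgrade: comments out options the new sshd
# reports as deprecated/unsupported and repoints the sftp subsystem.
# Assumed diagnostic format: "<file> line <N>: Deprecated option <Name>"
# and "<file> line <N>: Unsupported option <Name>".

# comment_flagged_lines CONFIG DIAGNOSTICS_FILE
# Prefixes every config line named in the diagnostics with "#", leaving
# lines that are already comments untouched.
comment_flagged_lines() {
    cfg=$1
    diag=$2
    nums=$(sed -n -E 's/^.* line ([0-9]+): (Deprecated|Unsupported) option .*/\1/p' "$diag" \
           | tr '\n' ' ')
    awk -v nums="$nums" '
        BEGIN { n = split(nums, a, " "); for (i = 1; i <= n; i++) flag[a[i]] = 1 }
        (NR in flag) && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# fix_sftp_subsystem CONFIG
# If "Subsystem sftp <path>" points at a binary that is not present (the
# distro sftp-server was removed in step 5), comment that line out and add
# "Subsystem sftp internal-sftp" right after it. Succeeds only when a
# change was made.
fix_sftp_subsystem() {
    cfg=$1
    path=$(awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }' "$cfg")
    if [ -n "$path" ] && [ "$path" != "internal-sftp" ] && [ ! -x "$path" ]; then
        awk '$1 == "Subsystem" && $2 == "sftp" {
                 print "#" $0; print "Subsystem sftp internal-sftp"; next
             }
             { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        return 0
    fi
    return 1
}

# repair_config CONFIG
# Collects the diagnostics from the real sshd, applies both fixes, and
# re-runs the config test so that the final exit status reflects the result.
repair_config() {
    cfg=$1
    diag=$(mktemp)
    sshd -t -f "$cfg" 2> "$diag" || true
    comment_flagged_lines "$cfg" "$diag"
    fix_sftp_subsystem "$cfg" || true
    rm -f "$diag"
    sshd -t -f "$cfg"
}

# Usage on the upgraded host: repair_config /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    cp "$1" "$1.bak-$(date +%Y%m%d%H%M%S)"   # keep a copy before editing
    repair_config "$1"
fi
```

Run it as root with the path to sshd_config as the only argument, then "systemctl restart ssh" as in the write-up; the backup copy lets you diff what was changed.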
9. Use ssh to log in and close the telnet service
/etc/init.d/openbsd-inetd stop
/etc/init.d/openbsd-inetd status
systemctl disable inetd.service
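To confirm that step 9 actually closed the clear-text fallback and that the new sshd is the only remote login service left, the following added example (not from the original write-up) parses the listener table printed by "ss -ltn" and succeeds only when tcp/22 is listening and tcp/23 is not. The column layout assumed is State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port; the sample table in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the original write-up: verify after step 9 that
# sshd listens on tcp/22 and telnet no longer listens on tcp/23.
# Input is the output of "ss -ltn" (assumed columns: State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port).

# listening_ports LISTING: prints the distinct local ports in LISTEN state,
# taking the text after the last colon so that 0.0.0.0:22, *:22 and :::22
# all yield 22.
listening_ports() {
    printf '%s\n' "$1" \
        | awk '$1 == "LISTEN" { n = split($4, p, ":"); print p[n] }' \
        | sort -u
}

# check_listeners LISTING: reports problems on stdout, succeeds only when
# 22 is open and 23 is closed.
check_listeners() {
    ports=$(listening_ports "$1")
    rc=0
    if ! printf '%s\n' "$ports" | grep -qx 22; then
        echo "sshd is not listening on tcp/22"
        rc=1
    fi
    if printf '%s\n' "$ports" | grep -qx 23; then
        echo "telnet is still listening on tcp/23"
        rc=1
    fi
    return $rc
}

# Live check: run with "--live" on the upgraded host.
if [ "${1:-}" = "--live" ]; then
    check_listeners "$(ss -ltn)" && echo "ok: only sshd exposed"
    exit $?
fi
```

Running it with --live right after "systemctl disable inetd.service" gives a clear pass/fail; pair it with "systemctl is-enabled inetd.service" to make sure the telnet listener does not return after a reboot.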