## **CentOS 7.6升級OpenSSH修復CVE-2023-38408漏洞** ### **步驟 1：配置Telnet服務，防止升級失敗進不去系統** （1）關閉firewalld和SELinux ``` setenforce 0 sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config cat /etc/selinux/config systemctl stop firewalld.service systemctl disable firewalld.service # 恢復 SELinux sed -i "s/SELINUX=disabled/SELINUX=enforcing/g" /etc/selinux/config setenforce 1 systemctl enable firewalld systemctl start firewalld ``` （2）安裝Telnet服務端： ``` yum -y install xinetd telnet-server ``` （3）允許root用戶登錄： ``` echo -e "pts/0\npts/1\npts/2\npts/3\npts/4\npts/5" >> /etc/securetty tail -6 /etc/securetty ``` （4）修改Telnet默認TCP/23端口： ``` grep -w "^telnet" /etc/services sed -i "s#23/tcp#23023/tcp#" /etc/services sed -i "s#23/udp#23023/udp#" /etc/services grep -w "^telnet" /etc/services #結果 #telnet 23023/tcp #telnet 23023/udp grep -w "^ListenStream" /usr/lib/systemd/system/telnet.socket sed -i "s/ListenStream=23/ListenStream=23023/" /usr/lib/systemd/system/telnet.socket grep -w "^ListenStream" /usr/lib/systemd/system/telnet.socket #結果 #ListenStream=23023 ``` （5）啟動服務： ``` systemctl start xinetd systemctl enable xinetd systemctl start telnet.socket systemctl enable telnet.socket ss -tunlp | grep 23023 ``` （6）測試： 如果還沒安裝telnet客戶端的 ``` yum -y install telnet -y ``` 連接，輸入賬號密碼登陸成功 ``` telnet 127.0.0.1 23023 ``` ### **步驟 2：升級OpenSSH** （1）備份數據： ``` cd /etc/ssh cp sshd_config{,.bak} cd /etc/pam.d cp sshd{,.bak} #避免后續編譯安裝出現沒權限 chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key ``` （2）安裝依賴軟件包： ``` yum -y install gcc gcc-c++ zlib-devel openssl-devel pam-devel ``` （3）卸載舊版本，編譯安裝新版本OpenSSH： ``` rpm -qa | grep openssh rpm -e --nodeps `rpm -qa | grep openssh` ``` （4）下載、編譯、安裝： 直接阿里云下載源 https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/ ``` wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz tar -xf openssh-9.5p1.tar.gz -C /usr/src cd /usr/src/openssh-9.5p1 ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam --with-ssl-dir=/usr/local/ssl echo $? make -j $(awk '/processor/{i++}END{print i}' /proc/cpuinfo) echo $? make install echo $? ``` （5）復制配置文件并授權： ``` cp -a contrib/redhat/sshd.init /etc/init.d/sshd chmod u+x /etc/init.d/sshd ``` （6）復制配置文件并授權： ``` cd /etc/ssh mv -f sshd_config.bak sshd_config cd /etc/pam.d mv -f sshd.bak sshd ``` （7）允許root用戶遠程登錄： ``` sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config ``` （8）設置開機自啟： ``` chkconfig --add sshd chkconfig sshd on chkconfig --list ``` （9）重啟SSH： ``` systemctl restart sshd ``` （10）版本驗證： ``` [root@VM-12-6-centos ~]# ssh -V OpenSSH_9.5p1, OpenSSL 3.1.3 19 Sep 2023 ```