使用说明:
centos7.9的openssh漏洞修复脚本,天天让我修漏洞
此脚本适用于只有本地 ISO yum 源的内网环境:先把 ISO 挂上,确保系统光盘已插入或 ISO 镜像已挂载
将脚本保存为 ssh_upgrade.sh
上传两个源码包到 /usr/local/src/ 目录:
openssl-1.1.1w.tar.gz
openssh-9.9p2.tar.gz
给脚本添加执行权限:chmod +x ssh_upgrade.sh
执行脚本:./ssh_upgrade.sh
注意事项:
脚本是在 Windows 下编写的,执行前先转换 '\r' 行尾格式: sed -i 's/\r$//' ssh_upgrade.sh
建议在物理控制台或通过 nohup 方式执行,避免脚本重启 sshd 时 SSH 连接中断导致执行中途终止
脚本执行完成后请验证SSH连接是否正常
如果遇到问题,可以查看备份文件在 /root/ssh_backup/ 目录
确保系统光盘已插入或ISO镜像已挂载到/dev/sr0
此脚本会把 /etc/yum.repos.d/ 下原有的配置移动到 bak/ 子目录备份,只留下 local.repo
要重新执行脚本,只需删除标记文件:
rm -f /root/.ssh_upgrade_completed /root/.ssh_upgrade_started
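#!/bin/bash
# Offline OpenSSL 1.1.1w + OpenSSH 9.9p2 source upgrade for CentOS 7.9.
#
# Requirements: run as root, the CentOS install media attached as /dev/sr0
# (it becomes the only yum repo), and the two tarballs in /usr/local/src.
# Every step that could leave the host without a working sshd is checked
# explicitly: the stock binaries are only swapped after the new ones are
# built and installed, and sshd is only restarted after it validated the
# new config.  Re-run after removing both marker files (see the end).
set -u

readonly SRC_DIR=/usr/local/src
readonly OPENSSL_NAME=openssl-1.1.1w
readonly OPENSSH_NAME=openssh-9.9p2
readonly OPENSSL_PREFIX=/usr/local/openssl
readonly OPENSSH_PREFIX="/usr/local/${OPENSSH_NAME}"
readonly BACKUP_DIR=/root/ssh_backup
readonly REPO_DIR=/etc/yum.repos.d
readonly START_MARK=/root/.ssh_upgrade_started
readonly DONE_MARK=/root/.ssh_upgrade_completed
readonly SSHD_CONFIG=/etc/ssh/sshd_config

#######################################
# Print an error to stderr and stop the script.
# Aborting early is the point: continuing after a failed build would
# symlink /usr/sbin/sshd to a binary that does not exist and then restart
# the service, locking everyone out.
# Arguments: $* - message (printed after the "错误:" prefix)
#######################################
die() {
  printf '错误:%s\n' "$*" >&2
  exit 1
}

#######################################
# Verify a source tarball against a sidecar "<tarball>.sha256" file in
# sha256sum -c format, when one was uploaded next to it.  The expected
# digest is the one published by the upstream project; offline this is the
# only integrity check available for the code we are about to build as root.
# Arguments: $1 - tarball file name (relative to the current directory)
#######################################
verify_tarball() {
  local tarball=$1
  if [[ -f "${tarball}.sha256" ]]; then
    sha256sum -c -- "${tarball}.sha256" || die "${tarball} 校验失败"
  else
    echo "提示:未找到 ${tarball}.sha256,跳过源码包校验"
  fi
}

# Skip when a previous run already completed; remove the marker to re-run.
if [[ -f "$DONE_MARK" ]]; then
  echo "检测到之前已经完成SSH升级,跳过执行。"
  echo "如需重新执行,请删除 /root/.ssh_upgrade_completed 文件"
  exit 0
fi

# Everything below writes to /etc, /usr and /root.
[[ $EUID -eq 0 ]] || die "此脚本需要以 root 身份执行"

echo "开始执行SSH升级脚本..."
date > "$START_MARK"

# Mount the install media on /mnt; the local yum repo below points there.
if ! mountpoint -q /mnt; then
  echo "挂载光盘..."
  mount /dev/sr0 /mnt || die "挂载 /dev/sr0 到 /mnt 失败,请确认光盘或ISO已连接"
else
  echo "光盘已经挂载,跳过挂载步骤"
fi

# Replace the repo configuration with a single file:// repo on the media so
# yum does not stall on unreachable mirrors.  Existing repo files are moved
# to REPO_DIR/bak, never deleted.
if [[ ! -f "$REPO_DIR/local.repo" ]]; then
  echo "创建本地yum源配置..."
  mkdir -p "$REPO_DIR/bak" || die "无法创建 $REPO_DIR/bak"
  shopt -s nullglob
  for repo_entry in "$REPO_DIR"/*; do
    # the backup directory itself must not be moved into itself
    [[ "$repo_entry" == "$REPO_DIR/bak" ]] && continue
    mv -- "$repo_entry" "$REPO_DIR/bak/" || die "移动 $repo_entry 到 $REPO_DIR/bak 失败"
  done
  shopt -u nullglob
  # gpgcheck=0 mirrors the original setup; if the media carries the CentOS
  # signing key it can be raised to gpgcheck=1 with a gpgkey=file:///mnt/...
  # line, which is the stronger choice.
  cat > "$REPO_DIR/local.repo" << 'EOF'
[local]
name=local
baseurl=file:///mnt
enabled=1
gpgcheck=0
EOF
  yum makecache || die "yum makecache 失败,请确认 /mnt 下是光盘内容"
else
  echo "yum源配置已存在,跳过创建"
fi

# Keep a rollback copy of the current ssh configuration, host keys and
# sysconfig file.  -a preserves the 600 mode of the private host keys; the
# directory itself is root-only for the same reason.
if [[ ! -d "$BACKUP_DIR" ]]; then
  echo "创建SSH备份目录..."
  mkdir -p "$BACKUP_DIR" || die "无法创建 $BACKUP_DIR"
  chmod 700 "$BACKUP_DIR"
  cp -a /etc/ssh/. "$BACKUP_DIR/" || die "备份 /etc/ssh 失败"
  cp -a /etc/sysconfig/sshd "$BACKUP_DIR/" || die "备份 /etc/sysconfig/sshd 失败"
else
  echo "SSH备份目录已存在,跳过创建"
fi

echo "安装编译依赖..."
# tcp_wrappers-devel is not needed: OpenSSH dropped tcp_wrappers support
# in 6.7, so 9.9p2 would not link against it anyway.
yum install -y gcc make zlib-devel perl pam-devel || die "安装编译依赖失败"

cd "$SRC_DIR" || die "无法进入 $SRC_DIR"

# Fail before building anything if a tarball is missing.
[[ -f "${OPENSSL_NAME}.tar.gz" ]] || die "${OPENSSL_NAME}.tar.gz 文件不存在"
[[ -f "${OPENSSH_NAME}.tar.gz" ]] || die "${OPENSSH_NAME}.tar.gz 文件不存在"

# --- OpenSSL -------------------------------------------------------------
if openssl version 2>/dev/null | grep -q "1.1.1w"; then
  echo "OpenSSL 1.1.1w 已经安装,跳过OpenSSL升级"
else
  echo "升级OpenSSL..."
  verify_tarball "${OPENSSL_NAME}.tar.gz"
  tar -zxf "${OPENSSL_NAME}.tar.gz" || die "解压 ${OPENSSL_NAME}.tar.gz 失败"
  cd "$SRC_DIR/$OPENSSL_NAME" || die "无法进入 $SRC_DIR/$OPENSSL_NAME"
  ./config --prefix="$OPENSSL_PREFIX" --openssldir="$OPENSSL_PREFIX" shared zlib \
    || die "OpenSSL configure 失败"
  make -j"$(nproc)" || die "OpenSSL 编译失败"
  make install || die "OpenSSL 安装失败"
  # Register the new libssl/libcrypto with the dynamic linker.  The system
  # OpenSSL 1.0.2 libraries keep their own soname, so nothing already linked
  # against them changes.
  echo "$OPENSSL_PREFIX/lib" > /etc/ld.so.conf.d/openssl.conf
  ldconfig
  [[ -x "$OPENSSL_PREFIX/bin/openssl" ]] || die "未找到 $OPENSSL_PREFIX/bin/openssl"
  # Only move a real binary aside; a symlink left by an earlier partial run
  # must not overwrite the saved original.
  if [[ -f /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
    mv /usr/bin/openssl /usr/bin/openssl.old
  fi
  ln -sf "$OPENSSL_PREFIX/bin/openssl" /usr/bin/openssl
  echo "OpenSSL版本信息:"
  openssl version
  cd "$SRC_DIR" || die "无法进入 $SRC_DIR"
fi

# --- OpenSSH -------------------------------------------------------------
if ssh -V 2>&1 | grep -q "9.9p2"; then
  echo "OpenSSH 9.9p2 已经安装,跳过OpenSSH升级"
else
  echo "安装OpenSSH..."
  verify_tarball "${OPENSSH_NAME}.tar.gz"
  tar -zxf "${OPENSSH_NAME}.tar.gz" || die "解压 ${OPENSSH_NAME}.tar.gz 失败"
  cd "$SRC_DIR/$OPENSSH_NAME" || die "无法进入 $SRC_DIR/$OPENSSH_NAME"
  # The prefix is baked into sshd (it locates its helper binaries there), so
  # it must match the ExecStart path written into the unit file below.
  ./configure \
    --prefix="$OPENSSH_PREFIX" \
    --sysconfdir=/etc/ssh \
    --with-ssl-dir="$OPENSSL_PREFIX" \
    --with-zlib \
    --with-pam \
    --with-md5-passwords \
    || die "OpenSSH configure 失败"
  make -j"$(nproc)" || die "OpenSSH 编译失败"
  make install || die "OpenSSH 安装失败"
  # Swap the system binaries only once the new sshd is really there.
  [[ -x "$OPENSSH_PREFIX/sbin/sshd" ]] || die "未找到 $OPENSSH_PREFIX/sbin/sshd,不替换系统sshd"
  if [[ -f /usr/sbin/sshd && ! -L /usr/sbin/sshd ]]; then
    mv /usr/sbin/sshd /usr/sbin/sshd.old
  fi
  ln -sf "$OPENSSH_PREFIX/sbin/sshd" /usr/sbin/sshd
  if [[ -f /usr/bin/ssh && ! -L /usr/bin/ssh ]]; then
    mv /usr/bin/ssh /usr/bin/ssh.old
  fi
  ln -sf "$OPENSSH_PREFIX/bin/ssh" /usr/bin/ssh
  cd "$SRC_DIR" || die "无法进入 $SRC_DIR"
fi

# --- Host keys -------------------------------------------------------------
echo "修复密钥权限..."
# Generate any missing host keys first (with the new ssh-keygen when it is
# installed), then make sure every private host key is readable by root only.
keygen="$OPENSSH_PREFIX/bin/ssh-keygen"
[[ -x "$keygen" ]] || keygen=ssh-keygen
"$keygen" -A || die "生成主机密钥失败"
chmod 600 /etc/ssh/ssh_host_*_key

# --- PAM -------------------------------------------------------------------
echo "更新PAM配置..."
sed -i 's@/usr/sbin/sshd@/usr/local/openssh-9.9p2/sbin/sshd@g' /etc/pam.d/sshd

# --- systemd unit ------------------------------------------------------------
echo "创建systemd服务文件..."
# Type=simple: the self-built sshd does not send sd_notify, and CentOS 7's
# systemd (v219) does not know Type=exec.  $OPTIONS and $MAINPID are escaped
# so systemd, not this shell, expands them.
cat > /usr/lib/systemd/system/sshd.service << EOF
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=${OPENSSH_PREFIX}/sbin/sshd -D \$OPTIONS
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=process
Restart=on-failure
RestartSec=3s

[Install]
WantedBy=multi-user.target
EOF

# --- sshd_config -------------------------------------------------------------
# The first run keeps the pre-upgrade config as sshd_config.bak; later runs
# do not overwrite that rollback copy with the generated one.
if [[ ! -f "${SSHD_CONFIG}.bak" ]]; then
  echo "备份SSH配置..."
  cp -p "$SSHD_CONFIG" "${SSHD_CONFIG}.bak" || die "备份 $SSHD_CONFIG 失败"
fi
echo "创建新的SSH配置..."
# UsePAM yes is required for the --with-pam build and the /etc/pam.d/sshd
# edit above to have any effect; the sftp subsystem points at the binary
# installed with this sshd rather than the stock package's copy.
cat > "$SSHD_CONFIG" << EOF
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
LogLevel INFO
# "yes" keeps the existing root login workflow; "prohibit-password" is the
# stronger setting once root has an authorized key or a non-root admin exists.
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
UseDNS no
Subsystem sftp ${OPENSSH_PREFIX}/libexec/sftp-server
EOF

# Validate the config with the sshd that will run it before touching the
# service.  On failure restore the rollback copy so the running sshd (and any
# later restart) keeps a known-good config.
if ! "$OPENSSH_PREFIX/sbin/sshd" -t -f "$SSHD_CONFIG"; then
  cp -p "${SSHD_CONFIG}.bak" "$SSHD_CONFIG"
  die "新的 sshd_config 校验失败,已恢复 ${SSHD_CONFIG}.bak,未重启服务"
fi

# --- Restart and verify ----------------------------------------------------
echo "重载系统配置并重启服务..."
systemctl daemon-reload
systemctl restart sshd \
  || die "sshd 重启失败,请在控制台执行 journalctl -u sshd 检查,备份位于 $BACKUP_DIR"
systemctl is-active --quiet sshd \
  || die "sshd 未处于运行状态,请在控制台执行 journalctl -u sshd 检查,备份位于 $BACKUP_DIR"

echo "OpenSSH版本信息:"
ssh -V
echo "OpenSSL版本信息:"
openssl version

# Mark the run as complete only after the service is confirmed up.
date > "$DONE_MARK"
echo "升级完成,请验证SSH连接是否正常"
echo "如需重新执行脚本,请删除标记文件: rm -f /root/.ssh_upgrade_completed /root/.ssh_upgrade_started"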