2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
How do you upgrade OpenSSH to 7.5p1 on Red Hat Linux 6.5? Many people with little experience do not know where to start, so this article summarizes the reasons for the problem and its solution. I hope it helps you solve it.
When hardening a Linux system, the OpenSSH service is usually upgraded to the latest version to improve the security of remote connections.
According to the official website, OpenSSH versions below 7.4 have serious vulnerabilities, for example:
1. OpenSSH remote privilege escalation vulnerability (CVE-2016-10010)
2. OpenSSH J-PAKE authorization problem vulnerability (CVE-2010-4478)
3. OpenSSH MaxAuthTries restriction bypass vulnerability (CVE-2015-5600)
If OpenSSL is already >= 1.0.1, OpenSSL does not need to be upgraded and OpenSSH can be upgraded directly.
What to know before upgrading:
Check the official OpenSSH website for the latest version and its requirements for the system kernel and other dependent components.
Then back up the existing OpenSSH files on the system in case the upgrade fails. Following the instructions, upgrade the dependent components first.
Finally, upgrade OpenSSH and verify it.
The latest version of OpenSSH is OpenSSH 8.0, released on April 17, 2019.
I. Preparation
Open two or more shell connections first, because if the upgrade fails part-way you will not be able to open a new shell connection; alternatively, enable a telnet service.
Note the path of sshd.pid before installing, because the sshd startup script will change it.
Download the openssl-1.0.2l.tar.gz and openssh-7.5p1.tar.gz packages and transfer them to the server.
Uninstall the existing OpenSSH version: rpm -e `rpm -qa | grep openssh`
Delete all files under /etc/ssh/. Files under this path are not removed when openssh is uninstalled, so you need to delete them manually.
II. Specific steps
1. Install the dependency packages: yum -y install gcc libcap libcap-devel glibc-devel
2. Upgrade OpenSSL
tar zxvf /tmp/openssl-1.0.2l.tar.gz -C /tmp
cd /tmp/openssl-1.0.2l
./config --prefix=/usr --shared
Note: be sure to add the --shared option, otherwise openssh will not find the libraries of the newly installed openssl when compiling and will report an error that the OpenSSL header and library versions do not match.
make
make install
3. Upgrade OpenSSH
tar zxf /tmp/openssh-7.5p1.tar.gz -C /tmp
cd /tmp/openssh-7.5p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make
make install
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
service sshd restart
4. Verification
[root@localhost]# ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2l 29 May 2019
Note:
The installation directory is /usr because the startup script contains the path to sshd, which defaults to the path used by the Red Hat startup script.
It can be modified in the configuration file /etc/ssh/sshd_config.
III. Hardening
Modify hosts.allow and hosts.deny
Take as an example allowing ssh from 192.168.220.1 and telnet from the 192.168.220 network segment. The content added to /etc/hosts.allow is as follows:
Edit the /etc/hosts.deny file
Restart the ssh and telnet services after saving the files in the editor (optional)
Note:
1. When a connection request arrives from an IP, Linux first checks whether it is allowed in /etc/hosts.allow; if so, it is let through directly. If not, it checks whether it is forbidden in /etc/hosts.deny; if so, the connection is refused.
2. Changes to /etc/hosts.allow and /etc/hosts.deny take effect immediately without a restart, but existing sessions are not affected whether or not the service is restarted; that is, an IP that was already connected is not forcibly disconnected even after it has been configured to be denied. However, I do not know whether this is the same on all Linux systems, so the fourth step is marked as optional.
3. Online I found that some tutorials write in.sshd instead of sshd and telnetd instead of in.telnetd. Personally, I think services started standalone should not have the in. prefix, and services hosted by xinetd should have it.
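To make the evaluation order in notes 1 and 2 concrete, here is an added example (not code from the original article) that simulates the decision for one daemon/client pair against a constructed hosts.allow and hosts.deny. Only the "daemon_list : client_list" form with ALL and dotted network prefixes such as 192.168.220. is handled; the rule lines and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: simulate the decision the
# notes describe, in the order tcp_wrappers uses: a hosts.allow match grants,
# otherwise a hosts.deny match refuses, otherwise the connection is allowed.
# Only "daemon_list : client_list" rules with ALL and dotted network prefixes
# (e.g. 192.168.220.) are handled; the sample rules below are constructed.

# list_match LIST VALUE: LIST is comma or space separated; ALL matches
# anything, a token ending in "." is a network prefix, others match exactly.
list_match() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            ALL) return 0 ;;
            *.)  case $2 in "$tok"*) return 0 ;; esac ;;
            *)   [ "$tok" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# wrapper_match FILE DAEMON IP: return 0 if any rule line in FILE matches.
wrapper_match() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        list_match "${line%%:*}" "$2" && list_match "${line#*:}" "$3" && return 0
    done < "$1"
    return 1
}

# access_decision ALLOWFILE DENYFILE DAEMON IP: print the outcome and which
# file decided it; return 0 for allow, 1 for deny.
access_decision() {
    if wrapper_match "$1" "$3" "$4"; then echo "allow $3 from $4 (hosts.allow)"; return 0; fi
    if wrapper_match "$2" "$3" "$4"; then echo "deny $3 from $4 (hosts.deny)"; return 1; fi
    echo "allow $3 from $4 (no rule matched, default allow)"
}

allow=$(mktemp) deny=$(mktemp)
printf '%s\n' '# constructed sample hosts.allow' \
    'sshd: 192.168.220.1' 'in.telnetd: 192.168.220.' > "$allow"
printf '%s\n' 'ALL: ALL' > "$deny"       # constructed sample hosts.deny
access_decision "$allow" "$deny" sshd 192.168.220.1          # allow
access_decision "$allow" "$deny" sshd 192.168.220.7 || true  # deny
: > "$deny"                                                   # empty hosts.deny
access_decision "$allow" "$deny" sshd 10.0.0.5               # default allow
rm -f "$allow" "$deny"
```

The last call shows why a final "ALL: ALL" in hosts.deny matters: with an empty hosts.deny, any client not listed in hosts.allow is still let through.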
IV. Other
1. If an unexpected interruption occurs during the upgrade, telnet can be enabled as a fallback.
Enable:
sed -i "s/yes/no/g" /etc/xinetd.d/telnet
service xinetd restart
mv /etc/securetty /etc/securettyBAK
Disable:
sed -i "s/no/yes/g" /etc/xinetd.d/telnet
service xinetd stop
mv /etc/securettyBAK /etc/securetty
2. Hardening the ssh configuration after the upgrade
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
Find the line #Port 22. It indicates that port 22 is used by default; it can be changed to another port.
echo "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc" >> /etc/ssh/sshd_config
service sshd restart
3. If you cannot log in to the system with a password after a successful upgrade
Cause analysis:
1. The configuration file has not been modified, and the default configuration of OpenSSH 7.5 does not allow logging in as root.
2. The PAM configuration file is incorrect or missing.
3. The PAM option is not enabled in the configuration file: UsePAM
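A check that ties together the hardening step in 2 and the login-failure causes in 3, added here as an example and not code from the original article: it audits an sshd_config for PermitRootLogin, UsePAM and the legacy ciphers the appended Ciphers line turns back on. sshd uses the first active value of a keyword, so a value appended with echo >> only takes effect if no earlier uncommented line already sets it; the audit applies that same rule (Match blocks are not handled, and the sample config is constructed).

```shell
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config for
# the settings the hardening and troubleshooting steps touch. sshd uses the
# FIRST active value of a keyword, so a line appended with "echo >>" only
# takes effect if no earlier uncommented line sets that keyword; this audit
# applies the same first-match rule. (Match blocks are not handled.)

# Legacy algorithms the appended Ciphers line re-enables; flagged as weak here.
WEAK_CIPHERS="arcfour arcfour128 arcfour256 3des-cbc blowfish-cbc cast128-cbc"

# sshd_effective FILE KEYWORD: print the value sshd would use (first match,
# keyword compared case-insensitively, comments and blank lines ignored).
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE: print one FAIL line per finding; return 0 if clean.
audit_sshd_config() {
    cfg=$1 rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$root" = "no" ] ||
        { echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1; }
    pam=$(sshd_effective "$cfg" UsePAM)
    [ "$pam" = "yes" ] ||
        { echo "FAIL UsePAM is '${pam:-unset}', expected 'yes'"; rc=1; }
    ciphers=$(sshd_effective "$cfg" Ciphers)
    for c in $WEAK_CIPHERS; do
        case ",$ciphers," in
            *",$c,"*) echo "FAIL weak cipher enabled: $c"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: an earlier active PermitRootLogin line that silently
# overrides the appended "no", plus part of the article's legacy Ciphers line.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
PermitRootLogin yes
UsePAM yes
PermitRootLogin no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour
EOF
audit_sshd_config "$demo_cfg" || echo "sshd_config needs attention"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config after the restart; a clean result returns 0, which makes it easy to wire into a post-upgrade check.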
After reading the above, have you learned how to upgrade OpenSSH to 7.5p1 on Red Hat Linux 6.5? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!