系统加固列表文档
1、 openssl
当前版本:OpenSSL 1.0.2k-fips
升级后的版本:OpenSSL-1.1.1
2、 openssh
当前版本:OpenSSH_7.4p1, OpenSSL 1.0.2k-fips
升级后的版本:OpenSSH_8.4p1, OpenSSL 1.1.1h
下载路径: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
虚拟机环境测试可用:
]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-deve
]# yum install -y pam* zlib*
安装 openssl
备份原来的openssl
]# mv /usr/bin/openssl /usr/bin/openssl_bak
]# mv /usr/include/openssl /usr/include/openssl_bak
]# tar -xzf openssl-1.1.1h.tar.gz && cd openssl-1.1.1h && ./config --prefix=/usr/local/openssl --shared && make && make install
]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
]# `echo "/usr/local/openssl/lib" >>/etc/ld.so.conf`
]# ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
]# ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
]# ldconfig
]# openssl version
OpenSSL 1.1.1h 22 Sep 2020
安装openssh
]# 安装openssh前 将openssl 安装到/usr/local/openssl
备份原来的 ssh配置
]# cd /etc/ssh && mkdir –p /root/sshbak && mv ./* /root/sshbak
]# cd /data/openssh-8.4p1
]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam
]# make && make install
]# mv /usr/bin/ssh /usr/bin/ssh-bak20201108
]# ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
]# chmod +x /etc/init.d/sshd
]# chkconfig --add sshd && systemctl enable sshd
]# mv /usr/lib/systemd/system/sshd.service /data/
]# chkconfig sshd on
]#ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
网友评论