由于管理着两百多台Linux服务器,一个人搞这么多机器的安全加固比较累,因此在学习了shell脚本之后果断的写了一些常用脚本做一些系统日常维护,本文OPENSSH的升级是博主本人几乎每两三个月就要做一次升级的,没办法绿盟安全扫描系统总是扫描到相关的高危漏洞,再就是OPENSSH版本更新的也比较频繁,因此不偷懒几乎没法活了。废话不说了,在这里贴下脚本,已经在线上服务器上执行了上百次了,应该不会有什么问题。
#!/bin/bash ################################################################# ###### update openssl openssh scirpt ######### ##### Author:kl ##### ###### Date:2014/07/13 ##### ###### LastModified:2016/06/02 ####### #### Warning:start telnet service before use the script ##### ################################################################# #################################################################################### # update openssh and openssl ######### ##### ## #################################################################################### #Determine whether the current system installed gcc compiler tools zlib_version="zlib-1.2.8" openssl_version="openssl-1.0.2g" openssh_version="openssh-7.2p2" gcc_path=`which gcc` #gcc_name=`basename $gcc_path` DATE=$(date +%Y%m%d) # OS TYPE #Distributor_ID=$(lsb_release -i) Distributor=`lsb_release -i|cut -c 17-` # Determine whether the root user userid=`id -u` if [ "$userid" -ne 0 ]; then echo "sorry,only root can execute the script. " exit fi # SET SELINUX=disabled if [ "$Distributor" != "SUSE LINUX" ]; then sed -i ‘/SELINUX/s/enforcing/disabled/‘ /etc/selinux/config setenforce 0 fi # pam-devel,tcp_wrappers-devel need be installed, Otherwise, the software will install failure # Support for tcpwrappers/libwrap has been removed in openssh6.7 if ! rpm -qa|grep pam-devel &>/dev/null; then echo "pam-devel is not installed" && exit fi #if ! rpm -qa|grep tcp_wrappers-devel &>/dev/null; then # echo "tcp_wrappers-devel not installed" && exit #fi # Check whether to open the telnet service netstat -tnlp | grep -w 23 RETVAL3=$? if [ $RETVAL3 -eq 0 ]; then echo "telnet service is running------------[yes]" else echo "telnet service is not running--------[no]" exit fi # Determine whether to install gcc package if [ -e "$gcc_path" ]; then echo "gcc is installed----------------[yes]" else echo "gcc is not installed------------[no]" exit fi # stop sshd service netstat -tnlp | grep -w 22 RETVAL4=$? if [ $RETVAL4 -eq 0 ]; then service sshd stop echo "stop sshd service --------------[yes]" fi if [ -e /etc/init.d/sshd ]; then cp /etc/init.d/sshd /root fi # remove openssh*.rpm if exists if rpm -qa | grep openssh &> /dev/null; then rpm -qa | grep openssh > openssh_list.txt while read line do rpm -e $line --nodeps echo "remove $line success------------[yes]" done < openssh_list.txt fi ###########install zlib ################## tar -zxvf "${zlib_version}.tar.gz" > /dev/null cd $zlib_version ./configure RETVAL5=$? if [ $RETVAL5 -ne 0 ]; then echo "Configure zlib has encountered an error" exit fi make RETVAL6=$? if [ $RETVAL6 -ne 0 ]; then echo "make zlib has encountered an error" exit fi make install cd .. echo "#########################################################" echo "################ #################" echo "################ zlib install success #################" echo "################ #################" echo "#########################################################" sleep 2 ########## install openssl ############# tar -zxvf "${openssl_version}.tar.gz" > /dev/null cd $openssl_version ./config shared zlib RETVAL7=$? if [ $RETVAL7 -ne 0 ]; then echo "Configure openssl has encountered an error" exit fi make RETVAL8=$? if [ $RETVAL8 -ne 0 ]; then echo "make openssl has encountered an error" exit fi make install if [ -e /usr/bin/openssl ]; then mv /usr/bin/openssl /usr/bin/openssl.OFF && ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl else ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl fi if [ -e /usr/include/openssl ]; then mv /usr/include/openssl /usr/include/openssl.OFF && ln -s /usr/local/ssl/include/openssl /usr/include/openssl else ln -s /usr/local/ssl/include/openssl /usr/include/openssl fi ## Add "/usr/local/ssl/lib" to /etc/ld.so.conf ssl_lib=`grep -w "/usr/local/ssl/lib" /etc/ld.so.conf` if [ ! -e "$ssl_lib" ]; then echo "/usr/local/ssl/lib" >> /etc/ld.so.conf fi ldconfig -v cd .. echo "#########################################################" echo "################ #################" echo "################ openssl install sucess ################" echo "################ #################" echo "#########################################################" sleep 2 ############# install openssh ############## if [ -e /etc/ssh ]; then mv /etc/ssh /etc/ssh_$DATE fi tar -zxvf "${openssh_version}.tar.gz" > /dev/null cd $openssh_version ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam --with-ssl-dir=/usr/local/ssl --with-md5-passwords RETVAL9=$? if [ $RETVAL9 -ne 0 ]; then echo "Configure openssh has encountered an error" exit fi make RETVAL10=$? if [ $RETVAL10 -ne 0 -a $RETVAL10 -ne 0 ]; then echo "make openssh has encountered an error" exit fi make install if [ "$Distributor" == "SUSE LINUX" ]; then cd contrib/suse cp rc.sshd /etc/init.d/sshd chmod +x /etc/init.d/sshd chkconfig --add sshd else cd contrib/redhat cp sshd.init /etc/init.d/sshd chmod +x /etc/init.d/sshd chkconfig --add sshd fi #A generic PAM configuration is included as "contrib/sshd.pam.generic", #you may need to edit it before using it on your system. cd .. cp sshd.pam.generic /etc/pam.d/sshd sed -i ‘s/\/lib\/security\///g‘ /etc/pam.d/sshd # Modify /etc/ssh/sshd_config # Backup /etc/ssh/sshd_config cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak # The default set of ciphers and MACs has been altered to # remove unsafe algorithms. In particular, CBC ciphers and arcfour* # are disabled by default. # Changes since OpenSSH 6.6 echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org" >> /etc/ssh/sshd_config echo "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc" >> /etc/ssh/sshd_config echo "MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96" >> /etc/ssh/sshd_config # Disable root access via ssh to server #* The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password". #* PermitRootLogin=without-password/prohibit-password now bans all #interactive authentication methods, allowing only public-key, #hostbased and GSSAPI authentication (previously it permitted #keyboard-interactive and password-less authentication if those #were enabled). #PermitRootLogin prohibit-password is the default since version 7.0p1 sed -i ‘s/^#PermitRootLogin/PermitRootLogin/‘ /etc/ssh/sshd_config #sed -i ‘/PermitRootLogin/s/yes/no/‘ /etc/ssh/sshd_config sed -i ‘/PermitRootLogin/s/prohibit-password/no/‘ /etc/ssh/sshd_config # Set ‘UsePAM no‘ to ‘UsePAM yes‘ to enable PAM authentication, account processing, # and session processing sed -i ‘/^#UsePAM no/a UsePAM yes‘ /etc/ssh/sshd_config # Start sshd process service sshd start # Disable telnet service if netstat -tnlp | grep -w 22 &> /dev/null; then sed -i ‘/disable/s/no/yes/‘ /etc/xinetd.d/telnet service xinetd restart fi echo "#########################################################" echo "################ #################" echo "################ openssh install sucess ################" echo "################ #################" echo "#########################################################" echo "############### ssh version ################################################# " echo "################################################################################### " sshd -v echo "#################################################################################### " echo "#################################################################################### "
本文出自 “明镜亦非台” 博客,请务必保留此出处http://kk876435928.blog.51cto.com/3530246/1813925
原文地址:http://kk876435928.blog.51cto.com/3530246/1813925