CVE-2023-38408修复,Centos 一键联网更新OpenSSH_9.4p1,OpenSSL 1.1.1s (附脚本)

项目一直被扫漏洞，openssh的一大堆，甚至包括了最新的CVE-2023-38408，只能把openssh升级到9.4版本。github找到个开源的脚本是旧的，稍微修改了一下。

升级脚本

#!/bin/bash
clear
export LANG="en_US.UTF-8"

#update.fix.2023-09-05
#脚本变量
DATE=`date "+%Y%m%d"`
PREFIX="/usr/local"
PERL_VERSION="5.37.5"
OPENSSL_VERSION="openssl-1.1.1s"
OPENSSH_VERSION="openssh-9.4p1"
DROPBEAR_VERSION="dropbear-2022.83"
PERL_DOWNLOAD="https://www.cpan.org/src/5.0/perl-$PERL_VERSION.tar.gz"
OPENSSL_DOWNLOAD="https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz"
#https://mirrors.aliyun.com/openssh/portable/openssh-9.1p1.tar.gz
#OPENSSH_DOWNLOAD="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/$OPENSSH_VERSION.tar.gz"
OPENSSH_DOWNLOAD="https://mirrors.aliyun.com/openssh/portable/$OPENSSH_VERSION.tar.gz"
DROPBEAR_DOWNLOAD="https://matt.ucc.asn.au/dropbear/releases/$DROPBEAR_VERSION.tar.bz2"
DROPBEAR_PORT="6666"
OPENSSH_RPM_INSTALLED=$(rpm -qa | grep ^openssh | wc -l)
SYSTEM_VERSION=$(cat /etc/redhat-release | sed -r 's/.* ([0-9]+)\..*/\1/')

#检查用户
if [ $(id -u) != 0 ]; then
echo -e "必须使用Root用户运行脚本" "\033[31m Failure\033[0m"
echo ""
exit
fi

#检查系统
if [ ! -e /etc/redhat-release ] || [ "$SYSTEM_VERSION" == "3" ] || [ "$SYSTEM_VERSION" == "4" ];then
clear
echo -e "脚本仅适用于RHEL和CentOS操作系统5.x-8.x版本" "\033[31m Failure\033[0m"
echo ""
exit
fi

#使用说明
echo -e "\033[33m一键升级OpenSSH\033[0m"
echo ""
echo "脚本仅适用于RHEL和CentOS操作系统5.X-8.X版本"
echo "建议先临时安装DropbearSSH，再开始升级OpenSSH"
echo "旧版本OpenSSH备份在/tmp/openssh_bak_$DATE"
echo ""

#安装Dropbear
function INSTALL_DROPBEAR() {
echo -e "\033[33m正在安装DropBearSSH\033[0m"
echo ""

#安装依赖包
yum -y install gcc bzip2 wget make > /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "安装依赖包成功" "\033[32m Success\033[0m"
else
echo -e "安装依赖包失败" "\033[31m Failure\033[0m"
echo ""
exit
fi
echo ""

#解压源码包
cd /tmp
wget --no-check-certificate $DROPBEAR_DOWNLOAD > /dev/null 2>&1
tar xjf $DROPBEAR_VERSION.tar.bz2 > /dev/null 2>&1
if [ -d /tmp/$DROPBEAR_VERSION ];then
echo -e "解压源码包成功" "\033[32m Success\033[0m"
else
echo -e "解压源码包失败" "\033[31m Failure\033[0m"
echo ""
exit
fi
echo ""

#安装Dropbear
cd /tmp/$DROPBEAR_VERSION
./configure --disable-zlib > /dev/null 2>&1
if [ $? -eq 0 ];then
make > /dev/null 2>&1
make install > /dev/null 2>&1
else
echo -e "编译安装失败" "\033[31m Failure\033[0m"
echo ""
exit
fi

#启动Dropbear
mkdir /etc/dropbear > /dev/null 2>&1
/usr/local/bin/dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
/usr/local/sbin/dropbear -p $DROPBEAR_PORT > /dev/null 2>&1
ps aux | grep dropbear | grep -v grep > /dev/null 2>&1
if [ $? -eq 0 ];then
rm -rf /tmp/$DROPBEAR_VERSION*
echo -e "启动服务端成功" "\033[32m Success\033[0m"
else
echo -e "启动服务端失败" "\033[31m Failure\033[0m"
exit
fi
echo ""
}

#卸载Dropbear
function UNINSTALL_DROPBEAR() {
echo -e "\033[33m正在卸载DropBearSSH\033[0m"
echo ""
ps aux | grep dropbear | grep -v grep | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
rm -rf /etc/dropbear
rm -f /var/run/dropbear.pid
rm -f /usr/local/sbin/dropbear
rm -f /usr/local/bin/dropbearkey
rm -f /usr/local/bin/dropbearconvert
rm -f /usr/local/share/man/man8/dropbear*
rm -f /usr/local/share/man/man1/dropbear*
ps aux | grep dropbear | grep -v grep > /dev/null 2>&1
if [ $? -ne 0 ];then
echo -e "卸载服务端成功" "\033[32m Success\033[0m"
else
echo -e "卸载服务端失败" "\033[31m Failure\033[0m"
exit
fi
echo ""
}

#升级OpenSSH
function INSTALL_OPENSSH() {
echo -e "\033[33m正在升级OpenSSH\033[0m"
echo ""

#安装依赖包
yum -y install gcc wget make perl-devel pam-devel zlib-devel > /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "安装依赖包成功" "\033[32m Success\033[0m"
else
echo -e "安装依赖包失败" "\033[31m Failure\033[0m"
echo ""
exit
fi
echo ""

#解压源码包
cd /tmp
wget --no-check-certificate $OPENSSL_DOWNLOAD > /dev/null 2>&1
wget --no-check-certificate $OPENSSH_DOWNLOAD > /dev/null 2>&1
tar xzf $OPENSSL_VERSION.tar.gz > /dev/null 2>&1
tar xzf $OPENSSH_VERSION.tar.gz > /dev/null 2>&1
if [ -d /tmp/$OPENSSL_VERSION ] && [ -d /tmp/$OPENSSH_VERSION ];then
echo -e "解压源码包成功" "\033[32m Success\033[0m"
else
echo -e "解压源码包失败" "\033[31m Failure\033[0m"
echo ""
exit
fi
echo ""

#创建备份目录
mkdir -p /tmp/openssh_bak_$DATE/etc/{init.d,pam.d,ssh}
mkdir -p /tmp/openssh_bak_$DATE/usr/{bin,sbin,libexec}
mkdir /tmp/openssh_bak_$DATE/usr/libexec/openssh

#备份旧程序
cp -af /etc/ssh/* /tmp/openssh_bak_$DATE/etc/ssh/ > /dev/null 2>&1
cp -af /etc/init.d/sshd /tmp/openssh_bak_$DATE/etc/init.d/ > /dev/null 2>&1
cp -af /etc/pam.d/sshd /tmp/openssh_bak_$DATE/etc/pam.d/ > /dev/null 2>&1
cp -af /usr/bin/scp /tmp/openssh_bak_$DATE/usr/bin/ > /dev/null 2>&1
cp -af /usr/bin/sftp /tmp/openssh_bak_$DATE/usr/bin/ > /dev/null 2>&1
cp -af /usr/bin/ssh* /tmp/openssh_bak_$DATE/usr/bin/ > /dev/null 2>&1
cp -af /usr/bin/slogin /tmp/openssh_bak_$DATE/usr/bin/ > /dev/null 2>&1
cp -af /usr/sbin/sshd* /tmp/openssh_bak_$DATE/usr/sbin/ > /dev/null 2>&1
cp -af /usr/libexec/ssh* /tmp/openssh_bak_$DATE/usr/libexec/ > /dev/null 2>&1
cp -af /usr/libexec/sftp* /tmp/openssh_bak_$DATE/usr/libexec/ > /dev/null 2>&1
cp -af /usr/libexec/openssh/* /tmp/openssh_bak_$DATE/usr/libexec/openssh/ > /dev/null 2>&1

#卸载旧程序
if [ "$OPENSSH_RPM_INSTALLED" == "0" ];then
rm -f /etc/ssh/*
rm -f /etc/init.d/sshd
rm -f /etc/pam.d/sshd
rm -f /usr/bin/scp
rm -f /usr/bin/sftp
rm -f /usr/bin/ssh
rm -f /usr/bin/slogin
rm -f /usr/bin/ssh-add
rm -f /usr/bin/ssh-agent
rm -f /usr/bin/ssh-keygen
rm -f /usr/bin/ssh-copy-id
rm -f /usr/bin/ssh-keyscan
rm -f /usr/sbin/sshd
rm -f /usr/sbin/sshd-keygen
rm -f /usr/libexec/openssh/*
rm -f /usr/libexec/sftp-server
rm -f /usr/libexec/ssh-keysign
rm -f /usr/libexec/ssh-sk-helper
rm -f /usr/libexec/ssh-pkcs11-helper
else
rpm -e --nodeps `rpm -qa | grep ^openssh` > /dev/null 2>&1
rm -f /etc/ssh/*
fi

#升级Perl
if [ "$SYSTEM_VERSION" == "5" ];then
cd /tmp
wget --no-check-certificate $PERL_DOWNLOAD > /dev/null 2>&1
tar xzf perl-$PERL_VERSION.tar.gz > /dev/null 2>&1
cd perl-$PERL_VERSION
./Configure -des -Dprefix=/usr/local/perl-$PERL_VERSION > /dev/null 2>&1
make > /dev/null 2>&1
make install > /dev/null 2>&1
mv /usr/bin/perl /tmp/openssh_bak_$DATE/usr/bin/ > /dev/null 2>&1
ln -sf /usr/local/perl-$PERL_VERSION/bin/perl /usr/bin/perl > /dev/null 2>&1
fi

#安装OpenSSL
cd /tmp/$OPENSSL_VERSION
./config --prefix=$PREFIX/$OPENSSL_VERSION --openssldir=$PREFIX/$OPENSSL_VERSION/ssl -fPIC > /dev/null 2>&1
if [ $? -eq 0 ];then
make > /dev/null 2>&1
make install > /dev/null 2>&1
echo "$PREFIX/$OPENSSL_VERSION/lib" >> /etc/ld.so.conf
ldconfig > /dev/null 2>&1
else
echo -e "编译安装OpenSSL失败" "\033[31m Failure\033[0m"
echo ""
exit
fi

#安装OpenSSH
cd /tmp/$OPENSSH_VERSION
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=$PREFIX/$OPENSSL_VERSION --with-zlib --with-pam --with-md5-passwords > /dev/null 2>&1
if [ $? -eq 0 ];then
make > /dev/null 2>&1
make install > /dev/null 2>&1
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config > /dev/null 2>&1
cp -af /tmp/$OPENSSH_VERSION/contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chmod 600 /etc/ssh/*
chkconfig --add sshd
chkconfig sshd on
else
echo -e "编译安装OpenSSH失败" "\033[31m Failure\033[0m"
echo ""
exit
fi

#启动OpenSSH
service sshd start > /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "启动服务端成功" "\033[32m Success\033[0m"
echo ""
ssh -V
else
echo -e "启动服务端失败" "\033[31m Failure\033[0m"
exit
fi
echo ""

#删除源码包
rm -rf /tmp/$OPENSSL_VERSION*
rm -rf /tmp/$OPENSSH_VERSION*
rm -rf /tmp/perl-$PERL_VERSION*
}

#脚本菜单
echo -e "\033[36m1: 安装DropBearSSH\033[0m"
echo ""
echo -e "\033[36m2: 卸载DropBearSSH\033[0m"
echo ""
echo -e "\033[36m3: 升级OpenSSH\033[0m"
echo ""
echo -e "\033[36m4: 退出脚本\033[0m"
echo ""
read -p  "请输入对应数字后按回车开始执行脚本: " SELECT
if [ "$SELECT" == "1" ];then
clear
INSTALL_DROPBEAR
fi
if [ "$SELECT" == "2" ];then
clear
UNINSTALL_DROPBEAR
fi
if [ "$SELECT" == "3" ];then
clear
INSTALL_OPENSSH
fi
if [ "$SELECT" == "4" ];then
echo ""
exit
fi

调用命令

bash <(curl -sSL https://hyluz.cn/update-openssl-openssh.sh)

可以先装dropbear ssh，服务监听6666端口，防止升级失败后连接不上服务器

运行截图