由于管理着两百多台Linux服务器,一个人搞这么多机器的安全加固比较累,因此在学习了shell脚本之后果断地写了一些常用脚本做一些系统日常维护。本文OPENSSH的升级是博主本人几乎每两三个月就要做一次的,没办法,绿盟安全扫描系统总是扫描到相关的高危漏洞,再就是OPENSSH版本更新得也比较频繁,因此不偷懒几乎没法活了。废话不说了,在这里贴下脚本,已经在线上服务器上执行了上百次了,应该不会有什么问题。
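#!/bin/bash
#################################################################
######      update openssl / openssh script                 #####
#####       Author: kl                                      #####
######      Date: 2014/07/13                                #####
######      LastModified: 2016/06/02                        #####
####   Warning: start telnet service before using the script ####
#################################################################
#
# Rebuilds zlib, OpenSSL and OpenSSH from the source tarballs found in the
# current directory and installs them over the distribution packages
# (RHEL/CentOS style rpm systems and SUSE).
#
# Inputs, all in $PWD:  ${zlib_version}.tar.gz  ${openssl_version}.tar.gz
#                       ${openssh_version}.tar.gz
#                       optionally <tarball>.sha256 next to each one
#                       (sha256sum -c format, taken from the upstream release
#                       page) -- an archive without one is installed
#                       unverified and a warning is printed.
#
# Optional environment knobs (all default to off):
#   ENABLE_LEGACY_SSH_ALGORITHMS=1  append the legacy KexAlgorithms/Ciphers/MACs
#                                   lists (CBC, arcfour, 3des, blowfish,
#                                   hmac-md5, group1-sha1 ...) to sshd_config.
#                                   Upstream removed these as unsafe; putting
#                                   them back on every host defeats the purpose
#                                   of the upgrade, so it is opt-in.
#   REGENERATE_HOST_KEYS=1          do NOT carry the existing host keys over to
#                                   the new /etc/ssh; every client then sees a
#                                   "host key changed" warning.
#
# Order of operations: the new OpenSSH is configured and compiled before the
# running sshd is stopped and the distro packages removed, so a build failure
# never leaves the machine reachable by telnet only.  The old /etc/ssh is kept
# as /etc/ssh_<date>; /etc/init.d/sshd is copied to /root.
#
# SELinux: the original script wrote SELINUX=disabled into /etc/selinux/config
# permanently.  This version only switches to permissive for the duration of
# the install, relabels the installed files and restores the previous mode.

set -uo pipefail

zlib_version="zlib-1.2.8"
openssl_version="openssl-1.0.2g"
openssh_version="openssh-7.2p2"
readonly zlib_version openssl_version openssh_version

DATE=$(date +%Y%m%d)
src_root=$PWD
# "SUSE LINUX" on SLES; anything else takes the redhat contrib init script.
distributor=$(lsb_release -is 2>/dev/null)
readonly DATE src_root distributor
readonly ssl_prefix=/usr/local/ssl
# Filled in by selinux_relax(); empty means "nothing to restore".
selinux_prev_mode=""

log() { printf '%s\n' "$*"; }
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Returns 0 when a TCP socket is listening on port $1 on any address.
# Matches the local-address column only, unlike the original
# "grep -w <port>" which also matched PIDs and other columns.
#######################################
listening_on_port() {
  netstat -tnl 2>/dev/null \
    | awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { exit !found }'
}

#######################################
# Prints the 5-line status banner used after each component installs.
#######################################
banner() {
  local msg=" $1"
  printf '#########################################################\n'
  printf '################                        #################\n'
  printf '################%-24s#################\n' "$msg"
  printf '################                        #################\n'
  printf '#########################################################\n'
}

#######################################
# Verifies $1 against an adjacent $1.sha256 when one exists.  Without a
# checksum file the archive is used as-is and that fact is reported.
#######################################
verify_tarball() {
  local tarball=$1
  [[ -f "$tarball" ]] || die "$tarball not found in $src_root"
  if [[ -f "${tarball}.sha256" ]]; then
    sha256sum -c -- "${tarball}.sha256" || die "checksum mismatch for $tarball"
    log "checksum verified --------------[yes] $tarball"
  else
    printf 'WARNING: no %s.sha256 found, installing unverified\n' "$tarball" >&2
  fi
}

#######################################
# Extracts $1.tar.gz from $src_root (after verification) and enters the
# resulting directory.
#######################################
enter_source() {
  local name=$1
  cd "$src_root" || die "cannot cd to $src_root"
  verify_tarball "${name}.tar.gz"
  tar -zxf "${name}.tar.gz" || die "cannot extract ${name}.tar.gz"
  cd "$name" || die "cannot cd to $name"
}

#######################################
# Moves the distribution's $1 aside as $1.OFF and points $1 at $2.
# Idempotent: a path that is already a symlink is just re-pointed, so a
# re-run does not nest .OFF copies inside each other.
#######################################
replace_with_symlink() {
  local path=$1 target=$2 aside
  if [[ -e "$path" && ! -L "$path" ]]; then
    aside="${path}.OFF"
    [[ -e "$aside" ]] && aside="${path}.OFF.$DATE"
    mv -- "$path" "$aside" || die "cannot move $path aside"
  fi
  ln -sfn -- "$target" "$path" || die "cannot link $path -> $target"
}

#######################################
# Everything that must be true before anything is changed on the host.
#######################################
preflight() {
  local name
  [[ "$(id -u)" -eq 0 ]] || die "sorry, only root can execute the script."
  if command -v gcc >/dev/null 2>&1; then
    log "gcc is installed----------------[yes]"
  else
    die "gcc is not installed------------[no]"
  fi
  # pam-devel is required by the --with-pam configure step.
  # tcp_wrappers-devel is no longer needed: libwrap support was removed in
  # OpenSSH 6.7.
  rpm -q pam-devel >/dev/null 2>&1 || die "pam-devel is not installed"
  # sshd is stopped and the distro packages removed further down, so a second
  # way in is needed in case the install fails.  The author uses telnet for
  # that; it is cleartext, so prefer a console/out-of-band channel where one
  # exists, and it is switched off again in start_sshd() once the new sshd is
  # confirmed listening.
  if listening_on_port 23; then
    log "telnet service is running------------[yes]"
  else
    die "telnet service is not running--------[no]"
  fi
  for name in "$zlib_version" "$openssl_version" "$openssh_version"; do
    [[ -f "$src_root/${name}.tar.gz" ]] || die "${name}.tar.gz not found in $src_root"
  done
}

#######################################
# Records the SELinux mode and goes permissive for the install.  Skipped on
# SUSE (as in the original) and on hosts without the SELinux tools.
#######################################
selinux_relax() {
  [[ "$distributor" == SUSE* ]] && return 0
  command -v getenforce >/dev/null 2>&1 || return 0
  selinux_prev_mode=$(getenforce 2>/dev/null)
  if [[ "$selinux_prev_mode" == "Enforcing" ]]; then
    setenforce 0 || die "cannot switch SELinux to permissive"
  fi
}

#######################################
# Relabels what was installed and puts SELinux back into its previous mode.
# The relabel happens before sshd is started so the daemon enters its own
# domain on a clean transition.
#######################################
selinux_restore() {
  [[ -n "$selinux_prev_mode" ]] || return 0
  if command -v restorecon >/dev/null 2>&1; then
    restorecon -R /usr/sbin/sshd /usr/bin/ssh /etc/ssh /etc/init.d/sshd \
      /etc/pam.d/sshd 2>/dev/null
  fi
  if [[ "$selinux_prev_mode" == "Enforcing" ]]; then
    setenforce 1 || die "cannot switch SELinux back to enforcing"
    log "SELinux restored to enforcing; verify 'service sshd restart' and the audit log before relying on it"
  fi
}

install_zlib() {
  enter_source "$zlib_version"
  ./configure || die "Configure zlib has encountered an error"
  make || die "make zlib has encountered an error"
  make install || die "make install zlib has encountered an error"
  banner "zlib install success"
  sleep 2
}

install_openssl() {
  enter_source "$openssl_version"
  ./config shared zlib || die "Configure openssl has encountered an error"
  make || die "make openssl has encountered an error"
  make install || die "make install openssl has encountered an error"
  replace_with_symlink /usr/bin/openssl "$ssl_prefix/bin/openssl"
  replace_with_symlink /usr/include/openssl "$ssl_prefix/include/openssl"
  # Make the new libssl/libcrypto visible to the dynamic loader.  The original
  # tested the grep result with "-e" (file existence) instead of "-z".
  grep -qxF "$ssl_prefix/lib" /etc/ld.so.conf \
    || printf '%s\n' "$ssl_prefix/lib" >> /etc/ld.so.conf
  ldconfig
  banner "openssl install success"
  sleep 2
}

#######################################
# Configure + compile only; nothing on the host is touched yet.
#######################################
build_openssh() {
  enter_source "$openssh_version"
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam \
    --with-ssl-dir="$ssl_prefix" --with-md5-passwords \
    || die "Configure openssh has encountered an error"
  make || die "make openssh has encountered an error"
}

#######################################
# Stops the running sshd and removes the distribution openssh packages.
# Called only after build_openssh() succeeded.
#######################################
retire_old_sshd() {
  local pkg
  if listening_on_port 22; then
    service sshd stop
    log "stop sshd service --------------[yes]"
  fi
  [[ -e /etc/init.d/sshd ]] && cp -p /etc/init.d/sshd /root/
  # --nodeps: other packages depend on openssh-clients; they keep working with
  # the source build installed under the same /usr prefix.
  while IFS= read -r pkg; do
    [[ -n "$pkg" ]] || continue
    rpm -e --nodeps "$pkg" || die "failed to remove $pkg"
    log "remove $pkg success------------[yes]"
  done < <(rpm -qa 'openssh*')
}

#######################################
# Installs the compiled OpenSSH, its init script and PAM file.
#######################################
install_openssh() {
  local backup="/etc/ssh_$DATE" key
  cd "$src_root/$openssh_version" || die "cannot cd to $openssh_version"
  if [[ -e /etc/ssh ]]; then
    [[ -e "$backup" ]] && backup="${backup}_$(date +%H%M%S)"
    mv /etc/ssh "$backup" || die "cannot back up /etc/ssh"
  fi
  if [[ "${REGENERATE_HOST_KEYS:-0}" != 1 && -d "$backup" ]]; then
    # Keep the host identity.  A fresh key on every upgrade (every few months
    # across a fleet) makes each client see a "host key changed" warning and
    # trains users to click through the very warning that flags a real
    # man-in-the-middle.  'make install' only generates keys that are missing.
    mkdir -p /etc/ssh
    for key in "$backup"/ssh_host_*_key "$backup"/ssh_host_*_key.pub; do
      [[ -e "$key" ]] && cp -p -- "$key" /etc/ssh/
    done
  fi
  make install || die "make install openssh has encountered an error"

  if [[ "$distributor" == SUSE* ]]; then
    cp contrib/suse/rc.sshd /etc/init.d/sshd || die "cannot install init script"
  else
    cp contrib/redhat/sshd.init /etc/init.d/sshd || die "cannot install init script"
  fi
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd

  # A generic PAM configuration is included as contrib/sshd.pam.generic; you
  # may need to edit it before using it on your system.
  cp contrib/sshd.pam.generic /etc/pam.d/sshd || die "cannot install PAM file"
  # NOTE(review): the original sed expression is garbled in the source
  # ("s//lib/security///g").  It presumably strips the hard-coded
  # /lib/security/ prefix so PAM resolves modules from its default module
  # directory (lib64 on 64-bit hosts) -- confirm against the
  # contrib/sshd.pam.generic shipped with this release.
  sed -i 's#/lib/security/##g' /etc/pam.d/sshd
}

#######################################
# Hardens the freshly installed /etc/ssh/sshd_config and checks sshd accepts it.
#######################################
configure_sshd() {
  local cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "${cfg}_bak" || die "cannot back up $cfg"

  if [[ "${ENABLE_LEGACY_SSH_ALGORITHMS:-0}" == 1 ]]; then
    # Since OpenSSH 6.6 the default set of ciphers and MACs has been altered
    # to remove unsafe algorithms; CBC ciphers and arcfour* in particular are
    # disabled by default.  These lines re-enable them for clients that cannot
    # do better.  They are opt-in: on a host that does not need them they
    # reintroduce exactly what the upgrade removes.
    printf '%s\n' \
      "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org" \
      "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc" \
      "MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96" \
      >> "$cfg"
  fi

  # Disable root login over ssh.  Since 7.0p1 the default is
  # "prohibit-password" (public-key, hostbased and GSSAPI only); tighten it
  # to "no".
  sed -i 's/^#PermitRootLogin/PermitRootLogin/' "$cfg"
  sed -i '/PermitRootLogin/s/prohibit-password/no/' "$cfg"
  # Enable PAM authentication, account processing and session processing.
  sed -i '/^#UsePAM no/a UsePAM yes' "$cfg"
  # A config sshd rejects would leave the host with telnet as its only way in;
  # stop here while the backup in /etc/ssh_<date> is still easy to restore.
  sshd -t || die "sshd rejects $cfg, not starting"
}

#######################################
# Starts the new sshd and, only once it is confirmed listening, turns the
# telnet fallback off again.
#######################################
start_sshd() {
  service sshd start || die "sshd failed to start"
  if listening_on_port 22; then
    sed -i '/disable/s/no/yes/' /etc/xinetd.d/telnet
    service xinetd restart
  else
    die "sshd is not listening on port 22; telnet left enabled"
  fi
}

report() {
  banner "openssh install success"
  printf '###############   ssh version     #################################################\n'
  printf '###################################################################################\n'
  # The original ran "sshd -v", which is not a valid option and only showed
  # the version because sshd prints it at the top of its usage text.
  ssh -V
  openssl version
  printf '####################################################################################\n'
  printf '####################################################################################\n'
}

main() {
  preflight
  selinux_relax
  install_zlib
  install_openssl
  build_openssh
  retire_old_sshd
  install_openssh
  configure_sshd
  selinux_restore
  start_sshd
  report
}

main "$@"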