小贱人有你好看的那天
????由于管理着两百多台Linux服务器,一个人搞这么多机器的安全加固比较累,因此在学习了shell脚本之后果断的写了一些常用脚本做一些系统日常维护,本文OPENSSH的升级是博主本人几乎每两三个月就要做一次升级的,没办法绿盟安全扫描系统总是扫描到相关的高危漏洞,再就是OPENSSH版本更新的也比较频繁,因此不偷懒几乎没法活了。废话不说了,在这里贴下脚本,已经在线上服务器上执行了上百次了,应该不会有什么问题。
#!/bin/bash
#################################################################
######????update?openssl?openssh?scirpt?????????????????#########
#####?????????????Author:kl?????????????????????????????????#####
######???????????Date:2014/07/13????????????????????????????#####
######????????LastModified:2016/06/02?????????????????????#######
####??Warning:start?telnet?service?before?use?the?script????#####
#################################################################
####################################################################################
# update?openssh?and?openssl
#########
??#####
????##
####################################################################################
#Determine?whether?the?current?system?installed?gcc?compiler?tools
zlib_version="zlib-1.2.8"
openssl_version="openssl-1.0.2g"
openssh_version="openssh-7.2p2"
gcc_path=`which?gcc`
#gcc_name=`basename?$gcc_path`
DATE=$(date?+%Y%m%d)
#?OS?TYPE
#Distributor_ID=$(lsb_release?-i)
Distributor=`lsb_release?-i|cut?-c?17-`
#?Determine?whether?the?root?user
userid=`id?-u`
if?[?"$userid"?-ne?0?];?then
echo?"sorry,only?root?can?execute?the?script.?"
exit
fi
#?SET?SELINUX=disabled
if?[?"$Distributor"?!=?"SUSE?LINUX"?];?then
sed?-i?'/SELINUX/s/enforcing/disabled/'?/etc/selinux/config
setenforce?0
fi
#?pam-devel,tcp_wrappers-devel?need?be?installed,?Otherwise,?the?software?will?install?failure
#?Support?for?tcpwrappers/libwrap?has?been?removed?in?openssh6.7?
if?!?rpm?-qa|grep?pam-devel?&>/dev/null;?then
echo?"pam-devel?is?not?installed"?&&?exit
fi
#if?!?rpm?-qa|grep?tcp_wrappers-devel?&>/dev/null;?then
# echo?"tcp_wrappers-devel?not?installed"?&&?exit
#fi
#??Check?whether?to?open?the?telnet?service
netstat?-tnlp?|?grep?-w?23
RETVAL3=$?
if?[?$RETVAL3?-eq?0?];?then
echo?"telnet?service?is?running------------[yes]"
else
echo?"telnet?service?is?not?running--------[no]"
exit
fi
#?Determine?whether?to?install?gcc?package
if?[?-e?"$gcc_path"?];?then
echo?"gcc?is?installed----------------[yes]"
else
echo?"gcc?is?not?installed------------[no]"
exit?
fi
#?stop?sshd?service?
netstat?-tnlp?|?grep?-w?22
RETVAL4=$?
if?[?$RETVAL4?-eq?0?];?then
service?sshd?stop
echo?"stop?sshd?service?--------------[yes]"
fi
if?[?-e?/etc/init.d/sshd?];?then
cp?/etc/init.d/sshd?/root
fi
#?remove?openssh*.rpm?if?exists
if?rpm?-qa?|?grep?openssh?&>?/dev/null; then
rpm?-qa?|?grep?openssh?>?openssh_list.txt
while?read?line
do
rpm?-e?$line?--nodeps
echo?"remove?$line?success------------[yes]"
done?<?openssh_list.txt
fi
###########install?zlib?##################
tar?-zxvf?"${zlib_version}.tar.gz"?>?/dev/null
cd?$zlib_version
./configure
RETVAL5=$?
if?[?$RETVAL5?-ne?0?];?then
echo?"Configure?zlib?has?encountered?an?error"
exit
fi
make
RETVAL6=$?
if?[?$RETVAL6?-ne?0?];?then
echo?"make?zlib?has?encountered?an?error"
exit
fi
make?install
cd?..
echo?"#########################################################"
echo?"################????????????????????????#################"
echo?"################??zlib?install?success???#################"
echo?"################????????????????????????#################"
echo?"#########################################################"
sleep?2
##########?install?openssl?#############
tar?-zxvf?"${openssl_version}.tar.gz"?>?/dev/null
cd?$openssl_version
./config?shared?zlib
RETVAL7=$?
if?[?$RETVAL7?-ne?0?];?then
echo?"Configure?openssl?has?encountered?an?error"
exit
fi
make
RETVAL8=$?
if?[?$RETVAL8?-ne?0?];?then
echo?"make?openssl?has?encountered?an?error"
exit
fi
make?install?
if?[?-e?/usr/bin/openssl?];?then
mv?/usr/bin/openssl?/usr/bin/openssl.OFF?&&?ln?-s?/usr/local/ssl/bin/openssl?/usr/bin/openssl
else
ln?-s?/usr/local/ssl/bin/openssl?/usr/bin/openssl
fi
if?[?-e?/usr/include/openssl?];?then
mv?/usr/include/openssl?/usr/include/openssl.OFF?&&?ln?-s?/usr/local/ssl/include/openssl?/usr/include/openssl
else
ln?-s?/usr/local/ssl/include/openssl?/usr/include/openssl
fi
##?Add?"/usr/local/ssl/lib"?to?/etc/ld.so.conf?
ssl_lib=`grep?-w?"/usr/local/ssl/lib"?/etc/ld.so.conf`?
if?[?!?-e?"$ssl_lib"?];?then
echo?"/usr/local/ssl/lib"?>>?/etc/ld.so.conf
fi
ldconfig?-v
cd?..
echo?"#########################################################"
echo?"################????????????????????????#################"
echo?"################?openssl?install?sucess??################"
echo?"################????????????????????????#################"
echo?"#########################################################"
sleep?2
#############?install?openssh?##############
if?[?-e?/etc/ssh?];?then
mv?/etc/ssh?/etc/ssh_$DATE
fi
tar?-zxvf?"${openssh_version}.tar.gz"?>?/dev/null
cd?$openssh_version
./configure?--prefix=/usr?--sysconfdir=/etc/ssh?--with-zlib?--with-pam?--with-ssl-dir=/usr/local/ssl?--with-md5-passwords
RETVAL9=$?
if?[?$RETVAL9?-ne?0?];?then
echo?"Configure?openssh?has?encountered?an?error"
exit
fi
make
RETVAL10=$?
if?[?$RETVAL10?-ne?0?-a?$RETVAL10?-ne?0?];?then
????????echo?"make?openssh?has?encountered?an?error"
????????exit
fi
make?install
if?[?"$Distributor"?==?"SUSE?LINUX"?];?then
cd?contrib/suse
cp?rc.sshd?/etc/init.d/sshd
chmod?+x?/etc/init.d/sshd
chkconfig?--add?sshd
else
cd?contrib/redhat?
cp?sshd.init?/etc/init.d/sshd
chmod?+x?/etc/init.d/sshd
chkconfig?--add?sshd
fi
#A?generic?PAM?configuration?is?included?as?"contrib/sshd.pam.generic",
#you?may?need?to?edit?it?before?using?it?on?your?system.
cd?..
cp?sshd.pam.generic?/etc/pam.d/sshd
sed?-i?'s//lib/security///g'?/etc/pam.d/sshd
#?Modify?/etc/ssh/sshd_config
#?Backup?/etc/ssh/sshd_config
cp?-p?/etc/ssh/sshd_config?/etc/ssh/sshd_config_bak
#?The?default?set?of?ciphers?and?MACs?has?been?altered?to
#?remove?unsafe?algorithms.?In?particular,?CBC?ciphers?and?arcfour*
#?are?disabled?by?default.?
#?Changes?since?OpenSSH?6.6
echo?"KexAlgorithms?diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org"?>>?/etc/ssh/sshd_config
echo?"Ciphers?aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc"?>>?/etc/ssh/sshd_config
echo?"MACs?hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96"?>>?/etc/ssh/sshd_config
#?Disable?root?access?via?ssh?to?server
#*?The?default?for?the?sshd_config(5)?PermitRootLogin?option?has?changed?from?"yes"?to?"prohibit-password".
#*?PermitRootLogin=without-password/prohibit-password?now?bans?all
#interactive?authentication?methods,?allowing?only?public-key,
#hostbased?and?GSSAPI?authentication?(previously?it?permitted
#keyboard-interactive?and?password-less?authentication?if?those
#were?enabled).
#PermitRootLogin?prohibit-password?is?the?default?since?version?7.0p1
sed?-i?'s/^#PermitRootLogin/PermitRootLogin/'?/etc/ssh/sshd_config
#sed?-i?'/PermitRootLogin/s/yes/no/'?/etc/ssh/sshd_config
sed?-i?'/PermitRootLogin/s/prohibit-password/no/'?/etc/ssh/sshd_config
#?Set?'UsePAM?no'?to?'UsePAM?yes'?to?enable?PAM?authentication,?account?processing,?
#?and?session?processing
sed?-i?'/^#UsePAM?no/a?UsePAM?yes'?/etc/ssh/sshd_config
#?Start?sshd?process
service?sshd?start
#?Disable?telnet?service
if?netstat?-tnlp?|?grep?-w?22?&>?/dev/null;?then
sed?-i?'/disable/s/no/yes/'?/etc/xinetd.d/telnet
service?xinetd?restart
fi
echo?"#########################################################"
echo?"################????????????????????????#################"
echo?"################?openssh?install?sucess??################"
echo?"################????????????????????????#################"
echo?"#########################################################"
echo?"###############???ssh?version?????#################################################?"
echo?"###################################################################################?"
sshd?-v
echo?"####################################################################################?"
echo?"####################################################################################?"