Scan a CentOS server with a vulnerability scanner and you will usually get a long list of SSH findings. The reason is that CentOS 7, even in its latest release, still ships OpenSSH 7.4 packages. Keep in mind that most scanners match on the version banner: Red Hat backports security fixes into the 7.4p1 package without bumping the version, so the package changelog (rpm -q --changelog openssh-server) tells you whether a reported CVE is already fixed. If you genuinely need a newer OpenSSH, for example for features or fixes that were not backported, you have to replace the package.
    [root@localhost ~]# cat /etc/redhat-release
    CentOS Linux release 7.9.2009 (Core)

Check the version of the installed OpenSSH packages:

    [root@localhost ~]# rpm -qa | grep openssh
    openssh-clients-7.4p1-21.el7.x86_64
    openssh-server-7.4p1-21.el7.x86_64
    openssh-7.4p1-21.el7.x86_64
yum is the usual way to install or update packages on CentOS, but it does not help here: the CentOS 7 repositories carry no openssh package newer than 7.4p1, only rebuilds of it with backported fixes.
The fastest way to get a newer OpenSSH package is a script published on GitHub that builds RPMs from the upstream source tarball and installs them.
The script supports the following OpenSSH versions: 7.9p1, 8.0p1, 8.1p1, 8.2p1 and 8.3p1. Check the OpenSSH release page for anything newer before choosing; a scanner that keys on the banner will flag an old 8.x just as it flags 7.4.
Build and install 8.3p1 in one go:

    bash <(curl -sSL https://github.com/Junyangz/upgrade-openssh-centos/raw/master/build-RPMs-OpenSSH-CentOS.sh) --version 8.3p1 --output_rpm_dir /tmp/tmp.dirs --upgrade_now yes

This pipes a script fetched over the network straight into a root shell, and the script replaces your SSH server. Download it first, read it, and only then run the saved copy.
--output_rpm_dir is mandatory: it is the directory where the built RPMs are written (packed as a tar.gz), and it must already exist.
Script content, starting with the build function (${version} and ${rhel_version} are set by the script's argument handling):
    build_RPMs() {
        local output_rpm_dir="${1}"

        # Build dependencies. The original lists libx11-dev, a Debian package
        # name; the CentOS package is libX11-devel. It is not actually needed
        # because the askpass helpers are disabled in the spec below.
        yum install -y pam-devel rpm-build rpmdevtools zlib-devel openssl-devel \
            krb5-devel gcc wget libX11-devel gtk2-devel libXt-devel

        mkdir -p ~/rpmbuild/SOURCES && cd ~/rpmbuild/SOURCES

        # Fetch the release tarball and its detached signature from a mirror.
        # The .asc is downloaded but never verified anywhere in the script.
        wget -c https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable/openssh-${version}.tar.gz
        wget -c https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable/openssh-${version}.tar.gz.asc
        wget -c https://mirrors.tuna.tsinghua.edu.cn/slackware/slackware64-current/source/xap/x11-ssh-askpass/x11-ssh-askpass-1.2.4.1.tar.gz

        # Unpack, copy the host's current PAM config into the source tree so the
        # spec packages it, then repack the tarball that rpmbuild will consume.
        tar zxvf openssh-${version}.tar.gz
        yes | cp /etc/pam.d/sshd openssh-${version}/contrib/redhat/sshd.pam
        mv openssh-${version}.tar.gz{,.orig}
        tar zcpf openssh-${version}.tar.gz openssh-${version}

        # Extract only the Red Hat spec file into ~ and patch it for CentOS 7.
        cd
        tar zxvf ~/rpmbuild/SOURCES/openssh-${version}.tar.gz openssh-${version}/contrib/redhat/openssh.spec
        cd openssh-${version}/contrib/redhat/ && chown root.root openssh.spec
        sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
        sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
        sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
        sed -i -e "s/PreReq: initscripts >= 5.00/#PreReq: initscripts >= 5.00/g" openssh.spec
        sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

        # Comments out the check-files macro in /usr/lib/rpm/macros so rpmbuild
        # does not fail on unpackaged files. This is a permanent, system-wide
        # change to the build host's rpm configuration.
        sed -i -e "/check-files/ s/^#*/#/" /usr/lib/rpm/macros

        rpmbuild -ba openssh.spec

        # Collect the built RPMs into a tarball in the requested output directory
        # and clean up the build tree.
        cd /root/rpmbuild/RPMS/x86_64/
        tar zcvf ${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz openssh*
        rm -rf ~/rpmbuild ~/openssh-${version}
    }
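The build function saves the release .asc next to the tarball but never checks it, so a tampered mirror or download would be built and installed unnoticed. The following is an added example of the missing step, not code from the upgrade-openssh-centos script. It assumes gpg is installed, that the OpenSSH release public key has already been imported into root's keyring, and that the caller passes in the key fingerprint published at https://www.openssh.com/portable.html (the variable name OPENSSH_RELEASE_FPR in the usage comment is a placeholder):

```shell
#!/bin/sh
# Added example, not part of the upgrade-openssh-centos script: verify the
# detached signature on the OpenSSH tarball before handing it to rpmbuild.
# Assumptions: gpg is installed, the OpenSSH release public key is already in
# the local keyring, and the expected fingerprint is supplied by the caller.

# normalize_fpr FINGERPRINT
# Strips spaces and upper-cases hex digits, so a fingerprint copied from a
# web page compares equal to the form gpg reports.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# verify_openssh_tarball TARBALL ASC EXPECTED_FINGERPRINT
# Returns 0 only if the signature is valid AND was made by the pinned key.
# Returns 2 if either file is missing, 1 for a bad or wrong-key signature.
verify_openssh_tarball() {
    tarball="$1"; asc="$2"; expected="$(normalize_fpr "$3")"
    if [ ! -f "$tarball" ] || [ ! -f "$asc" ]; then
        echo "missing $tarball or $asc" >&2
        return 2
    fi
    # --status-fd 1 emits machine-readable lines on stdout; the VALIDSIG line
    # carries the full fingerprint of the signing key as its third field.
    status="$(gpg --batch --status-fd 1 --verify "$asc" "$tarball" 2>/dev/null)" || {
        echo "BAD signature on $tarball" >&2
        return 1
    }
    actual="$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')"
    if [ "$actual" != "$expected" ]; then
        # A valid signature from the wrong key is still a failure: anyone can
        # sign a tarball, only the release key matters.
        echo "valid signature, but from unexpected key: $actual" >&2
        return 1
    fi
    echo "OK: $tarball is signed by $actual"
}

# Usage, e.g. in ~/rpmbuild/SOURCES right after the wget lines and before
# the tarball is unpacked (OPENSSH_RELEASE_FPR is a placeholder you set):
#   verify_openssh_tarball openssh-8.3p1.tar.gz openssh-8.3p1.tar.gz.asc "$OPENSSH_RELEASE_FPR" || exit 1
```

Put the call before the tar zxvf line in build_RPMs; a non-zero return should abort the build rather than fall through to rpmbuild.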
--version selects the OpenSSH release to build, one of the versions listed above; inside the script it becomes the ${version} variable used by both functions.
To build and install in one run, add --upgrade_now yes; after the build the script then calls the following function:
    upgrade_openssh() {
        local temp_dir="$(mktemp -d)"
        local output_rpm_dir="$1"
        trap "rm -rf ${temp_dir}" EXIT
        pushd "${temp_dir}"
        timestamp=$(date +%s)

        if [ ! -f ${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz ]; then
            echo "${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz does not exist"
            exit 1
        fi
        cp ${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz ./
        tar zxf openssh-${version}-RPMs.el${rhel_version}.tar.gz

        # Save the host's PAM config, upgrade all RPMs, then put the saved PAM
        # config back (the new package installs its own /etc/pam.d/sshd).
        cp /etc/pam.d/sshd pam-ssh-conf-${timestamp}
        rpm -U *.rpm
        mv /etc/pam.d/sshd /etc/pam.d/sshd_${timestamp}
        yes | cp pam-ssh-conf-${timestamp} /etc/pam.d/sshd

        # Uncomments "#PermitRootLogin yes" in sshd_config, i.e. explicitly
        # allows root to log in, with a password if PasswordAuthentication is
        # on. Drop or change this line if root logins are not wanted.
        sed -i '/PermitRootLogin yes/ s/^#*//' /etc/ssh/sshd_config

        # Sets mode 600 on every /etc/ssh/ssh* file, which covers ssh_config and
        # the public host keys as well as the private keys.
        chmod 600 /etc/ssh/ssh*

        # The spec from contrib/redhat installs a SysV init script.
        /etc/init.d/sshd restart
        echo "New version upgraded to:"
        ssh -V    # the original wrote $(ssh -V), which tries to execute the version string
    }
With this option the script builds the RPMs for the requested version and immediately upgrades the installed packages. Before using it, keep your current SSH session open and confirm from a second terminal that new logins still work after the restart. Two side effects to be aware of: the function uncomments PermitRootLogin yes, and the self-built package falls outside yum's update stream, so future OpenSSH security fixes will not arrive through yum update; you will have to rebuild.
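The upgrade function edits sshd_config with a sed that uncomments PermitRootLogin yes, which explicitly re-enables root logins and, if the line happens to sit after a Match block, does not even apply globally. As an added example (not from the script), here is an idempotent way to set a global sshd_config directive that keeps it out of any Match section, together with a reader for checking the result. The sample config in the usage comment is constructed:

```shell
#!/bin/sh
# Added example, not part of the upgrade-openssh-centos script: set a global
# sshd_config directive safely instead of uncommenting whatever is there.

# set_sshd_directive FILE KEYWORD VALUE
# Removes every existing global occurrence of KEYWORD (commented or active,
# keyword match is case-insensitive like sshd's) and writes one
# "KEYWORD VALUE" line before the first Match block, so the setting stays
# global. Lines inside Match blocks are left alone because they are scoped.
set_sshd_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0; inmatch = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indent and comment marker
            split(line, f, /[ \t=]+/)               # sshd allows "key value" or "key=value"
            if (tolower(f[1]) == "match") {
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (!inmatch && tolower(f[1]) == lkey) next   # drop old global setting
            print
        }
        END { if (!done) print key " " value }      # no Match block: append at end
    ' "$file" > "$tmp" && cat "$tmp" > "$file"      # cat keeps the file mode and owner
    rm -f "$tmp"
}

# get_sshd_directive FILE KEYWORD
# Prints the value of the first active global KEYWORD line (sshd honours the
# first occurrence), stopping at the first Match block.
get_sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Usage on a constructed sample (root logins allowed only with keys):
#   printf '%s\n' '#PermitRootLogin yes' 'Match User backup' '  PermitRootLogin no' > /tmp/sshd_config.sample
#   set_sshd_directive /tmp/sshd_config.sample PermitRootLogin prohibit-password
#   get_sshd_directive /tmp/sshd_config.sample PermitRootLogin
#   sshd -t -f /tmp/sshd_config.sample
```

Run sshd -t -f on the edited file and only then restart sshd; a config error leaves the old daemon running on a restart but locks you out of new logins, so keep the existing session open while you test from another terminal.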
Because the version is just a parameter, the same command builds any of the supported releases; pick the newest one in the list.
Need help setting up the server? Please contact [email protected]