centos7环境下OpenSSL拒绝服务漏洞(CVE-2022-0778)
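漏洞影响范围:(原文此处的版本范围未能保留,请以 OpenSSL 官方安全公告为准;本文升级到的 1.1.1n 是 1.1.1 分支中修复该漏洞的版本。)该漏洞位于 BN_mod_sqrt() 函数:解析带有特制椭圆曲线参数的证书时可能陷入死循环,因此任何会解析外部提供证书的进程都可能被拒绝服务。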
下载openssl和openssh最新版本上传至服务器(请从官方站点下载,并在编译前核对发布页给出的 SHA256 校验值或 PGP 签名,确认源码包未被篡改):
openssl下载 openssh下载
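查看当前openssl和openssh版本(注意:CentOS 7 的官方 RPM 会把安全修复回移植到 1.0.2k 上,版本号字符串不变,所以仅凭这里的输出无法判断系统包是否已修复;可用 rpm -q --changelog openssl | grep CVE-2022-0778 检查系统包是否已包含该补丁)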
[root@node1~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@node1~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
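编译安装 OpenSSL (需要gcc环境)。注意:这样安装的 1.1.1n 位于独立目录,系统中原本链接系统 OpenSSL 库的其他程序不会因此改用新库,系统自带的库仍需通过 yum update openssl 更新;下面被 mv 替换掉的 /usr/bin/openssl 和 /usr/include/openssl 属于 RPM 管理的文件,之后升级相关软件包时可能被覆盖。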
[root@node1~]# tar -xzvf openssl-1.1.1n.tar.gz
[root@node1~]# cd openssl-1.1.1n/
[root@node1 openssl-1.1.1n]# ./config --prefix=/usr/local/openssl-1.1.1n --shared
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1n (0x101010efL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
[root@node1 openssl-1.1.1n]# make && make install
[root@node1 openssl-1.1.1n]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@node1 openssl-1.1.1n]# mv /usr/include/openssl /usr/include/openssl.bak
[root@node1 openssl-1.1.1n]# ln -s /usr/local/openssl-1.1.1n/bin/openssl /usr/bin/openssl
[root@node1 openssl-1.1.1n]# ln -s /usr/local/openssl-1.1.1n/include/openssl /usr/include/openssl
[root@node1 openssl-1.1.1n]# echo "/usr/local/openssl-1.1.1n/lib">>/etc/ld.so.conf
[root@node1 openssl-1.1.1n]# ldconfig
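编译安装 OpenSSH 之后重启sshd服务。操作前请保留一个已登录的会话或控制台入口,以免新 sshd 无法启动时失去远程访问。下面的 mv /etc/ssh /etc/ssh.bak 会把原有主机密钥(ssh_host_*_key)一并移走,而后面只还原了 sshd_config;如果希望客户端不出现主机密钥变更告警,需要同时从 /etc/ssh.bak 还原主机密钥。重启前建议先用新编译的 sshd 执行 sshd -t 检查配置,旧版 sshd_config 中的部分选项在新版本里可能已不再支持。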
[root@localhost ~]# yum install pam-devel libselinux-devel zlib-devel openssl-devel
[root@localhost ~]# tar -zxvf openssh-8.9p1.tar.gz
[root@localhost ~]# cd openssh-8.9p1
[root@localhost openssh-8.9p1]# mv /etc/ssh /etc/ssh.bak
[root@localhost openssh-8.9p1]# ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl-1.1.1n/lib
[root@localhost openssh-8.9p1]# make && make install
[root@localhost openssh-8.9p1]# mv /etc/ssh.bak/sshd_config /etc/ssh/sshd_config
[root@localhost openssh-8.9p1]# systemctl daemon-reload
[root@localhost openssh-8.9p1]# systemctl restart sshd
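完成修复。请再次执行 ssh -V 和 openssl version,确认版本已变为 OpenSSH_8.9p1 / OpenSSL 1.1.1n;上面的 ./configure 没有指定 --prefix,新程序默认安装在 /usr/local 下,因此还应确认 systemd 实际启动的 sshd 是新编译的程序,而不是 /usr/sbin 下的旧版本。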
踩到的坑
在编译openssh时提示openSSL library not found
解决办法
删除
yum remove openssl-devel
重新下载
yum install openssl-devel
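重新编译openssl和openssh(重新执行第2,第3步,应指上文的“编译安装 OpenSSL”和“编译安装 OpenSSH”两部分)。注意:openssl-devel 提供的是系统 1.0.2k 版本的头文件,而前面已把 /usr/include/openssl 指向 1.1.1n 的头文件目录,两者混用可能造成头文件与库版本不一致;编译完成后请用 ssh -V 确认实际链接的是 OpenSSL 1.1.1n。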