Because I manage more than 200 Linux servers, keeping that many machines secure is tiring, so after learning shell scripting I decisively wrote some common scripts for routine maintenance. The OpenSSH upgrade in this article is one I perform myself almost every two or three months; otherwise the Green Alliance security scanning system always flags the relevant high-risk vulnerabilities, and since OpenSSH releases are frequent there is no way to be lazy about it. Needless to say, this script has already been executed hundreds of times on production servers, so there should be no problems with it.
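#!/bin/bash
#######################################################################
# update openssl openssh script
# Author:kl
# Date:2014/07/13
# LastModified:2016/06/02
# warning:start telnet service before use the script
#
# Rebuilds zlib, OpenSSL and OpenSSH from the source tarballs that must sit
# in the current directory (names below), removes the packaged openssh rpms,
# installs a sysvinit script and rewrites /etc/ssh/sshd_config.
# Expects an rpm/chkconfig/service/netstat based host (RHEL- or SLES-style).
#
# Environment:
#   KEEP_LEGACY_ALGORITHMS  "yes" (default) re-appends the pre-6.7 KEX,
#                           cipher and MAC lists to sshd_config; "no" keeps
#                           the upstream defaults (see configure_sshd).
#
# NOTE(review): the tarballs are extracted without any checksum/signature
# check; verify them against the upstream release signatures before running.
# The telnet fallback the script insists on is cleartext — only use it on a
# trusted management network, and it is switched off again at the end.
#######################################################################
set -euo pipefail

readonly zlib_version="zlib-1.2.8"
readonly openssl_version="openssl-1.0.2g"
readonly openssh_version="openssh-7.2p2"
readonly ssl_prefix="/usr/local/ssl"
keep_legacy_algorithms=${KEEP_LEGACY_ALGORITHMS:-yes}
readonly keep_legacy_algorithms
work_dir=$(pwd)
readonly work_dir
# Suffix for the backup copy of /etc/ssh taken before the upgrade.
backup_stamp=$(date +%y%m%d)
readonly backup_stamp
# lsb_release -i prints "Distributor ID:<TAB>NAME"; drop the 16-char label.
# If lsb_release is missing the value stays empty and the redhat paths are used.
distributor=$(lsb_release -i 2>/dev/null | cut -c 17-) || distributor=""
readonly distributor

#######################################################################
# Print a message to stderr and exit non-zero (the original exited 0 on
# error, which hid failures from any caller).
#######################################################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################################################
# Print the five-line progress banner the original used between stages.
# Arguments: $1 - text placed on the middle line
#######################################################################
banner() {
  local edge="#########################################################"
  local pad="################                          #################"
  printf '%s\n%s\n' "$edge" "$pad"
  printf '################ %s #################\n' "$1"
  printf '%s\n%s\n' "$pad" "$edge"
}

#######################################################################
# Refuse to run unless the effective user is root.
#######################################################################
require_root() {
  if [[ "$(id -u)" -ne 0 ]]; then
    die "sorry,only root can execute the script."
  fi
}

#######################################################################
# Author's choice: on non-SUSE hosts SELinux is switched off permanently
# (config set to disabled, not merely permissive). This is a hardening loss
# that goes beyond what an OpenSSH rebuild needs — reconsider on hosts
# that rely on SELinux.
# Globals: distributor (read)
#######################################################################
disable_selinux() {
  if [[ "$distributor" != "SUSE LINUX" && -e /etc/selinux/config ]]; then
    sed -i '/selinux/s/enforcing/disabled/' /etc/selinux/config
    # setenforce returns non-zero when SELinux is already off; not fatal.
    setenforce 0 || true
  fi
}

#######################################################################
# Abort unless the build prerequisites are present: pam-devel (needed for
# --with-pam; tcp_wrappers support was removed in openssh 6.7 so it is no
# longer checked), a listening telnet service as the out-of-band fallback
# while sshd is down, and a gcc binary.
# Note: grep is used without -q on pipelines so the producer is never hit
# by SIGPIPE, which pipefail would otherwise report as a failure.
#######################################################################
check_prerequisites() {
  local gcc_path
  gcc_path=$(command -v gcc || true)

  if ! rpm -qa | grep pam-devel >/dev/null 2>&1; then
    die "pam-devel is not installed"
  fi

  if netstat -tnlp | grep -w 23 >/dev/null; then
    echo "telnet service is running------------[Yes]"
  else
    echo "telnet service is not running--------[No]"
    exit 1
  fi

  if [[ -n "$gcc_path" && -e "$gcc_path" ]]; then
    echo "gcc is installed----------------[Yes]"
  else
    echo "gcc is not installed------------[No]"
    exit 1
  fi
}

#######################################################################
# Stop the running sshd, keep a copy of its init script in /root and
# remove every openssh rpm (ignoring dependencies, as the original did).
#######################################################################
retire_packaged_openssh() {
  local pkg
  if netstat -tnlp | grep -w 22 >/dev/null; then
    service sshd stop
    echo "stop sshd service --------------[Yes]"
  fi
  if [[ -e /etc/init.d/sshd ]]; then
    cp /etc/init.d/sshd /root
  fi
  if rpm -qa | grep openssh >/dev/null 2>&1; then
    while IFS= read -r pkg; do
      rpm -e --nodeps "$pkg" || die "remove $pkg failed"
      echo "remove $pkg success------------[yes]"
    done < <(rpm -qa | grep openssh)
  fi
}

#######################################################################
# Unpack "<name>.tar.gz" from the work directory and cd into "<name>".
# Arguments: $1 - tarball base name (also the directory it creates)
# Globals:   work_dir (read)
#######################################################################
extract_and_enter() {
  local name=$1
  cd "$work_dir" || die "cannot cd to $work_dir"
  tar -zxf "${name}.tar.gz" || die "extract ${name}.tar.gz failed"
  cd "$name" || die "cannot cd to $name"
}

#######################################################################
# Move an existing path aside as "<path>.off" and symlink it to the new
# location (mirrors the original mv && ln -s sequence).
# Arguments: $1 - path to replace, $2 - symlink target
#######################################################################
replace_with_symlink() {
  local target=$1 source=$2
  if [[ -e "$target" ]]; then
    mv "$target" "$target.off"
  fi
  ln -s "$source" "$target"
}

#######################################################################
# Build and install zlib into its default prefix.
#######################################################################
install_zlib() {
  extract_and_enter "$zlib_version"
  ./configure || die "configure zlib has encountered an error"
  make || die "make zlib has encountered an error"
  make install || die "install zlib has encountered an error"
  banner "zlib install success"
  sleep 2
}

#######################################################################
# Build OpenSSL (shared, with zlib) into $ssl_prefix, point the
# well-known binary/header paths at it and register its lib dir with
# the dynamic loader.
# Globals: ssl_prefix (read)
#######################################################################
install_openssl() {
  extract_and_enter "$openssl_version"
  ./config shared zlib || die "configure openssl has encountered an error"
  make || die "make openssl has encountered an error"
  make install || die "install openssl has encountered an error"

  replace_with_symlink /usr/bin/openssl "$ssl_prefix/bin/openssl"
  replace_with_symlink /usr/include/openssl "$ssl_prefix/include/openssl"

  # The original tested the grep output with "-e" (file existence), which
  # only worked by accident; test whether the line is already present.
  if ! grep -w "$ssl_prefix/lib" /etc/ld.so.conf >/dev/null 2>&1; then
    printf '%s\n' "$ssl_prefix/lib" >> /etc/ld.so.conf
  fi
  ldconfig -v
  banner "openssl install sucess"
  sleep 2
}

#######################################################################
# Copy the distribution-specific sysvinit script from the OpenSSH source
# tree (cwd) and register the sshd service.
# Globals: distributor (read)
#######################################################################
install_init_script() {
  local init_src
  if [[ "$distributor" == "SUSE LINUX" ]]; then
    init_src=contrib/suse/rc.sshd
  else
    init_src=contrib/redhat/sshd.init
  fi
  cp "$init_src" /etc/init.d/sshd
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd
}

#######################################################################
# Back up /etc/ssh, build OpenSSH against the freshly built OpenSSL and
# install it under /usr with its config in /etc/ssh, plus the init script
# and a generic PAM stack.
# Globals: backup_stamp, ssl_prefix (read)
#######################################################################
install_openssh() {
  if [[ -e /etc/ssh ]]; then
    # This moves the existing host keys aside as well; presumably
    # "make install" generates new ones — confirm. Clients will then see
    # a changed host key unless the keys are restored from the backup.
    mv /etc/ssh "/etc/ssh_$backup_stamp"
  fi
  extract_and_enter "$openssh_version"
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam \
    --with-ssl-dir="$ssl_prefix" --with-md5-passwords \
    || die "configure openssh has encountered an error"
  make || die "make openssh has encountered an error"
  make install || die "install openssh has encountered an error"
  install_init_script
  # a generic pam configuration is included as contrib/sshd.pam.generic;
  # you may need to edit it before using it on your system. The sed strips
  # the absolute module directory so PAM resolves modules from its own path.
  cp contrib/sshd.pam.generic /etc/pam.d/sshd
  sed -i 's/\/lib\/security\///g' /etc/pam.d/sshd
}

#######################################################################
# Adjust the freshly installed /etc/ssh/sshd_config (a backup is kept as
# sshd_config_bak): optionally re-enable the legacy algorithm lists,
# forbid root login and turn on PAM.
# Globals: keep_legacy_algorithms (read)
#######################################################################
configure_sshd() {
  local cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "${cfg}_bak"

  if [[ "$keep_legacy_algorithms" == "yes" ]]; then
    # Since OpenSSH 6.7 the defaults drop the CBC ciphers, arcfour*,
    # MD5/SHA1-96 MACs and group1 KEX as unsafe. The author re-enables them
    # for old clients; this lets a peer negotiate weak algorithms, so run
    # with KEEP_LEGACY_ALGORITHMS=no once the old clients are gone.
    # sshd honours the first occurrence of a keyword, so these appended
    # lines only take effect because the stock file leaves them commented;
    # an active "Match" block above them would scope them to that block.
    # NOTE(review): the "@domain" entries in the original were garbled by
    # extraction; curve25519-sha256@libssh.org and umac-64@openssh.com are
    # reconstructed from the era's default lists — confirm against the
    # author's copy.
    {
      printf 'KexAlgorithms %s\n' \
        'diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org'
      printf 'Ciphers %s\n' \
        'aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc'
      printf 'MACs %s\n' \
        'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'
    } >> "$cfg"
  fi

  # Disable root access via ssh. Since 7.0p1 the default is
  # "prohibit-password" (key/hostbased/GSSAPI only); the author goes one
  # step further to "no", so make sure a non-root login path exists.
  sed -i 's/^#PermitRootLogin/PermitRootLogin/' "$cfg"
  sed -i '/PermitRootLogin/s/prohibit-password/no/' "$cfg"
  # Enable PAM authentication, account and session processing.
  sed -i '/^#UsePAM no/a UsePAM yes' "$cfg"
}

#######################################################################
# Start the new sshd; only once it is listening again is the telnet
# fallback disabled in xinetd. Finally report the installed version.
#######################################################################
start_sshd_and_retire_telnet() {
  service sshd start
  if netstat -tnlp | grep -w 22 >/dev/null; then
    sed -i '/disable/s/no/yes/' /etc/xinetd.d/telnet
    service xinetd restart
  fi
  banner "openssh install sucess"
  echo "############### ssh version ####################################################"
  # The original ran "sshd -v", which only shows the version inside its
  # usage error and exits non-zero; "ssh -V" reports the same version info.
  ssh -V
  echo "####################################################################################"
}

main() {
  require_root
  disable_selinux
  check_prerequisites
  retire_packaged_openssh
  install_zlib
  install_openssl
  install_openssh
  configure_sshd
  start_sshd_and_retire_telnet
}

main "$@"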
This article is from the "mirror is not Taiwan" blog; please be sure to keep this source: http://kk876435928.blog.51cto.com/3530246/1813925
Shell script to automatically upgrade OpenSSH