I. Vulnerability Analysis
A Linux system security hardening review was recently carried out, in which the servers were scanned for vulnerabilities and the findings analysed.
The scan reported three major OpenSSH security vulnerabilities:
1: OpenSSH GSSAPI signal handler remote code execution vulnerability (CVE-2006-5051)
Vulnerability category: daemon
Risk level: high
Affected platform: OpenSSH < 4.4
Description: OpenSSH releases earlier than 4.4 contain a race condition in an sshd signal handler. A remote attacker can trigger it before authentication to crash the service (denial of service). On portable OpenSSH with GSSAPI authentication enabled, the same bug may allow arbitrary code execution on the system.
Mitigation: upgrade to OpenSSH 4.4 or the latest OpenSSH release. OpenSSH 4.4 is available from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
Reference: MLIST [openssh-unix-dev] 20060927 Announce: OpenSSH 4.4 released, http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115939141729160&w=2
2: OpenSSH GSSAPI authentication abort information leakage vulnerability (CVE-2006-5052)
Vulnerability No.: 000a03fa
Vulnerability category: daemon
Risk level: (not given in the scan output)
Description: portable OpenSSH releases earlier than 4.4 leak information during GSSAPI authentication. A remote attacker can abort the GSSAPI authentication exchange and, on some platforms, tell valid usernames from invalid ones by the differing error responses, which allows account enumeration.
Mitigation: upgrade to OpenSSH 4.4 or the latest OpenSSH release. OpenSSH 4.4 release notes: http://www.openssh.com/txt/release-4.4
Reference: BUGTRAQ 20061005 rPSA-2006-0185-1 gnome-ssh-askpass openssh-client openssh-server, http://www.securityfocus.com/archive/1/archive/1/447861/100/200/threaded
3: OpenSSH X connection session hijacking vulnerability (CVE-2008-1483)
Vulnerability category: daemon
Risk level: (not given in the scan output)
Affected platform: OpenSSH 4.3p2 and earlier
Description: when X11 forwarding is enabled, sshd(8) does not correctly handle the case where it fails to bind the X11 display's IPv4 port but succeeds in binding the IPv6 port: it still assigns that display number to the login, so X11 clients connecting over IPv4 reach a port that sshd never bound. A malicious local user can therefore listen on the unused IPv4 port in advance (for example tcp port 6010). When an unsuspecting user then logs in and starts an X11 session over the forwarded display, the attacker captures all X11 data sent to that port, which may expose sensitive information (including the X authentication cookie) or let the attacker run commands with the victim's X11 forwarding privileges.
Mitigation: apply the available update. The fix is carried as a patch in Fedora's openssh package: openssh-3.9p1-skip-used.patch, http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=markup
Reference: BUGTRAQ 20080325 rPSA-2008-0120-1 gnome-ssh-askpass openssh-client openssh-server, http://www.securityfocus.com/archive/1/archive/1/490054/100/0/threaded
II. Vulnerability repair
My repair steps:
From the analysis above, my first thought was to upgrade OpenSSH to close these vulnerabilities. The upgrade goes as follows:
1
wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz
At the time of writing the newest OpenSSH release is 6.0. To be on the safe side I did not jump to the very latest release and chose 5.8p2 to download and install. Whichever release you pick, read its release notes first so you do not settle on one that already has published security fixes of its own, and check the downloaded tarball against the project's published signature before building it.
2
tar xvf openssh-5.8p2.tar.gz # self-explanatory
3
cd openssh-5.8p2 # self-explanatory
4
./configure --prefix=/usr --sysconfdir=/etc/ssh
Download the source package and compile it. Note my build path: I want to install OpenSSH over the original location, so after installation there is no need to copy a new sshd init script into /etc/init.d. You can choose a different installation path to suit your own situation. Be aware that installing over /usr replaces the distribution's packaged binaries while the package database still records the old version, so a later package update of openssh can silently overwrite this build.
5
make # self-explanatory
6
mv /etc/ssh/* /etc/sshbak/
Because I am installing over the original path, I moved the configuration files out of the way first; otherwise make install reports an error. Create /etc/sshbak beforehand (mkdir -p /etc/sshbak). Note that with the old files moved away, make install generates a fresh set of host keys, so every client that connects afterwards will see a host-key-changed warning. Copy the old ssh_host_* keys and your hardened sshd_config back from /etc/sshbak after make install and before restarting the service.
7
make install # self-explanatory
8
/etc/init.d/sshd restart
Pay attention here. If an error was reported during the earlier compilation and you force the installation anyway, the sshd service may fail to start, and you can imagine the consequences! Keep your current SSH session open until a fresh login succeeds, and validate the configuration with the new binary first (/usr/sbin/sshd -t) so that a bad config is caught while the old daemon is still running.
9
chkconfig --add sshd # self-explanatory
10
chkconfig sshd on # self-explanatory
If your sshd service starts normally, congratulations!
Run ssh -V to check the version:
[Health@jumpserver-12 ~]$ ssh -V
OpenSSH_5.8p2, OpenSSL 1.0.0-fips 29 Mar 2010
You have successfully upgraded to version 5.8p2!
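The ten steps above collected into one script, as an added example that is not from the original post, with the checks a practitioner wants around them: the tarball's SHA-256 is verified before anything is built, the old host keys and sshd_config are restored after make install, the config is validated with the new binary before the running daemon is touched, and the installed version is parsed from the ssh -V banner and compared against the target. It assumes the same mirror URL, tarball, prefix and sysconfdir as the post, a CentOS-style host with wget, sha256sum, chkconfig and /etc/init.d/sshd, and that the operator supplies the expected hash in OPENSSH_SHA256 (a hypothetical variable name) after checking it against the project's PGP-signed release.

```shell
#!/bin/sh
# Added example, not from the original post: the ten upgrade steps wrapped in
# the checks a practitioner wants. Assumptions: same mirror URL, tarball,
# prefix and sysconfdir as the post; a CentOS-style host with wget, sha256sum,
# chkconfig and /etc/init.d/sshd; the expected SHA-256 is supplied by the
# operator in OPENSSH_SHA256 (a hypothetical variable name) after checking it
# against the project's PGP-signed release.
set -eu

VERSION=5.8p2
TARBALL="openssh-$VERSION.tar.gz"
URL="http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/$TARBALL"
PREFIX=/usr
SYSCONFDIR=/etc/ssh
BACKUP=/etc/sshbak
EXPECTED_SHA256="${OPENSSH_SHA256:-}"

# Extract "5.8p2" (or "6.0" for a non-portable build) from the first line of
# `ssh -V`, which OpenSSH writes to stderr.
openssh_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Split "5.8p2" into "5 8 2"; a missing portable patch level counts as 0.
version_fields() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    case $rest in
        *p*) minor=${rest%%p*}; patch=${rest#*p} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# version_ge A B: succeed when OpenSSH version A is at least version B.
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Refuse to build a tarball whose SHA-256 is unknown or does not match.
verify_tarball() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

upgrade_openssh() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    wget -O "$TARBALL" "$URL"
    verify_tarball "$TARBALL" "$EXPECTED_SHA256" ||
        { echo "checksum mismatch or not set, refusing to build" >&2; return 1; }
    tar xzf "$TARBALL"
    cd "openssh-$VERSION"
    ./configure --prefix="$PREFIX" --sysconfdir="$SYSCONFDIR"
    make
    # Step 6 of the post: move the old config aside before make install, which
    # then writes a fresh set of host keys and a stock sshd_config.
    mkdir -p "$BACKUP"
    mv "$SYSCONFDIR"/* "$BACKUP"/
    make install
    # Put the old host keys and the hardened sshd_config back, otherwise every
    # client sees a host-key-changed warning and local hardening is lost.
    cp -p "$BACKUP"/ssh_host_* "$BACKUP"/sshd_config "$SYSCONFDIR"/
    # Validate the config with the new binary while the old daemon still runs;
    # keep the current SSH session open until a fresh login succeeds.
    "$PREFIX"/sbin/sshd -t -f "$SYSCONFDIR"/sshd_config
    /etc/init.d/sshd restart
    chkconfig --add sshd
    chkconfig sshd on
    installed=$(openssh_version_from_banner "$(ssh -V 2>&1)")
    version_ge "$installed" "$VERSION" ||
        { echo "still running OpenSSH $installed" >&2; return 1; }
    echo "OpenSSH $installed installed"
}

# Only perform the upgrade when explicitly asked; the helpers above can be
# sourced on their own, e.g. to check a fleet's ssh -V banners against a minimum.
if [ "${1-}" = "--run" ]; then
    upgrade_openssh
fi
```

Run it as root with `sh upgrade-openssh.sh --run` after exporting OPENSSH_SHA256. The version helpers deliberately refuse to treat 4.3p2 as "at least 4.4", which is the comparison that decides whether findings 1 and 2 above still apply to a host.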
III. Troubleshooting
Troubleshooting:
If ./configure reports an error, install gcc (I used gcc-4.5.1.tar.bz2) and openssl-devel. The last lines of configure's output name the missing component; the OpenSSL development headers are the usual cause.
From the BLOG of kjh2007abc