最近的，openssl/openssh等相继漏洞的暴露，让暴露在公网的linux.沦陷为肉鸡的正营。。。

没办法，还是升级版本。。。

00、openssh简介

　　OpenSSH 是一组安全远程的连接工具,主要包括了几个部份：ssh、sshd、scp、sftp、ssh-keygen、ssh-agent、ssh-add等

ssh（SSH 客户端，用于登录建立连接，是 rlogin 与 Telnet的安全替代方案）
sshd （SSH 服务端，典型的独立守护进程）
scp、sftp （文件安全传输工具，rcp、ftp 安全的替代方案）
ssh-keygen （用于产生 RSA 或 DSA 密钥）
ssh-agent、ssh-add（帮助用户不需要每次都要输入金钥密码的工具）

01、编译前的准备工作

下载openssh:

　　https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

A: 已经安装了openssl(新版本的,编译安装的)

B:或者基于本机的openssl（yum install -y openssl-devel）

openssl version -a   #查看当前版本的openssl

ssh  -V                     #当前openssh编译的版本

yum install -y zlib-devel  #如果编译参数压缩的需要安装

02、编译安装 OpenSSH

./configure –prefix=/usr/local/openssh –sysconfdir=/etc/ssh2  –with-ssl-dir=/usr/local/openssl #如果openssl已经基于源码升级需要加此参数，但基于本机openssl的不需要添加
make -j4 && make install

解释：
–prefix 安装目录
–sysconfdir 配置文件目录  #当前的/etc/ssh   目的不覆盖，也可以基于本机直接覆盖安装
–with-ssl-dir 指定 OpenSSL 的安装目录（基于源码安装的）

03、备份OpenSSH 旧配置文件

mv  /etc/init.d/sshd   /etc/init.d/sshd.bak

04、修改ssh启动脚本

openssh-7.4p1\contrib\redhat\sshd.init sshd就是根据sshd,init修改的针对redhat发行版本

根据实际情况修正的sshd脚本  /etc/init.d/sshd

#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"

# Some functions to make the below more readable
SSHD=/usr/local/openssh/sbin/sshd  #按实际情况调整
PID_FILE=/var/run/sshd.pid

do_restart_sanity_check()
{
    $SSHD -t
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        failure $"Configuration file or keys are invalid"
        echo
    fi
}

start()
{
    # Create keys if necessary
    /usr/local/openssh/bin/ssh-keygen -A  #按实际情况调整
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon /etc/ssh2/ssh_host_key.pub
        /sbin/restorecon /etc/ssh2/ssh_host_rsa_key.pub
        /sbin/restorecon /etc/ssh2/ssh_host_dsa_key.pub
        /sbin/restorecon /etc/ssh2/ssh_host_ecdsa_key.pub
    fi

    echo -n $"Starting $prog:"
    $SSHD $OPTIONS && success || failure
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
    echo
}

stop()
{
    echo -n $"Stopping $prog:"
    killproc $SSHD -TERM
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
    echo
}

reload()
{
    echo -n $"Reloading $prog:"
    killproc $SSHD -HUP
    RETVAL=$?
    echo
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    reload)
        reload
        ;;
    condrestart)
        if [ -f /var/lock/subsys/sshd ] ; then
            do_restart_sanity_check
            if [ $RETVAL -eq 0 ] ; then
                stop
                # avoid race
                sleep 3
                start
            fi
        fi
        ;;
    status)
        status $SSHD
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL

chmod +x /etc/init.d/sshd  

添加允许root远程登录
/etc/ssh2/sshd_config
PermitRootLogin yes

05、设置环境变量

vim /etc/profile
export PATH=/usr/local/openssh/bin:$PATH

source /etc/profile

06、开机自启动 sshd

service sshd restart

chkconfig sshd on

07、openssh编译参数

[root@rhel openssh-7.4p1]# ./configure –help
`configure\’ configures OpenSSH Portable to adapt to many kinds of systems.

Usage: ./configure [OPTION]… [VAR=VALUE]…

To assign environment variables (e.g., CC, CFLAGS…), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
-h, –help display this help and exit
–help=short display options specific to this package
–help=recursive display the short help of all the included packages
-V, –version display version information and exit
-q, –quiet, –silent do not print `checking …\’ messages
–cache-file=FILE cache test results in FILE [disabled]
-C, –config-cache alias for `–cache-file=config.cache\’
-n, –no-create do not create output files
–srcdir=DIR find the sources in DIR [configure dir or `..\’]

Installation directories:
–prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
–exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]

By default, `make install\’ will install all the files in
`/usr/local/bin\’, `/usr/local/lib\’ etc. You can specify
an installation prefix other than `/usr/local\’ using `–prefix\’,
for instance `–prefix=$HOME\’.

For better control, use the options below.

Fine tuning of the installation directories:
–bindir=DIR user executables [EPREFIX/bin]
–sbindir=DIR system admin executables [EPREFIX/sbin]
–libexecdir=DIR program executables [EPREFIX/libexec]
–sysconfdir=DIR read-only single-machine data [PREFIX/etc]
–sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
–localstatedir=DIR modifiable single-machine data [PREFIX/var]
–libdir=DIR object code libraries [EPREFIX/lib]
–includedir=DIR C header files [PREFIX/include]
–oldincludedir=DIR C header files for non-gcc [/usr/include]
–datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
–datadir=DIR read-only architecture-independent data [DATAROOTDIR]
–infodir=DIR info documentation [DATAROOTDIR/info]
–localedir=DIR locale-dependent data [DATAROOTDIR/locale]
–mandir=DIR man documentation [DATAROOTDIR/man]
–docdir=DIR documentation root [DATAROOTDIR/doc/openssh]
–htmldir=DIR html documentation [DOCDIR]
–dvidir=DIR dvi documentation [DOCDIR]
–pdfdir=DIR pdf documentation [DOCDIR]
–psdir=DIR ps documentation [DOCDIR]

System types:
–build=BUILD configure for building on BUILD [guessed]
–host=HOST cross-compile to build programs to run on HOST [BUILD]

Optional Features:
–disable-option-checking ignore unrecognized –enable/–with options
–disable-FEATURE do not include FEATURE (same as –enable-FEATURE=no)
–enable-FEATURE[=ARG] include FEATURE [ARG=yes]
–disable-largefile omit support for large files
–disable-pkcs11 disable PKCS#11 support code [no]
–disable-strip Disable calling strip(1) on install
–disable-etc-default-login Disable using PATH from /etc/default/login no
–disable-lastlog disable use of lastlog even if detected no
–disable-utmp disable use of utmp even if detected no
–disable-utmpx disable use of utmpx even if detected no
–disable-wtmp disable use of wtmp even if detected no
–disable-wtmpx disable use of wtmpx even if detected no
–disable-libutil disable use of libutil (login() etc.) no
–disable-pututline disable use of pututline() etc. (uwtmp) no
–disable-pututxline disable use of pututxline() etc. (uwtmpx) no

Optional Packages:
–with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
–without-PACKAGE do not use PACKAGE (same as –with-PACKAGE=no)
–without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
–with-ssh1 Enable support for SSH protocol 1
–without-stackprotect Don\’t use compiler\’s stack protection
–without-hardening Don\’t use toolchain hardening flags
–without-rpath Disable auto-added -R linker paths
–with-cflags Specify additional flags to pass to compiler
–with-cppflags Specify additional flags to pass to preprocessor
–with-ldflags Specify additional flags to pass to linker
–with-libs Specify additional libraries to link with
–with-Werror Build main code with -Werror
–with-solaris-contracts Enable Solaris process contracts (experimental)
–with-solaris-projects Enable Solaris projects (experimental)
–with-solaris-privs Enable Solaris/Illumos privileges (experimental)
–with-osfsia Enable Digital Unix SIA
–with-zlib=PATH Use zlib in PATH
–without-zlib-version-check Disable zlib version check
–with-skey[=PATH] Enable S/Key support (optionally in PATH)
–with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
–with-libedit[=PATH] Enable libedit support for sftp
–with-audit=module Enable audit support (modules=debug,bsm,linux)
–with-pie Build Position Independent Executables if possible
–with-ssl-dir=PATH Specify path to OpenSSL installation   #源码编译openssl需要指定
–without-openssl-header-check Disable OpenSSL version consistency check
–with-ssl-engine Enable OpenSSL (hardware) ENGINE support
–with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT
–with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
–with-pam Enable PAM support
–with-pam-service=name Specify PAM service name
–with-privsep-user=user Specify non-privileged user for privilege separation
–with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)
–with-selinux Enable SELinux support
–with-kerberos5=PATH Enable Kerberos 5 support
–with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
–with-xauth=PATH Specify path to xauth program
–with-maildir=/path/to/mail Specify your system mail directory
–with-mantype=man|cat|doc Set man page type
–with-md5-passwords Enable use of MD5 passwords
–without-shadow Disable shadow password support
–with-ipaddr-display Use ip address instead of hostname in $DISPLAY
–with-default-path= Specify default $PATH environment for server
–with-superuser-path= Specify different path for super-user
–with-4in6 Check for and convert IPv4 in IPv6 mapped addresses
–with-bsd-auth Enable BSD auth support
–with-pid-dir=PATH Specify location of ssh.pid file
–with-lastlog=FILE|DIR specify lastlog location common locations

Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor

Use these variables to override the choices made by `configure\’ or to help
it to find libraries and programs with nonstandard names/locations.

OpenSSH has been configured with the following options:
User binaries: /usr/local/openssh/bin
System binaries: /usr/local/openssh/sbin
Configuration files: /etc/ssh2
Askpass program: /usr/local/openssh/libexec/ssh-askpass
Manual pages: /usr/local/openssh/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit

Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE Preprocessor flags: -I/usr/local/openssl/include
Linker flags: -L/usr/local/openssl/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-
protector-all -pie Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv