centos7.x-ssh9.3p2-ssl1.1.1u-rpm-x86-64升级脚本

#!/bin/bash set -e ###########变量区############## file="ssh9.3p2_ssl1.1.1u_rpm_x86_64.tar.gz" BackupDir=/tmp/sshd_backup_`date +%Y%m%d` PatchLog=$BackupDir/ssh_ssl_upgrage.log ExecDir=/tmp/updatessh #影藏版本号(远程登录提示的版本号,可能与“ssh -V”查询的有差异,是否加单引号和双信号都可用) version="OpenSSH_9.3" ########################## function _echo () { local info=$* echo -e "\e[1;33m ${info} \e[0m" |tee -a $PatchLog } function runcheck() { if [ "`id -u`" -ne 0 ] then echo -e "\033[31m"$0:this script must be run as root!" \033[0m" exit 1 elif [ "`uname -p`" != "x86_64" ] then echo -e "\033[31m"$0:this script must be run on x86_64!" \033[0m" exit 1 elif [ "`rpm -q --queryformat '%{VERSION}' centos-release`" != "7" ] then echo -e "\033[31m"$0:this script must be run on centos7.x版本!" \033[0m" exit 1 #编译安装openssl与已有openssl11-libs存在冲突 elif test ! -z "$(rpm -qa | grep openssl11-libs)"; then echo -e "\033[31m"系统已安装openssl11-libs包与当前升级包冲突，可能影响nignx等服务，请手动卸载后继续!" \033[0m" exit 1 #判断^PermitRootLogin是否多行（大于1） elif [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then echo -e "\033[31m"注意!经检测配置文件存在多个root远程登录配置参数，查询如下：" \033[0m" grep -n '^PermitRootLogin ' /etc/ssh/sshd_config echo -e "\033[31m"请手动验证后继续!" \033[0m" exit 1 else [ -d $BackupDir ] || mkdir -p $BackupDir >>/dev/null fi } #yum function pkginstall() { _echo "# `date +%F-%X` install base pkg......" yum install libXt-devel imake libSM libICE zlib-devel pam-devel -y>> /dev/null && sleep 5 _echo "# `date +%F-%X` install base pkg done." } #wget function rpmdown() { [ -d $ExecDir ] || mkdir -p $ExecDir >/dev/null [ -f $ExecDir/$file ] || cp $file $ExecDir if [ $? -eq 0 ] then cd $ExecDir tar -xzvf $file else echo -e "\033[31m"$file download faild,please check!" \033[0m" exit 1 fi } #OpenSSL function install_openssl() { if test ! -z "$(rpm -qa | grep openssl | grep -v libs)"; then ssl_ver=`openssl version|awk '{print $1"-"$2}'` _echo "# `date +%F-%X` uninstall $ssl_ver......" rpm -e `rpm -qa | grep openssl | grep -v libs` --nodeps fi _echo "# `date +%F-%X` install openssl......" rpm -Uvh openssl* --nodeps # cp /etc/ld.so.conf /etc/ld.so.conf.bak # sed -i '/openssl/d' /etc/ld.so.conf # #sed -i 's/openssl-1.1.1h/openssl/g' /etc/ld.so.conf # echo "/usr/local/openssl/lib">> /etc/ld.so.conf # ldconfig # _echo "# `date +%F-%X` openssl upgrade done......" # _echo "# `date +%F-%X` Curren version:" # openssl version|tee -a $PatchLog } #OpenSSH function install_openssh() { _echo "------------------------------------------" _echo "# `date +%F-%X` Stop sshd......" # systemctl stop sshd if systemctl is-active --quiet sshd; then systemctl stop sshd fi _echo "# `date +%F-%X` backup /etc/pam.d/sshd......" cp /etc/pam.d/sshd $BackupDir _echo "# `date +%F-%X` /etc/ssh/sshd_config......" cp /etc/ssh/sshd_config $BackupDir _echo "# `date +%F-%X` uninstall openssh......" rpm -e `rpm -qa | grep openssh` --nodeps _echo "# `date +%F-%X` install openssh......" rpm -Uvh openssh* --nodeps _echo "# `date +%F-%X` chmod 600 /etc/ssh/*_key......" chmod 600 /etc/ssh/*_key _echo "# `date +%F-%X` recover /etc/pam.d/sshd......" \cp $BackupDir/sshd /etc/pam.d/sshd _echo "# `date +%F-%X` recover /etc/ssh/sshd_config......" \cp $BackupDir/sshd_config /etc/ssh/sshd_config _echo "# `date +%F-%X` restart sshd......" systemctl restart sshd _echo "# `date +%F-%X` openssh upgrade done......" _echo "# `date +%F-%X` Curren version:" #ssh -V|tee -a $PatchLog ssh -V _echo "# `date +%F-%X` openssh && openssl update sucess!" ############# ##添加ssh-copy-id 命令(本脚本编译前已添加) ##tar -zxf $file ssh-copy-id && mv ssh-copy-id /usr/bin/ && chmod +x ssh-copy-id #mv ssh-copy-id /usr/bin/ && chmod +x /usr/bin/ssh-copy-id ############# } rpmclear() { rm -rf $ExecDir >/dev/null && _echo "# `date +%F-%X` clear $ExecDir done." } main() { runcheck # pkginstall rpmdown install_openssl install_openssh rpmclear } main ##安全加固(本脚本安装包已默认加固) #if [ `grep 'chacha20-poly1305@openssh.com' /etc/ssh/sshd_config|wc -l` -eq 0 ] #then #echo Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com >> /etc/ssh/sshd_config && \ #echo KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 >> /etc/ssh/sshd_config #systemctl restart sshd #fi #隐藏版本号: (本地执行"ssh -V"任可见，根据实际版本号进行替换，x.x可为任意字母或数字) #根据ssh-V 和 strings /usr/sbin/sshd|grep 'OpenSSH_' 确定要修改的版本 #备份文件 cp -a /usr/sbin/sshd /usr/sbin/sshd-bak-`date +%F` #sed -i 's/OpenSSH_9.3/OpenSSH_x.x/g' /usr/sbin/sshd sed -i "s/${version}/OpenSSH_x.x/g" /usr/sbin/sshd systemctl restart sshd ##授权（确认root能远程登录再执行,升级为8.6后默认为不允许root登录）(可选项) if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ] then echo -e "\033[31m"注意!经检测root用户远程登录未配置，root用户无法远程登录!!" \033[0m" while true; do read -p "请确认开启/禁用: root远程登录?[y/n]:" sure case $sure in y|Y|Yes|yes|YES) echo "输入为：$sure，开启root远程登录中...." sed -i '/^#PermitRootLogin/s/#PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config #判断并删除^PermitRootLogin开头行重复值(倒序删除) if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then for i in $(grep -n '^PermitRootLogin' /etc/ssh/sshd_config | sed '1d' | cut -d ':' -f 1|sort -rn) do sed -i "${i}d" /etc/ssh/sshd_config done fi systemctl restart sshd echo -e "\033[32m" 开启root远程登录完成,请新开窗口验证后再退出当前终端!!" \033[0m" #break exit 0 ;; n|N|NO|no) echo "输入为: $sure,禁用root远程登录中..." sed -i '/^#PermitRootLogin/s/#PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config #判断并删除^PermitRootLogin开头行重复值(倒序删除) if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then for i in $(grep -n '^PermitRootLogin' /etc/ssh/sshd_config | sed '1d' | cut -d ':' -f 1|sort -rn) do sed -i "${i}d" /etc/ssh/sshd_config done fi systemctl restart sshd echo -e "\033[32m" 禁用root远程登录完成" \033[0m" exit 0 ;; *) echo "输入错误，请重新输入" ;; esac done fi