
Documenting a day in the life of a part-time operations and maintenance engineer

Popularity: 763 / 2024-08-12 17:26:03

1. Background

At the end of July the department's ops guy left, and no new ops person came in to take over. As for why there is no replacement, everyone in the know understands. The boss's idea was to have someone from development cover the role for now and try to fill the position by the end of August.

Honestly, I was somewhat reluctant, but what can you do in middle age, with elderly parents above and young children below? The only thing to do is live with it.

The part assigned to me was server vulnerability remediation. I know a few Linux commands, but in front of the words "vulnerability remediation" that still looks a bit pale. I could only pray that no work orders would come in this month, but what you fear is exactly what arrives: the very next day a work order came in. Its content, roughly, is summarized below.

2. Additional knowledge

After a rough look, there are two categories of vulnerabilities to deal with:

The version is too low;

The version is too low.

The operating system on these machines is CentOS 7.9. After searching online, I found there are several ways to upgrade software on CentOS systems.

Method 1   Manual compilation and installation: this method installs only from the source package. It requires the gcc and gcc-c++ tools; both must be installed before the next installation steps can proceed.

           Step one: after obtaining the package, extract it. The extraction steps depend on the specific archive format; use the decompression tool that matches the format.

           Step two: cd into the package's bin directory.

           Step three: execute the compile command: make. This step compiles the source files into binary files for the next installation step.

           Step four: execute the installation command: make install, which performs the software installation. If you want to install into the tool directory, execute: make install /tool/

           The advantage of the compilation method is that it is easy to locate the folders and source files, which makes later uninstallation convenient. The disadvantage is that when the package requires dependency packages, you must resolve the dependencies before the software can be installed, which is a bit of a hassle.

 Method II  RPM installation: once you have found the software's RPM package, execute rpm -ivh to install it. An rpm package simply packs the source package into rpm file format and is installed with the rpm tool. Installation is likewise affected by dependency packages and the system environment.

           Compared with manual compilation, rpm has the advantage when upgrading and uninstalling. When a newer package exists, execute the command rpm -Uvh to upgrade the software, unlike the compiled method where you uninstall and then reinstall. To uninstall software, rpm -e removes it.

 Method III  yum source installation: this method requires a network; the yum source must be reachable before you can install. If the yum source is on the Internet, an Internet connection is needed to use this method. Many organizations, considering the security of their local operating environment, generally prohibit connections to the Internet.

           Example of installing mysql through a yum source: executing the command yum install -y mysql installs it via yum. To uninstall through yum, the command yum remove mysql removes mysql.

           When installing software this way, the yum source is very important. You can configure your own yum source or use a yum source on the Internet. Using an open-source yum source on the Internet is recommended; if you build your own yum source, it is fairly hard to collect a complete set of packages.

            Changing or setting the yum source is done in its configuration file.

/enterprise/zh/thread/580933440356892672

Personally I feel the latter two are the simplest: it amounts to someone else having already built a good package and you just installing it. The sad part is that no up-to-date openssh package can be found, so the only option is to compile it from source the hard way. MySQL is a bit more comfortable in comparison, since the official site has ready-made packages.

3. Upgrade openssh

For a newbie, before starting there is always a series of fallback measures to look for, just in case. Here are some of the get-out-of-jail-free cards I gathered.

3.1 Enabling telnet

Some users say to turn on telnet first, in case the openssh upgrade fails and the machine loses its connection (or of course you can go straight to the VM administrator; the console will get you in after all).

yum install -y telnet* xinetd
vim /etc//remote
# comment out the line: auth required pam_securetty.so
systemctl start 
systemctl start 
systemctl enable 

3.2 Virtual machine snapshots

Virtual machines generally provide a snapshot function, which is simply understood as a backup and restore function, so that the system can be quickly recovered after being messed up.

3.3 Advance simulation

After all, I am a novice; running this directly against the customer environment is too risky. Better to find an intranet test machine, or set up my own virtual machine, and rehearse it properly first.

3.4 Starting compilation

Download the source packages one by one. openssh depends on zlib and openssl, so zlib and openssl must be compiled before openssh.

# Do all of the work under /opt/ssh-upgrade/source/ and keep config backups in /opt/ssh-upgrade/config_bak/
mkdir -p /opt/ssh-upgrade/source /opt/ssh-upgrade/config_bak
cd /opt/ssh-upgrade/source/
# openssh: download & unzip
wget '/pub/OpenBSD/OpenSSH/portable/openssh-9.'
tar zxvf openssh-9.
# openssl: download & unzip
wget /source/old/1.1.1/openssl-1.1.
tar zxvf openssl-1.1.
# zlib: download & unpack
wget /fossils/zlib-1.3.
tar zxvf zlib-1.3.
# Compile zlib
cd /opt/ssh-upgrade/source/zlib-1.3.1

Possible error from ./configure:
Checking for gcc...
Compiler error reporting is too harsh for ./configure (perhaps remove -Werror).
** ./configure aborting.

This means the compiler is missing and has to be installed first:
yum install -y gcc gcc-c++

./configure --prefix=/opt/ssh-upgrade/zlib
make && make install
# Compile openssl
# Back up the existing configuration
cp -rf /etc/ssl/ /opt/ssh-upgrade/config_bak/ssl

cd /opt/ssh-upgrade/source/openssl-1.1.1w

./config --prefix=/opt/ssh-upgrade/openssl/ --openssldir=/opt/ssh-upgrade/openssl/ shared
make && make install

# Point the system at the new openssl binary, headers and shared libraries
ln -sf /opt/ssh-upgrade/openssl/bin/openssl /usr/bin/openssl
ln -sf /opt/ssh-upgrade/openssl/include/openssl /usr/include/openssl
echo '/opt/ssh-upgrade/openssl/lib' >> /etc//
ldconfig
# Compile openssh
# Back up the existing configuration
cp -rf /etc/ssh/ /opt/ssh-upgrade/config_bak/ssh

cd /opt/ssh-upgrade/source/openssh-9.8p1
./configure --prefix=/opt/ssh-upgrade/openssh/ --sysconfdir=/opt/ssh-upgrade/openssh/ssh/ --with-openssl-includes=/opt/ssh-upgrade/openssl/include/ --with-ssl-dir=/opt/ssh-upgrade/openssl/ --with-zlib=/opt/ssh-upgrade/zlib/ --with-md5-passwords --without-openssl-header-check
make && make install
# Replace the system binaries with symlinks to the new build
ln -sf /opt/ssh-upgrade/openssh/sbin/sshd /usr/sbin/sshd
ln -sf /opt/ssh-upgrade/openssh/bin/ssh /usr/bin/ssh
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-add /usr/bin/ssh-add
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-agent /usr/bin/ssh-agent
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
# Restore configuration (this puts the backup under /etc/ssh/, which the new sshd does not read; see 3.5)
cp -rf /opt/ssh-upgrade/config_bak/ssh /etc/ssh/
# Enable at boot, then restart and check
chkconfig --add sshd
chkconfig sshd on
systemctl enable 
systemctl restart sshd
systemctl status sshd

Then, unexpectedly, the accident happened: the network dropped for a moment, and afterwards the machine could not be connected to. Because this was an intranet test machine I was practicing on, I had neither enabled telnet nor asked the administrator for a snapshot, so all I could do was find the administrator and get into the machine through the console to see what was going on. The administrator guessed that the ssh service had failed to start, but systemctl status sshd showed the service was fine, so most likely it was a configuration problem. Most of what I found online said it was caused by PermitRootLogin yes not being enabled in /etc/ssh/sshd_config, but checking the configuration showed no problem there. A voice deep inside me said "just reboot and see", but that did not work either.

3.5 Review

After calming down, I examined the previously executed commands line by line, and one detail aroused my suspicion, this line together with the following:

./configure --prefix=/opt/ssh-upgrade/openssh/ --sysconfdir=/opt/ssh-upgrade/openssh/ssh/ --with-openssl-includes=/opt/ssh-upgrade/openssl/include/ --with-ssl-dir=/opt/ssh-upgrade/openssl/ --with-zlib=/opt/ssh-upgrade/zlib/ --with-md5-passwords --without-openssl-header-check

--sysconfdir=/opt/ssh-upgrade/openssh/ssh/: this parameter sets the configuration file location to /opt/ssh-upgrade/openssh/ssh/, so restoring the configuration I had backed up at the very beginning to /etc/ssh/ssh/ was useless. The solution is simple: turn on PermitRootLogin yes in /opt/ssh-upgrade/openssh/ssh/sshd_config.

Make sure you understand the information you find online, and don't execute it blindly.
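As an added example (not from the original post), the following POSIX shell script turns the lesson of 3.5 into a check that can be run before restarting sshd: it reads the --sysconfdir value off the ./configure line to find the sshd_config that the new binary will actually use, tests whether that file has an effective PermitRootLogin yes, and runs the new binary's own syntax test (sshd -t -f) when the binary is present. The paths are the post's; the function names are mine, the sample config text is constructed for the demonstration, and /opt/ssh-upgrade/openssh/sbin/sshd is assumed to be the freshly built daemon as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: find the sshd_config a source-built
# sshd will actually read and check it before the old daemon is restarted.
# Paths follow the post's layout; the sample config text is constructed.

# Print the --sysconfdir value from a ./configure command line; fall back to
# /etc/ssh (the location the post's restore step assumed) if the flag is absent.
sysconfdir_from_configure() {
    dir=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--sysconfdir=//p')
    [ -n "$dir" ] || dir=/etc/ssh
    printf '%s\n' "${dir%/}"          # drop one trailing slash
}

# Succeed only if the file contains an uncommented "PermitRootLogin yes"
# (sshd keywords are case-insensitive; a leading '#' makes the line a comment).
permit_root_login_enabled() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Run OpenSSH's own config test (sshd -t) with the NEW binary against the
# config it will read. Returns 2 when the binary is not there, so the check
# can be skipped cleanly when run off-box.
sshd_config_test() {
    [ -x "$1" ] || return 2
    "$1" -t -f "$2"
}

demo() {
    conf='./configure --prefix=/opt/ssh-upgrade/openssh/ --sysconfdir=/opt/ssh-upgrade/openssh/ssh/ --with-zlib=/opt/ssh-upgrade/zlib/'
    dir=$(sysconfdir_from_configure "$conf")
    cfg="$dir/sshd_config"
    echo "new sshd reads: $cfg   (not /etc/ssh/sshd_config)"

    if [ -f "$cfg" ]; then
        target=$cfg; sample=
    else
        # Off-box: a constructed stand-in with the directive commented out,
        # which is what a freshly installed sshd_config looks like.
        sample=$(mktemp); target=$sample
        printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$sample"
    fi
    if permit_root_login_enabled "$target"; then
        echo "OK: PermitRootLogin yes is set in $target"
    else
        echo "WARNING: no effective 'PermitRootLogin yes' in $target; root logins will be refused after restart"
    fi
    [ -z "$sample" ] || rm -f "$sample"

    sshd_config_test /opt/ssh-upgrade/openssh/sbin/sshd "$cfg"
    case $? in
        0) echo "sshd -t: configuration accepted" ;;
        2) echo "new sshd binary not found; syntax check skipped" ;;
        *) echo "sshd -t reported errors; do not restart sshd yet" ;;
    esac
}

demo
```

Run it on the box after make install and before systemctl restart sshd; a warning means the restart would refuse root logins and, with the post's workflow, cut off the only session. The check only confirms which file sshd reads and whether it parses; whether root logins over ssh should be permitted at all is a separate hardening decision.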

4. Upgrade MySql

The MySQL upgrade is relatively simple: there are ready-made packages, so just download and run them.

4.1 Downloading the 5.7.44 installation package

/archives/mysql-5.7/mysql-5.7.44-1.el7.x86_64.

4.2 Backup

Back up the configuration file and the data:

cp /etc/ /data/back/my.cnf_0807

mysqldump -uroot -p'xxx' --all-databases>/data/back/sqlfiles_0807.sql

4.3 Stopping the database

systemctl stop mysqld

4.4 Upgrading with rpm -Uvh

# --nodeps skips rpm's dependency check, so install in this order
rpm -Uvh mysql-community-common-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-libs-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-libs-compat-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-devel-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-client-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-server-5.7.44-1.el7.x86_64.rpm --nodeps

4.5 Starting mysqld

service mysqld restart


4.6 Checking and upgrading the tables with mysql_upgrade

mysql_upgrade -uroot -p

Reference /doc/refman/5.7/en/

4.7 Restarting mysql

systemctl restart mysqld
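As an added example (not part of the original post), here are shell checks worth running before the rpm -Uvh --nodeps step in 4.4: --nodeps switches off rpm's own dependency and version verification, so the script confirms by hand that all six packages carry the same version-release, and it checks that the mysqldump backup from 4.2 ends with the "-- Dump completed" line that mysqldump writes last. The package file names and the backup path are the post's; the function names are mine and the sample dump content is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-checks for the
# "rpm -Uvh ... --nodeps" step. Package names are the post's; the sample
# dump file used when the real backup is absent is constructed.

# "mysql-community-server-5.7.44-1.el7.x86_64.rpm" -> "5.7.44-1.el7"
rpm_version_release() {
    f=${1##*/}            # strip directory
    f=${f%.rpm}           # strip .rpm
    f=${f%.*}             # strip architecture (.x86_64)
    rel=${f##*-}          # release: 1.el7
    f=${f%-*}
    ver=${f##*-}          # version: 5.7.44
    printf '%s-%s\n' "$ver" "$rel"
}

# Succeed only if every RPM given shares one version-release. With --nodeps,
# rpm will not catch a mismatched set (e.g. a stray 5.7.43 libs package).
same_version_set() {
    first=$(rpm_version_release "$1")
    for f in "$@"; do
        [ "$(rpm_version_release "$f")" = "$first" ] || return 1
    done
    return 0
}

# Succeed only if the dump ends with mysqldump's completion marker; a dump cut
# short by a full disk or an interrupted session lacks this final line.
dump_completed() {
    [ -s "$1" ] && tail -n 1 "$1" | grep -q '^-- Dump completed'
}

demo() {
    set -- mysql-community-common-5.7.44-1.el7.x86_64.rpm \
           mysql-community-libs-5.7.44-1.el7.x86_64.rpm \
           mysql-community-libs-compat-5.7.44-1.el7.x86_64.rpm \
           mysql-community-devel-5.7.44-1.el7.x86_64.rpm \
           mysql-community-client-5.7.44-1.el7.x86_64.rpm \
           mysql-community-server-5.7.44-1.el7.x86_64.rpm
    if same_version_set "$@"; then
        echo "package set is consistent: $(rpm_version_release "$1")"
    else
        echo "ABORT: package versions differ; do not run rpm -Uvh --nodeps"
    fi

    dump=/data/back/sqlfiles_0807.sql               # the post's backup path
    constructed=
    if [ ! -f "$dump" ]; then
        # Off-box: constructed dump tail standing in for the real file
        dump=$(mktemp); constructed=1
        printf '%s\n' '-- MySQL dump 10.13' 'CREATE TABLE t (id INT);' \
                      '-- Dump completed on 2024-08-07 10:00:00' > "$dump"
    fi
    if dump_completed "$dump"; then
        echo "backup looks complete: $dump"
    else
        echo "ABORT: $dump has no '-- Dump completed' line; re-run mysqldump first"
    fi
    [ -z "$constructed" ] || rm -f "$dump"
}

demo
```

Both checks are cheap and offline; the point is that once you pass --nodeps you have taken over rpm's job of making sure the set is coherent, and a restore is only as good as a dump that actually finished.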


5. Write at the end

Originally I had quite a lot of feelings and negative emotions I wanted to express, but once the work was actually done it seemed to turn into a kind of "not pleased by external gains, not saddened by personal losses" mentality. Am I getting old? Have I made peace with myself?
When you reach middle age, you understand it all!