1. Background
At the end of July the department's senior ops engineer left, and no new ops person took over. As for why there is no replacement, everyone who knows, knows. The boss's idea is that someone from development covers the gap for now, and a replacement will be found by the end of August.
Honestly, I resist this a little, but what can I do? I'm middle-aged, with elderly parents and young children to support, and the only option is to live with it.
The part assigned to me is server vulnerability remediation. I know a few Linux commands, but the words "vulnerability remediation" still leave me feeling a bit helpless. I could only pray that no work order would come this month, but what you fear tends to come: a work order arrived the next day, and its contents are roughly as follows.
2. Additional knowledge
After a rough look there are two categories of vulnerabilities to deal with, namely:
The version is too low;
The version is too low.
The operating system on these machines is CentOS 7.9. After some searching, there are several ways to upgrade software on a CentOS system.
Method 1, manual compilation and installation: this method installs from a source package and needs the gcc and gcc-c++ compilers, which must be installed before anything else. Step one: after obtaining the package, extract it; the extraction command depends on the archive format (tar zxvf for a .tar.gz, for example). Step two: cd into the extracted source directory. Step three: run ./configure and then the compile command make, which turns the source into binaries for the next step. Step four: run the install command make install. If you want the software installed under a directory of your own, such as /tool, pass it to configure as --prefix=/tool before running make; make install itself takes no directory argument. The advantage of compiling is that all the files land in one directory you chose, which makes later uninstallation straightforward. The disadvantage is that when the package needs dependencies you have to resolve them yourself before it will build, which is a bit of a hassle.
Method 2, RPM installation: when you find an RPM package for the software, run rpm -ivh <package>.rpm to install it. An RPM package is just the built software packed into the rpm file format, installed with the rpm tool. Installation is still affected by dependent packages and the system environment. Compared with manual compilation, rpm's advantage is upgrading and uninstalling: when a newer package exists, rpm -Uvh <package>.rpm (uppercase U) upgrades in place, unlike the compiled method where you uninstall and then reinstall; rpm -e <package> uninstalls.
Method 3, yum repository installation: this method needs network access to a yum repository before anything can be installed; if the repository is on the Internet, the machine must be able to reach it. Many organisations consider the security of their operating environment and generally forbid Internet connections. Installing mysql from a yum repository, for example: yum install -y mysql. Uninstalling with yum: yum remove mysql. With this method the yum repository is what matters: you can build your own or use a public one on the Internet. The public ones are recommended, because a self-built repository is hard to populate completely. Repositories are changed or configured in the yum repo configuration files.
/enterprise/zh/thread/580933440356892672
Personally I feel the latter two are the simplest: someone else has already produced a working package and you just install it. The sad part is that no package of the latest openssh version could be found, so I had to compile it from source myself; MySQL was more comfortable by comparison, as the official site has ready-made packages.
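As an added example (not from the original post), the following shell functions turn the scanner's "version too low" finding into something you can check yourself on the box, before and after the upgrade. The required versions are taken from what the post ends up installing (OpenSSH 9.8p1 and OpenSSL 1.1.1w); the function names are mine. One caveat it encodes: scanners usually judge from the banner, and on CentOS the banner stays at the base version (OpenSSH_7.4p1) even when Red Hat has backported a fix into the RPM, so the package changelog is worth a look before rebuilding from source.

```shell
#!/bin/sh
# Added example, not code from the original post. Verify a "version too
# low" finding from the banners the scanner sees, and decide whether an
# upgrade is actually needed.

OPENSSH_REQUIRED=${OPENSSH_REQUIRED:-9.8p1}   # assumed: what the ticket asks for
OPENSSL_REQUIRED=${OPENSSL_REQUIRED:-1.1.1w}

# True when $1 sorts before $2 as a version string: "7.4p1" < "9.8p1",
# "1.0.2k" < "1.1.1w". Relies on GNU sort -V; equal versions are not "less".
ver_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> 7.4p1
# (this is what "ssh -V" prints; note it goes to stderr, hence 2>&1 below)
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# "OpenSSL 1.0.2k-fips  26 Jan 2017" -> 1.0.2k  (output of "openssl version")
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# $1 installed, $2 required. Exit 0 means "upgrade", 1 means "finding is stale".
needs_upgrade() {
    if ver_lt "$1" "$2"; then
        echo "installed $1 < required $2: upgrade"
        return 0
    fi
    echo "installed $1 >= required $2: finding is stale"
    return 1
}

# Live check on the host. Optional $1: a CVE id from the ticket; the RPM
# changelog tells you whether the distro already backported that fix
# without bumping the banner version.
audit_host() {
    needs_upgrade "$(openssh_version "$(ssh -V 2>&1)")" "$OPENSSH_REQUIRED"
    needs_upgrade "$(openssl_version "$(openssl version)")" "$OPENSSL_REQUIRED"
    [ -n "${1:-}" ] && rpm -q --changelog openssh | grep -i "$1"
}
```

Run audit_host before touching anything, and again after the symlinks in 3.4 are in place: the second run must report both findings as stale, otherwise the scanner will simply reopen the ticket.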
3. Upgrade openssh
For a newbie there is always a series of safety nets to look for before starting, just in case. Here are the get-out-of-jail-free cards I gathered.
3.1 Enabling telnet
Some people suggest enabling telnet first, so that if the openssh upgrade fails and the machine loses its SSH connection you can still get in (or, of course, you can go cap in hand to the VM administrator; the console will always get you in). Bear in mind that telnet sends the password and the whole session in cleartext, so treat it as a temporary fallback on a trusted network and disable it again once the new sshd is confirmed working.
yum install -y telnet* xinetd
vim /etc//remote    # comment out the line: auth required pam_securetty.so
systemctl start
systemctl start
systemctl enable
3.2 Virtual machine snapshots
Virtual machines generally provide a snapshot function, which can be understood simply as backup and restore, so that the system can be recovered quickly after it has been messed up. Take one before touching sshd.
3.3 Advance simulation
It is, after all, a novice at work, and opening fire directly on the customer environment is too risky. Better to find an intranet test machine or set up a virtual machine of your own and rehearse the whole procedure there first.
3.4 Starting compilation
Download the source packages one by one. openssh depends on zlib and openssl, so zlib and openssl must be compiled before openssh.
# Do everything under the /opt/ssh-upgrade/source/ directory
# openssh: download & unpack
wget '/pub/OpenBSD/OpenSSH/portable/openssh-9.'
tar zxvf openssh-9.
# openssl: download & unpack
wget /source/old/1.1.1/openssl-1.1.
tar zxvf openssl-1.1.
# zlib: download & unpack
wget /fossils/zlib-1.3.
tar zxvf zlib-1.3.
# Compile zlib
cd /opt/ssh-upgrade/source/zlib-1.3.1
./configure --prefix=/opt/ssh-upgrade/zlib
make && make install
./configure may fail with: "Checking for gcc... Compiler error reporting is too harsh for ./configure (perhaps remove -Werror). ** ./configure aborting." That message means there is no working compiler on the box; install one and rerun configure:
yum install -y gcc gcc-c++
# Compile openssl
# Back up the configuration
cp -rf /etc/ssl/ /opt/ssh-upgrade/config_bak/ssl
cd /opt/ssh-upgrade/source/openssl-1.1.1w
./config --prefix=/opt/ssh-upgrade/openssl/ --openssldir=/opt/ssh-upgrade/openssl/ shared
make && make install
ln -sf /opt/ssh-upgrade/openssl/bin/openssl /usr/bin/openssl
ln -sf /opt/ssh-upgrade/openssl/include/openssl /usr/include/openssl
echo '/opt/ssh-upgrade/openssl/lib' >> /etc//
ldconfig
The ldconfig entry is what lets the new sshd find libssl.so.1.1 at run time. The two ln -sf lines are not needed by sshd (its configure flags below point straight at the new tree); they replace the system openssl command and shadow the openssl-devel headers for every other build on the machine, so be aware of that side effect.
# Compile openssh
# Back up the configuration
cp -rf /etc/ssh/ /opt/ssh-upgrade/config_bak/ssh
cd /opt/ssh-upgrade/source/openssh-9.8p1
./configure --prefix=/opt/ssh-upgrade/openssh/ --sysconfdir=/opt/ssh-upgrade/openssh/ssh/ --with-openssl-includes=/opt/ssh-upgrade/openssl/include/ --with-ssl-dir=/opt/ssh-upgrade/openssl/ --with-zlib=/opt/ssh-upgrade/zlib/ --with-md5-passwords --without-openssl-header-check
make && make install
ln -sf /opt/ssh-upgrade/openssh/sbin/sshd /usr/sbin/sshd
ln -sf /opt/ssh-upgrade/openssh/bin/ssh /usr/bin/ssh
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-add /usr/bin/ssh-add
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-agent /usr/bin/ssh-agent
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -sf /opt/ssh-upgrade/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
# Restore the configuration
cp -rf /opt/ssh-upgrade/config_bak/ssh /etc/ssh/
# Enable at boot and so on
chkconfig --add sshd
chkconfig sshd on
systemctl enable
systemctl restart sshd
systemctl status sshd
Then, unexpectedly, the accident happened: the network dropped for a moment and the machine could not be connected to again. Because it was an intranet test machine for practice, I had not enabled telnet and had not asked the administrator for a snapshot, so all I could do was find the administrator and get into the machine through the console to see what was going on. The administrator guessed that the ssh service had failed to start, but systemctl status sshd showed the service was fine, so most likely it was a configuration problem. The Internet mostly says the cause is PermitRootLogin yes not being enabled in /etc/ssh/sshd_config, but checking that configuration showed no problem. A voice deep inside said "reboot and see", but that didn't work either.
3.5 Review
After calming down, I went through the previously executed commands line by line, and one detail aroused my suspicion, reproduced below.
./configure --prefix=/opt/ssh-upgrade/openssh/ --sysconfdir=/opt/ssh-upgrade/openssh/ssh/ --with-openssl-includes=/opt/ssh-upgrade/openssl/include/ --with-ssl-dir=/opt/ssh-upgrade/openssl/ --with-zlib=/opt/ssh-upgrade/zlib/ --with-md5-passwords --without-openssl-header-check
--sysconfdir=/opt/ssh-upgrade/openssh/ssh/ sets the configuration directory to /opt/ssh-upgrade/openssh/ssh/, so the new sshd reads /opt/ssh-upgrade/openssh/ssh/sshd_config. Restoring the configuration I had backed up at the very start into /etc/ssh/ (where cp actually put it at /etc/ssh/ssh/) therefore did nothing. The solution is simple: turn on PermitRootLogin yes in /opt/ssh-upgrade/openssh/ssh/sshd_config.
Make sure you understand the information you find online and don't execute it blindly. In particular, before restarting sshd, validate the config the new binary will actually read with sshd -t -f <sysconfdir>/sshd_config, and keep the current session open until a second login has succeeded.
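The check that would have caught the mistake in 3.5, as an added example rather than code from the original post: run it after make install and before systemctl restart sshd, while the current session is still open. It works out which directory the configure flags compiled in, confirms the new binary accepts the config found there, warns when the host keys the clients have pinned are not in that directory, and compares the PermitRootLogin policy with the old daemon's. The paths are the ones used in 3.4; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: a preflight for a
# source-built sshd. Which sshd_config will the new binary actually read,
# and does it still permit the login I depend on?

# Work out the config directory a ./configure invocation compiled in:
# --sysconfdir if given, otherwise OpenSSH's default of $prefix/etc
# (and the default prefix is /usr/local).
sysconfdir_from_configure() {
    _args=$(printf '%s\n' "$1" | tr ' ' '\n')
    _dir=$(printf '%s\n' "$_args" | sed -n 's/^--sysconfdir=//p' | tail -n 1)
    if [ -z "$_dir" ]; then
        _prefix=$(printf '%s\n' "$_args" | sed -n 's/^--prefix=//p' | tail -n 1)
        [ -n "$_prefix" ] || _prefix=/usr/local
        _dir="${_prefix%/}/etc"
    fi
    printf '%s\n' "${_dir%/}"
}

# Report the value sshd will use for a keyword: keywords are
# case-insensitive, comment lines are ignored, the FIRST occurrence wins,
# and everything after a Match line is conditional, so scanning stops there.
# (Assumes the usual "Keyword value" spelling, not "Keyword=value".)
effective_setting() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# $1: new sshd binary, $2: its compiled-in sysconfdir, $3: the old daemon's
# config dir (/etc/ssh on CentOS). Returns 0 only when the new daemon accepts
# its config and keeps the same PermitRootLogin policy as the old one.
preflight_sshd() {
    _sshd=$1; _new=$2; _old=$3
    if [ ! -f "$_new/sshd_config" ]; then
        echo "no sshd_config in $_new: a copy restored into $_old is not what sshd reads" >&2
        return 1
    fi
    # -t: parse the config and load the keys, then exit without listening.
    "$_sshd" -t -f "$_new/sshd_config" || return 1
    # HostKey defaults are relative to the sysconfdir; if the old keys are not
    # there, clients get "REMOTE HOST IDENTIFICATION HAS CHANGED" warnings.
    for _k in "$_old"/ssh_host_*_key; do
        [ -f "$_k" ] || continue
        [ -f "$_new/${_k##*/}" ] || echo "warning: $_new/${_k##*/} missing, host key will differ" >&2
    done
    _before=$(effective_setting "$_old/sshd_config" PermitRootLogin)
    _after=$(effective_setting "$_new/sshd_config" PermitRootLogin)
    echo "PermitRootLogin: old=${_before:-<default>} new=${_after:-<default>}"
    [ "$_before" = "$_after" ]
}

# Typical call (as root), with the configure line from 3.4:
# preflight_sshd /opt/ssh-upgrade/openssh/sbin/sshd \
#   "$(sysconfdir_from_configure './configure --prefix=/opt/ssh-upgrade/openssh/ --sysconfdir=/opt/ssh-upgrade/openssh/ssh/')" \
#   /etc/ssh && systemctl restart sshd
```

If the preflight fails, the fix is to carry the old configuration over in the right direction: copy the contents of /etc/ssh (config and host keys together) into the compiled-in sysconfdir, not the backup into /etc/ssh, then run it again.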
4. Upgrade MySql
The MySQL upgrade is relatively simple: there are ready-made packages, so download and run them.
4.1 Downloading the 5.7.44 installation package
/archives/mysql-5.7/mysql-5.7.44-1.el7.x86_64.
4.2 Backup
Configuration files and data
cp /etc/ /data/back/my.cnf_0807
mysqldump -uroot -p'xxx' --all-databases > /data/back/sqlfiles_0807.sql
Passing the password as -p'xxx' leaves it in the shell history and visible in ps while the dump runs; a bare -p prompts for it instead.
4.3 Stopping the database
systemctl stop mysqld
4.4 Upgrading with rpm -Uvh
rpm -Uvh mysql-community-common-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-libs-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-libs-compat-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-devel-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-client-5.7.44-1.el7.x86_64.rpm --nodeps
rpm -Uvh mysql-community-server-5.7.44-1.el7.x86_64.rpm --nodeps
--nodeps is only needed here because the packages are installed one at a time. Giving all six files to a single rpm -Uvh lets rpm check the dependencies among them itself, and running rpm --checksig on the downloaded files first confirms they carry a valid signature from the imported MySQL key.
4.5 Starting mysqld
service mysqld restart
4.6 Running mysql_upgrade
mysql_upgrade -uroot -p
Reference /doc/refman/5.7/en/
4.7 Restarting mysql
systemctl restart mysqld
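The steps in 4.2 to 4.7 as one script, added here as an example and not code from the original post. It differs from the commands above in three places a practitioner would want: it refuses packages whose signature does not verify, it installs the set in one rpm transaction in dependency order instead of six --nodeps calls, and it proves afterwards that the running mysqld is the version the ticket asked for. Assumed: the six 5.7.44 RPMs sit in $PKGDIR and the MySQL signing key has already been imported with rpm --import; the function names and the download directory are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: the MySQL 5.7 RPM upgrade
# with signature checks, a single rpm transaction and a final version check.

PKGDIR=${PKGDIR:-/root/mysql-5.7.44}     # assumed download directory
TARGET=${TARGET:-5.7.44}
BACKUP_DIR=${BACKUP_DIR:-/data/back}

# Take name and version apart from a file name such as
# mysql-community-server-5.7.44-1.el7.x86_64.rpm. ("rpm -qp --qf" is the
# authoritative way once the file is on the box; this works on a bare list.)
rpm_name()    { printf '%s\n' "${1##*/}" | sed -E 's/-[0-9][^-]*-[^-]+\.[^.]+\.rpm$//'; }
rpm_version() { printf '%s\n' "${1##*/}" | sed -E 's/^.*-([0-9][^-]*)-[^-]+\.[^.]+\.rpm$/\1/'; }

# Order the files so nothing is installed before what it Requires:
# common, then libs, then libs-compat/client/devel (all need libs),
# then server (needs client and common). Unknown names go last.
install_order() {
    for _f in "$@"; do
        case "$(rpm_name "$_f")" in
            mysql-community-common)      _rank=1 ;;
            mysql-community-libs)        _rank=2 ;;
            mysql-community-libs-compat) _rank=3 ;;
            mysql-community-client)      _rank=4 ;;
            mysql-community-devel)       _rank=5 ;;
            mysql-community-server)      _rank=6 ;;
            *)                           _rank=9 ;;
        esac
        printf '%s %s\n' "$_rank" "$_f"
    done | sort -n | cut -d' ' -f2-
}

# "mysqld  Ver 5.7.44 for Linux on x86_64 (MySQL Community Server (GPL))" -> 5.7.44
# Only the server banner counts; the mysql client prints "mysql  Ver 14.14 ...".
mysqld_version_from_banner() {
    printf '%s\n' "$1" | sed -n -E 's/^mysqld +Ver +([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'
}

upgrade_mysql() {
    set -- "$PKGDIR"/mysql-community-*-"$TARGET"-*.rpm
    [ -f "$1" ] || { echo "no $TARGET RPMs in $PKGDIR" >&2; return 1; }
    for _f in "$@"; do
        [ "$(rpm_version "$_f")" = "$TARGET" ] || { echo "wrong version: $_f" >&2; return 1; }
        # --checksig exits non-zero on a bad signature; some releases print
        # "NOT OK (MISSING KEYS ...)" when the key was never imported, so the
        # text is checked too. An unsigned download is never installed.
        _sig=$(rpm --checksig "$_f") || { echo "$_sig" >&2; return 1; }
        case "$_sig" in *"NOT OK"*) echo "$_sig" >&2; return 1 ;; esac
    done
    # Prompt for the password (-p with no value) so it never lands in shell
    # history or ps; --single-transaction gives a consistent InnoDB snapshot,
    # --routines/--events include stored routines and scheduler events.
    mysqldump -uroot -p --all-databases --single-transaction --routines --events \
        > "$BACKUP_DIR/all-databases-$(date +%Y%m%d).sql" || return 1
    systemctl stop mysqld || return 1
    install_order "$@" | xargs rpm -Uvh || return 1     # one transaction, no --nodeps
    systemctl start mysqld || return 1
    mysql_upgrade -uroot -p || return 1
    systemctl restart mysqld || return 1
    _running=$(mysqld_version_from_banner "$(mysqld --version)")
    [ "$_running" = "$TARGET" ] || { echo "running $_running, expected $TARGET" >&2; return 1; }
    echo "mysqld $_running is in place"
}
```

Run upgrade_mysql as root in a terminal (it prompts twice for the root database password). The final check matters because a symlinked or stale binary can leave systemctl reporting "active" while the old server is still what answers on port 3306.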
5. Write at the end
Originally I had quite a lot of feelings and negative emotions I wanted to express, but once the work was actually done it seemed to turn into a kind of "neither elated by things nor saddened by my own lot" state of mind. Getting old? Or reconciled with myself?
Once you reach middle age, you understand it all!