Preface

High-risk vulnerabilities were found on four virtual servers allocated by a hosting platform, running UnionTech UOS (Debian-based); this post records how they were fixed.

It covers the fix for the OpenSSH command injection vulnerability (CVE-2020-15778), the OpenSSH security vulnerability (CVE-2021-41617) and the OpenSSH input validation vulnerability (CVE-2019-16905).

Figure 1

Upload the offline patch packages to the server and install them one by one with dpkg -i <package>.deb, in the order client, sftp-server, server.

Resource packages:

Open-source mirror download address: Debian package download, open-source mirror site, Alibaba Cloud

Repository name: debian

Distribution: buster (for Debian 10)

Architecture: arm64

Related repository

root# cat /etc/debian_version
10.3
root# uname -a
Linux 4.19.0-arm64-server #3211 SMP Thu Apr 15 10:21:53 CST 2021 aarch64 GNU/Linux


root# cat /etc/apt/sources.list    # Debian 10 mirror sources are as follows
deb https://mirrors.aliyun.com/debian/ buster main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ buster main non-free contrib
deb https://mirrors.aliyun.com/debian-security buster/updates main
deb-src https://mirrors.aliyun.com/debian-security buster/updates main
deb https://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb https://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
deb-src https://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
root@V01:~/data/Patch-20230608# dpkg -i openssh-client_7.9p1.10-deepin1_arm64.deb
(Reading database ... 156351 files and directories currently installed.)
Preparing to unpack openssh-client_7.9p1.10-deepin1_arm64.deb ...
Unpacking openssh-client (1:7.9p1.10-deepin1) over (1:7.9p1.1-1+dde) ...
Setting up openssh-client (1:7.9p1.10-deepin1) ...
Processing triggers for man-db (2.8.5-2) ...


root@V01:~/data/Patch-20230608# dpkg -i openssh-sftp-server_7.9p1.10-deepin1_arm64.deb
(Reading database ... 156351 files and directories currently installed.)
Preparing to unpack openssh-sftp-server_7.9p1.10-deepin1_arm64.deb ...
Unpacking openssh-sftp-server (1:7.9p1.10-deepin1) over (1:7.9p1.10-deepin1) ...
Setting up openssh-sftp-server (1:7.9p1.10-deepin1) ...
Processing triggers for man-db (2.8.5-2) ...


root@V01:~/data/Patch-20230608# dpkg -i openssh-server_7.9p1.10-deepin1_arm64.deb
(Reading database ... 156351 files and directories currently installed.)
Preparing to unpack openssh-server_7.9p1.10-deepin1_arm64.deb ...
Unpacking openssh-server (1:7.9p1.10-deepin1) over (1:7.9p1.1-1+dde) ...
Setting up openssh-server (1:7.9p1.10-deepin1) ...

When installing the server package, the configuration-file prompt shown below appears; choose the second option to keep the currently installed local version.

Figure 2
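The install sequence above (client, then sftp-server, then server) and the "keep the currently installed local version" answer to the conffile prompt can be scripted so that all four servers are patched the same way. The script below is an added example and is not part of the original post or of UOS; the patch directory, the --dry-run flag and the ordered_debs/install_debs names are its own assumptions, file names follow the post's naming pattern, and dpkg's --force-confold option is used to give the same answer as the second menu choice without an interactive prompt.

```shell
#!/bin/sh
# Added example (not from the original post or from UOS): install the offline
# OpenSSH patch packages in the order the post requires and answer the conffile
# prompt non-interactively. The patch directory and the --dry-run flag are this
# script's own conventions; file names follow the post's naming pattern.

PKG_ORDER="openssh-client openssh-sftp-server openssh-server"

# Print the .deb for each package in install order, one per line.
# Fails (status 1) if any package file is missing, so nothing is installed half-way.
# usage: ordered_debs /root/data/Patch-20230608   (paths must not contain whitespace)
ordered_debs() {
    dir="$1"
    for pkg in $PKG_ORDER; do
        set -- "$dir"/"${pkg}"_*.deb
        if [ ! -f "$1" ]; then
            echo "no ${pkg}_*.deb found in $dir" >&2
            return 1
        fi
        echo "$1"
    done
}

# Install the packages in order, stopping at the first failure.
# --force-confold keeps the locally modified configuration file (the post's
# "keep the currently installed local version" choice) without a prompt.
# usage: install_debs /root/data/Patch-20230608 [--dry-run]
install_debs() {
    files="$(ordered_debs "$1")" || return 1
    for f in $files; do
        if [ "$2" = "--dry-run" ]; then
            echo "would run: dpkg -i --force-confold $f"
        else
            dpkg -i --force-confold "$f" || return 1
        fi
    done
}

# Stand-alone demo on a constructed directory of empty placeholder files.
demo_dir="$(mktemp -d)"
for p in $PKG_ORDER; do : > "$demo_dir/${p}_7.9p1.10-deepin1_arm64.deb"; done
install_debs "$demo_dir" --dry-run
rm -rf "$demo_dir"
```

On a real server, run install_debs against the directory the packages were uploaded to, without --dry-run; because ordered_debs checks all three files before anything is installed, a missing package aborts the run instead of leaving the client upgraded and the server not.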

After all packages were installed, the four servers were scanned again; the high- and medium-severity vulnerabilities were reported as fixed.

Figure 3

Verifying the vulnerability fix status on the server

apt-get changelog openssh-server  | grep  CVE

Figure 4
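The changelog grep above shows whether a CVE is mentioned at all; it does not show in which package version the backport landed, which is what you need when arguing with a scanner that only looks at the upstream version. The script below is an added example, not from the original post: it parses apt-get changelog output into stanzas and reports, for each CVE named in the post, the oldest package version whose entry mentions it, or MISSING. The changelog excerpt embedded in it is constructed sample data, not the real UOS changelog, and the cve_fix_versions/all_cves_fixed names are its own.

```shell
#!/bin/sh
# Added example (not from the original post): map each CVE named in the post to the
# package version whose changelog entry first mentions it. The changelog excerpt is
# constructed sample data; on a real host use "apt-get changelog openssh-server".

REQUIRED_CVES="CVE-2020-15778 CVE-2021-41617 CVE-2019-16905"

SAMPLE_CHANGELOG="$(cat <<'EOF'
openssh (1:7.9p1.10-deepin1) unstable; urgency=medium

  * Backport fix for CVE-2020-15778 (scp command injection)
  * Backport fix for CVE-2021-41617

 -- Example Maintainer <maint@example.com>  Thu, 08 Jun 2023 10:00:00 +0800

openssh (1:7.9p1.1-1+dde) unstable; urgency=medium

  * Initial packaging

 -- Example Maintainer <maint@example.com>  Mon, 01 Mar 2021 10:00:00 +0800
EOF
)"

# Read a Debian changelog on stdin; for every required CVE print "CVE version",
# where version is the oldest stanza that mentions it, or "CVE MISSING".
# usage: apt-get changelog openssh-server | cve_fix_versions
cve_fix_versions() {
    awk -v cves="$REQUIRED_CVES" '
        BEGIN { n = split(cves, want, " ") }
        # Stanza header: "<source> (<version>) <dist>; urgency=<level>"
        /^[a-z0-9.+-]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver) }
        {
            # Changelogs are newest-first, so the last assignment wins: the oldest mention.
            for (i = 1; i <= n; i++)
                if (index($0, want[i]) > 0) fixed[want[i]] = ver
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in fixed) ? fixed[want[i]] : "MISSING")
        }'
}

# Exit 0 only when every required CVE is mentioned somewhere in the changelog.
all_cves_fixed() {
    ! cve_fix_versions | grep -q ' MISSING$'
}

# Stand-alone demo: two CVEs resolve to 1:7.9p1.10-deepin1, CVE-2019-16905 is MISSING.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_versions
```

Compare the version printed for each CVE with the installed one (dpkg-query -W -f='${Version}\n' openssh-server); a MISSING line means the distribution changelog gives no evidence for that CVE and the finding should be checked against the vendor's own advisory rather than closed.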

Why does the scanner still report the vulnerabilities after the upgrade to the fixed version? It comes down to the scanning method: the scanner judges from the published vulnerability description alone, but the same vulnerability can stand differently on different Linux distributions or operating systems, each of which has its own maintenance policy, so the published description by itself is not enough to decide. The approach taken here was therefore to enable the server's ufw firewall and restrict the ports by policy, which was sufficient to remediate the reported vulnerabilities.

sudo ufw allow 111/tcp
sudo ufw allow 6888/tcp
sudo ufw allow 2049/tcp
sudo ufw allow 54321/tcp

ufw allow from *.*.26.221 to any port 22
ufw allow from *.*.27.116 to any port 22
ufw allow from *.*.27.61 to any port 22
ufw allow from *.*.29.82 to any port 22
ufw allow from *.*.29.61 to any port 22
ufw allow from 192.168.21.11 to any port 22
ufw allow from 192.168.21.7 to any port 22
ufw allow from 192.168.21.17 to any port 22
ufw allow from 192.168.21.14 to any port 22
ufw deny 22/tcp
sudo ufw enable
sudo ufw status

To delete the ufw rule "22 ALLOW IN Anywhere", proceed as follows (remember to allow the permitted source IPs first):

root:/# sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 6888                       ALLOW IN    192.168.21.0/24
[ 3] 6888                       ALLOW IN    *.*.29.0/24
[ 4] 6888                       ALLOW IN    *.*.27.0/24
[ 5] 111/tcp                    ALLOW IN    Anywhere
[ 6] 6888/tcp                   ALLOW IN    Anywhere
[ 7] 2049/tcp                   ALLOW IN    Anywhere
[ 8] 54321/tcp                  ALLOW IN    Anywhere
[ 9] 22                         ALLOW IN    *.*.26.220
[10] 22                         ALLOW IN    *.*.26.221
[11] 22                         ALLOW IN    *.*.26.222
[12] 22                         ALLOW IN    *.*.26.220
[13] 22                         ALLOW IN    *.*.26.221
[14] 22                         ALLOW IN    *.*.26.222
[15] 22                         ALLOW IN    *.*.27.116
[16] 22                         ALLOW IN    *.*.27.61
[17] 22                         ALLOW IN    *.*.29.82
[18] 22                         ALLOW IN    *.*.29.61
[19] 22                         ALLOW IN    192.168.21.11
[20] 22                         ALLOW IN    192.168.21.7
[21] 22                         ALLOW IN    192.168.21.17
[22] 22                         ALLOW IN    192.168.21.14
[23] 22/tcp                     DENY IN     Anywhere
[24] 22 (v6)                    ALLOW IN    Anywhere (v6)
[25] 111/tcp (v6)               ALLOW IN    Anywhere (v6)
[26] 6888/tcp (v6)              ALLOW IN    Anywhere (v6)
[27] 2049/tcp (v6)              ALLOW IN    Anywhere (v6)
[28] 54321/tcp (v6)             ALLOW IN    Anywhere (v6)
[29] 22/tcp (v6)                DENY IN     Anywhere (v6)

root:/# sudo ufw delete 1
Deleting:
 allow 22
Proceed with operation (y|n)? y
Rule deleted
root:/#
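Deleting rule 1 removes the IPv4 "allow 22 from anywhere" entry, but the listing above also carries rule 24, "22 (v6) ALLOW IN Anywhere (v6)", ahead of the IPv6 deny at rule 29; ufw applies the first matching rule, so on a host with a routable IPv6 address SSH would still be reachable from anywhere over IPv6 until that rule is deleted as well. The script below is an added example, not from the original post: it reads ufw status numbered output and prints the numbers of the rules that leave a given port open to Anywhere in each address family, taking an earlier deny for the same port into account. The status listing embedded in it is a constructed sample modelled on the post's output, and world_open_rules is its own name.

```shell
#!/bin/sh
# Added example (not from the original post): audit "ufw status numbered" output
# for rules that leave a port open to Anywhere. The listing below is a constructed
# sample modelled on the post's output; on a real host pipe the live command in.

SAMPLE_STATUS="$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    192.168.21.11
[ 3] 2049/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp                     DENY IN     Anywhere
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 22/tcp (v6)                DENY IN     Anywhere (v6)
[ 7] 443/tcp                    DENY IN     Anywhere
[ 8] 443/tcp                    ALLOW IN    Anywhere
EOF
)"

# Print the numbers of rules that allow PORT from Anywhere while no earlier rule in
# the same address family already denies it (ufw applies the first matching rule).
# usage: ufw status numbered | world_open_rules 22
world_open_rules() {
    awk -v port="$1" '
        BEGIN { pat = "^" port "(/tcp|/udp)?( \\(v6\\))?$" }
        /^\[ *[0-9]+]/ {
            # "[ 1] 22   ALLOW IN   Anywhere" -> num="1", rest="22   ALLOW IN   Anywhere"
            num = substr($0, 2, index($0, "]") - 2); sub(/^ */, "", num)
            rest = substr($0, index($0, "]") + 1); sub(/^ +/, "", rest)
            if (!match(rest, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT)/)) next
            to = substr(rest, 1, RSTART - 1); sub(/ +$/, "", to)
            action = substr(rest, RSTART, RLENGTH)
            from = substr(rest, RSTART + RLENGTH); sub(/^ +/, "", from)
            if (to !~ pat || from !~ /^Anywhere/) next
            fam = (to ~ /\(v6\)$/) ? "v6" : "v4"
            if (action == "DENY IN" || action == "REJECT IN") blocked[fam] = 1
            else if (action == "ALLOW IN" && !blocked[fam]) print num
        }'
}

# Stand-alone demo: port 22 prints 1 and 5; port 443 prints nothing because rule 8
# is shadowed by the deny in rule 7.
printf '%s\n' "$SAMPLE_STATUS" | world_open_rules 22
printf '%s\n' "$SAMPLE_STATUS" | world_open_rules 443
```

Run it after every ufw delete: an empty result for port 22 in both families is what the post's policy (allow listed sources, deny everything else) should produce.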

Appendix: latest vulnerability scan result

Figure 5: latest vulnerability scan

Attachment: UnionTech UOS (Debian) telnet offline package