
Upgrading OpenSSH on CentOS 7

A security scan flagged the server for running an OpenSSH release older than 7.7, with known vulnerabilities, so it had to be upgraded. This is how it went.

1. Install the build dependencies

yum install -y pam pam-devel zlib zlib-devel gcc make

2. Back up the sshd configuration

cp /etc/ssh/sshd_config /root/sshd_config.bak

3. Remove the old openssl and openssh packages. [Note] Once openssl is gone, sudo stops working (it links against libcrypto), so log in as root first. Removing openssh-server also deletes the sshd systemd unit, /etc/pam.d/sshd and /usr/libexec/openssh/sftp-server, which later steps recreate. Do all of this from a session you keep open (or from the console) until the new sshd has been verified: the sshd process already serving your connection keeps running, but no new login is possible until step 8. If root login over SSH had to be enabled for this, disable it again once the upgrade is finished.

rpm -e --nodeps `rpm -qa|grep openss` 

4. Download the new openssl and openssh sources
Download a 1.0.x release of openssl. CentOS 7 binaries (yum, curl, sudo and many more) are linked against libssl.so.10 and libcrypto.so.10, and the symlinks created in step 5 only work with an ABI-compatible 1.0.x build. Be aware that 1.0.2 has been end-of-life since the end of 2019 and that recent OpenSSH releases no longer build against 1.0.x, so check the release notes of the OpenSSH version you pick.
Download the latest openssh release and verify the tarball's signature (OpenSSH publishes a .asc file for every release) before building something that will run as root.

5. Build and install openssl

unzip openssl_XXXX.zip
cd openssl_XXXX
./config --prefix=/usr --shared && make && make install
ln -s /usr/lib64/libcrypto.so.1.0.0  /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libssl.so.1.0.0  /usr/lib64/libssl.so.10
find /usr/ssl -type d -exec chmod 755 {} +
find /usr/ssl -type f -exec chmod 644 {} +
chmod 700 /usr/ssl/private

The original recipe ran chmod -R 644 /usr/ssl, which also strips the execute bit from the directories, so non-root processes can no longer open /usr/ssl/openssl.cnf or the certificate directory; only the private key directory should stay closed to everyone but root.

6. Build and install openssh

cp -R /etc/ssh/ /root/ssh-bak
tar -zxvf openssh_XXX.tar.gz
cd openssh_XXX
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
cp /root/sshd_config.bak /etc/ssh/sshd_config
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig sshd on
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

The restored sshd_config came from the RPM build and needs two checks. Its Subsystem line points at /usr/libexec/openssh/sftp-server, which rpm -e deleted; the source build installs /usr/libexec/sftp-server, so change the path or SFTP logins fail. Directives the new release has dropped make sshd refuse to start, so run sshd -t (it reads /etc/ssh/sshd_config by default) and fix whatever it reports; sshd -t does not notice a missing subsystem binary. --with-pam only compiles in PAM support: UsePAM yes must stay in the config for the /etc/pam.d/sshd rules from step 7 to apply. The init script from contrib/redhat works under systemd through its SysV compatibility, which is why both chkconfig here and systemctl in step 8 work.

7. Write the following to /etc/pam.d/sshd (the file belonged to the removed openssh-server package; this is the stock CentOS 7 content)

auth required pam_sepermit.so 
auth include password-auth 
account required pam_nologin.so 
account include password-auth 
password include password-auth 
# pam_selinux.so close should be the first session rule 
session required pam_selinux.so close 
session required pam_loginuid.so 
# pam_selinux.so open should only be followed by sessions to be executed in the user context 
session required pam_selinux.so open env_params 
session optional pam_keyinit.so force revoke 
session include password-auth

8. Restart sshd

systemctl restart sshd

Then open a new SSH session from another terminal and check the version before closing the session the upgrade was done in; if the new sshd fails to start, that old session is the only way back in.
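The checks described in steps 6 and 8, as an added example that is not part of the original post: a version parser that mirrors what the scanner looks at, a check for the sftp-server path that sshd -t does not perform, and a throw-away sshd on a second port so the new build can be logged into before the real service is restarted. The 7.7 threshold comes from the scan finding; the test port 2222 and the PidFile path are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks around the
# sshd swap.  Threshold 7.7 is the scanner's; port 2222 is illustrative.

# Reduce a version banner to "major.minor".  Accepts what `ssh -V` prints
# ("OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017") and the on-the-wire
# banner a scanner sees ("SSH-2.0-OpenSSH_7.4").
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\(SSH-[0-9.]*-\)\{0,1\}OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\2/p'
}

# True when major.minor $1 is older than major.minor $2.  Numeric compare,
# so 7.10 is newer than 7.9 and 8.0 is newer than 7.7.
version_below() {
    a_maj=${1%%.*}; a_min=${1#*.}
    b_maj=${2%%.*}; b_min=${2#*.}
    if [ "$a_maj" -lt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -lt "$b_min" ]; then return 0; fi
    return 1
}

# sshd -t validates syntax and rejects dropped options, but it does not
# check that a Subsystem binary exists.  The RPM-era sshd_config names
# /usr/libexec/openssh/sftp-server, which rpm -e removed (the source build
# installs /usr/libexec/sftp-server), so check every Subsystem line.
check_subsystem_paths() {
    rc=0
    while read -r key name path _; do
        case "$key" in
            [Ss]ubsystem)
                [ "$path" = internal-sftp ] && continue
                if [ ! -x "$path" ]; then
                    echo "Subsystem $name: $path missing or not executable" >&2
                    rc=1
                fi ;;
        esac
    done < "$1"
    return $rc
}

# Full pre-flight, run as root on the host being upgraded: syntax, subsystem
# paths, then a test instance of the new sshd on a second port.  Keep the
# existing session open until a login on that port succeeds.
# Usage: preflight_sshd /usr/sbin/sshd /etc/ssh/sshd_config 2222
preflight_sshd() {
    sshd=$1; cfg=$2; port=$3
    "$sshd" -t -f "$cfg" || return 1
    check_subsystem_paths "$cfg" || return 1
    echo "installed client version: $(openssh_version "$(ssh -V 2>&1)")"
    # -D keeps it in the foreground (so it is our child), -p overrides the
    # Port directive, and a separate PidFile avoids clashing with the service.
    "$sshd" -D -f "$cfg" -p "$port" -o PidFile=/run/sshd-test.pid &
    echo "test sshd pid $! on port $port; try: ssh -p $port root@<host>"
}
```

preflight_sshd deliberately starts the new binary beside the old service instead of replacing it: if the new build cannot start or rejects logins, the running sshd is untouched and nothing is lost.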

Adding a boot-time startup script on Ubuntu

  • Create a .sh file under /etc/init.d/. Note that init runs the script as root, so php and the application inherit root unless the script drops privileges itself.
#!/bin/bash
### BEGIN INIT INFO
# Provides:          www.talktome.mobi
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: ChatWSS
# Description:       Chat WSS (Websocket over ssl) Service
### END INIT INFO
php /var/www/XXX.php start -d

exit 0
  • Make the script executable
    chmod 755 /etc/init.d/XXX.sh
  • Register the script with the boot sequence
cd /etc/init.d 
sudo update-rc.d XXX.sh defaults 95
  • Remove the script from the boot sequence
cd /etc/init.d 
sudo update-rc.d -f XXX.sh remove
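As an added example that is not the script from the post, the same service written so that init starts it as an unprivileged user through start-stop-daemon, with stop and status actions. It assumes /var/www/XXX.php (the elided name from the post) stays in the foreground when started without -d, so that start-stop-daemon can background it and record its pid; the www-data user, the chatwss name and the pid file path are assumptions.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          chatwss
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: ChatWSS
# Description:       Chat WSS (WebSocket over SSL) service, run as www-data
### END INIT INFO
# Added example, not the original script.  Assumes the php script stays in
# the foreground without -d; user, name and pid file path are illustrative.
# The service user needs read access to the certificate and the unencrypted
# key and nothing else.

APP_USER=www-data
DAEMON=/usr/bin/php
DAEMON_ARGS="/var/www/XXX.php start"
PIDFILE=/run/chatwss.pid

# True when the pid recorded in $PIDFILE belongs to a live process.
is_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

do_start() {
    if is_running; then echo "ChatWSS already running"; return 0; fi
    # --chuid drops root before exec; --startas (not --exec) tolerates php
    # being a symlink; --make-pidfile records the child pid for stop/status.
    start-stop-daemon --start --quiet --chuid "$APP_USER" \
        --background --make-pidfile --pidfile "$PIDFILE" \
        --startas "$DAEMON" -- $DAEMON_ARGS
}

do_stop() {
    # TERM, wait up to 10 s, then KILL; --oknodo treats "not running" as success.
    start-stop-daemon --stop --quiet --oknodo --retry TERM/10/KILL/5 \
        --pidfile "$PIDFILE"
    rm -f "$PIDFILE"
}

do_status() {
    if is_running; then echo "ChatWSS running, pid $(cat "$PIDFILE")"; return 0; fi
    echo "ChatWSS not running"; return 3   # LSB status code: not running
}

case "${1:-}" in
    start)   do_start ;;
    stop)    do_stop ;;
    restart) do_stop; do_start ;;
    status)  do_status ;;
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2 ;;
esac
```

Install it the same way as above (chmod 755, then update-rc.d chatwss defaults 95). If the application insists on daemonizing itself, drop --background and --make-pidfile and stop it with start-stop-daemon --stop --user "$APP_USER" --name php instead of a pid file.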

Generating a CA and server certificate

I. Generate the CA certificate
a) Create a directory for the certificates: mkdir /home/ubuntu/SSL
b) Copy CA.sh into it: cp /usr/lib/ssl/misc/CA.sh /home/ubuntu/SSL
c) ./CA.sh -newca
d) Fill in the prompts. The files appear under demoCA: demoCA/private/cakey.pem is the CA private key and demoCA/cacert.pem is the CA root certificate. Anyone holding cakey.pem can mint certificates that the clients in the following sections will trust, so keep it readable by nobody else and off the web servers.

II. Generate the server certificate
a) Generate the private key: openssl genrsa -des3 -out server.key 2048 (the original used 1024 bits, which has been below the accepted minimum for years and is rejected by current browsers and TLS libraries)
b) Generate the CSR: openssl req -new -key server.key -out server.csr
c) Issue and sign the certificate: openssl ca -in server.csr -out server.crt
openssl ca copies no extensions from the CSR by default, so the certificate carries no subjectAltName, and its default policy requires the country, state and organization fields to match the CA's. If clients that check host names will connect, pass -extfile with a subjectAltName entry for the host name.

III. Generate the client certificate
a) Generate the private key: openssl genrsa -des3 -out client.key 2048
b) Generate the CSR: openssl req -new -key client.key -out client.csr
c) Issue and sign the certificate: openssl ca -in client.csr -out client.crt

IV. Generating a key without a passphrase
If you use the certificate with Nginx, Apache or another web server, the server will prompt for the certificate's passphrase on startup ("Enter PEM pass phrase"), because the private key was encrypted when it was generated. Strip the passphrase with the following OpenSSL command, which writes server.key.unsecure:
openssl rsa -in server.key -out server.key.unsecure
The result is the raw private key. Keep it owned by root with mode 0600 (the nginx master process runs as root and reads the key before the workers drop privileges) and outside the web root.
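The three steps above (CA, server certificate, client certificate) as one added script that is not part of the original post. It uses openssl req and openssl x509 -req instead of CA.sh and the demoCA database, so it runs in any empty directory, and adds the two things the recipe lacks: a subjectAltName on the server certificate and a check of each result against the CA. It also shows the alternative to section IV: creating the key unencrypted but with mode 0600 from the start. Host names, lifetimes and key sizes are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the original post.  Names, lifetimes and key
# sizes are illustrative.
set -eu

# Extension file for a server certificate.  Clients match the host name
# against subjectAltName (CN alone is ignored by modern TLS stacks), and
# neither `openssl ca` nor `openssl x509 -req` copies SANs from the CSR
# unless asked, so the extensions are supplied at signing time.
server_extfile() {        # $@ = host names; prints the extension file
    sans=""
    for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth\n'
    printf 'subjectAltName=%s\n' "$sans"
}

client_extfile() {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature\n'
    printf 'extendedKeyUsage=clientAuth\n'
}

# CA in directory $1: cakey.pem (0600, never leaves this machine) and
# cacert.pem (the file that ships as the Android app's assets/ca.crt).
make_ca() {
    mkdir -p "$1"
    (umask 077; openssl genrsa -out "$1/cakey.pem" 4096 2>/dev/null)
    openssl req -new -x509 -key "$1/cakey.pem" -sha256 -days 3650 \
        -subj "/CN=Example Private CA" -out "$1/cacert.pem" 2>/dev/null
}

# Issue $2.key / $2.csr / $2.crt in CA directory $1 for CN $3 with extension
# file $4.  The key is created unencrypted with mode 0600 instead of -des3
# plus a later "openssl rsa" to strip the passphrase: a key nginx must read
# unattended at boot ends up unencrypted anyway, so ownership and mode are
# what protect it.
issue_cert() {
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -key "$1/$2.key" -sha256 -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -sha256 -days 825 -extfile "$4" -out "$1/$2.crt" 2>/dev/null
}

# True when certificate $2 chains to the CA in $1.  Decided on the output
# text because old `openssl verify` builds exit 0 even when validation fails.
verify_against_ca() {
    openssl verify -CAfile "$1/cacert.pem" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build CA, server and client material under $1 for WSS host $2 and verify.
# e.g.  build_pki ./pki chat.example.com
build_pki() {
    dir=$1; host=$2
    make_ca "$dir"
    server_extfile "$host" > "$dir/server.ext"
    client_extfile > "$dir/client.ext"
    issue_cert "$dir" server "$host" "$dir/server.ext"
    issue_cert "$dir" client "chat-client" "$dir/client.ext"
    verify_against_ca "$dir" "$dir/server.crt" && verify_against_ca "$dir" "$dir/client.crt"
}
```

verify_against_ca is also the check to run against a certificate issued by someone else's CA: it must fail, which is exactly the property the Android TrustManager below depends on.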

Android WSS client

  • Add the dependency to the app module's build.gradle
compile 'org.java-websocket:Java-WebSocket:1.3.0'
  • Subclass WebSocketClient
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import org.java_websocket.client.DefaultSSLWebSocketClientFactory;
import org.java_websocket.client.WebSocketClient;
import org.java_websocket.handshake.ServerHandshake;

public class WSS extends WebSocketClient {

    public static WSS newInstance() {
        try {
            return new WSS(new URI(Config.CHAT_SOCKET_ADDR));
        } catch (Exception e) {
            // A bad address or an unusable CA is a configuration error:
            // fail loudly instead of handing back null.
            throw new IllegalStateException("cannot create WSS client", e);
        }
    }

    public WSS(URI uri) {
        super(uri);
        // TrustManager here is the pinning class below, not javax.net.ssl.TrustManager:
        // only certificates that chain to our own CA are accepted.
        TrustManager[] trustManagers = new TrustManager[] { new TrustManager() };
        try {
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(null, trustManagers, new SecureRandom());
            setWebSocketFactory(new DefaultSSLWebSocketClientFactory(sc));
        } catch (GeneralSecurityException e) {
            // Never continue with a missing or default SSL context.
            throw new IllegalStateException("TLS setup failed", e);
        }
    }

    @Override
    public void onOpen(ServerHandshake handshakedata) {
    }

    @Override
    public void onMessage(String message) {
    }

    @Override
    public void onError(Exception ex) {
    }

    @Override
    public void onClose(int code, String reason, boolean remote) {
    }
}
  • Implement X509TrustManager. The class below trusts only certificates that chain to the private CA shipped in assets/ca.crt (the cacert.pem from the CA section). The original version caught the exception thrown by cert.verify() and merely printed it, so any certificate with valid dates was accepted, and getAcceptedIssuers() returned nothing; both are fixed by delegating to the platform's PKIX validation with a key store that holds only our CA. Java-WebSocket 1.3.0 performs no host name verification of its own, so anything the private CA has signed is accepted for any host: keep the CA key offline and issue certificates only for your own servers.
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Trusts only chains that validate (signatures, validity, basic constraints)
// up to the private CA in assets/ca.crt; nothing from the system store.
public class TrustManager implements X509TrustManager {

    private final X509TrustManager delegate;

    public TrustManager() {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Certificate ca;
            InputStream caInput = new BufferedInputStream(
                    MyApplication.getApplication().getAssets().open("ca.crt"));
            try {
                ca = cf.generateCertificate(caInput);
            } finally {
                caInput.close();
            }
            // A key store containing only our CA becomes the trust anchor set.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);
            ks.setCertificateEntry("ca", ca);
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            X509TrustManager found = null;
            for (javax.net.ssl.TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    found = (X509TrustManager) tm;
                    break;
                }
            }
            if (found == null) {
                throw new IllegalStateException("no X509TrustManager available");
            }
            delegate = found;
        } catch (GeneralSecurityException e) {
            // A missing or unreadable CA must fail closed, never fall back to "unchecked".
            throw new IllegalStateException("cannot load pinned CA", e);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read ca.crt from assets", e);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // This side is a client; it never has to evaluate a client certificate.
        throw new CertificateException("client certificates are not accepted here");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Throws CertificateException unless the chain ends at our CA.
        delegate.checkServerTrusted(chain, authType);
    }
}

Fixing a slow nginx reverse proxy

When setting up an nginx reverse proxy with server localhost:PORT in the upstream block, responses were very slow. The log showed that localhost was being resolved to its IPv6 address by default, where the backend was not listening; changing the entry to 127.0.0.1 fixed it. To confirm this on a host, compare what getent ahosts localhost returns with the addresses the backend is actually bound to (ss -ltnp), and always name the literal address the backend listens on.
The proxied backend is a network application written in Delphi.
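As an added illustration that is not the original configuration, the slow upstream beside the corrected one; the port 8080 and the upstream names are assumptions:

```nginx
# Added example, not the original configuration.  Port 8080 is illustrative.

# Slow: "localhost" resolves (through /etc/hosts) to ::1 as well as
# 127.0.0.1, and nginx treats every resolved address as a separate backend.
# With the Delphi service bound to 127.0.0.1 only, connections to ::1 fail
# and have to be retried against the IPv4 address.
upstream backend_slow {
    server localhost:8080;
}

# Fixed: name the literal address the backend actually listens on.
upstream backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }
}
```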