Ubuntu OpenSSH安装升级(源码编译)
2024-02-22 本文已影响0人
炸鱼最好吃
经常有客户反馈服务器漏洞,主要是openssl、openssh,做个记录分享。
编译环境准备
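# Build prerequisites: the compiler toolchain, plus the PAM and systemd
# headers that the OpenSSH build below relies on (--with-pam, sd_notify patch).
# apt-get is used instead of apt because its command-line interface is the
# one intended for scripted, non-interactive use.
apt-get update
apt-get install -y build-essential libpam0g-dev libsystemd-dev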
zlib
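# Build zlib 1.3.1 from source (installs under the default prefix).
cd /usr/local/src/
wget https://www.zlib.net/zlib-1.3.1.tar.gz
# Check the tarball before unpacking: configure/make/make install below run
# with the privileges of this shell (it writes to system paths), so a
# tampered archive would execute with them.
# Placeholder: fill in the SHA-256 published by the zlib project for this release.
ZLIB_SHA256='REPLACE_WITH_PUBLISHED_SHA256'
# Each step runs only if the previous one succeeded, so a checksum mismatch
# or a failed build never reaches "make install".
printf '%s  %s\n' "$ZLIB_SHA256" zlib-1.3.1.tar.gz | sha256sum -c - \
  && tar xf zlib-1.3.1.tar.gz \
  && cd zlib-1.3.1/ \
  && ./configure \
  && make \
  && make install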
openssl
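# Build OpenSSL 3.0.13 into its own prefix (/usr/local/ssl), then put its
# binary and libraries in front of the distribution copies.
cd /usr/local/src/
wget https://www.openssl.org/source/openssl-3.0.13.tar.gz
# Check the tarball before unpacking; the build and install run with the
# privileges of this shell.
# Placeholder: fill in the SHA-256 published by the OpenSSL project for this release.
OPENSSL_SHA256='REPLACE_WITH_PUBLISHED_SHA256'
printf '%s  %s\n' "$OPENSSL_SHA256" openssl-3.0.13.tar.gz | sha256sum -c - \
  && tar xf openssl-3.0.13.tar.gz \
  && cd openssl-3.0.13 \
  && ./config shared zlib --prefix=/usr/local/ssl \
  && make \
  && make install

# Back up the distribution binary for rollback. -p: the directory may already
# exist from an earlier run of this procedure.
mkdir -p /usr/local/backup
# Copy (not move) the old binary and replace it only if the new one was
# actually built, so a failed build never leaves /usr/bin without openssl.
cp -p /usr/bin/openssl /usr/local/backup/ \
  && cp /usr/local/ssl/bin/openssl /usr/bin/
cp -rp /usr/local/ssl/share/* /usr/share/

# Register the new library directory with the dynamic linker.
# NOTE(review): this applies system-wide, not just to openssl/sshd. Other
# programs linked against libssl/libcrypto may start resolving them from
# /usr/local/ssl/lib64, in which case distribution security updates to the
# packaged library no longer reach them -- check with "ldconfig -p | grep libssl"
# and plan to rebuild this copy for every future OpenSSL advisory.
# NOTE(review): no --openssldir was given, so this build presumably uses its
# own config/CA directory under the prefix rather than /etc/ssl; if TLS
# clients start failing certificate verification afterwards, fix the trust
# store path instead of disabling verification.
echo "/usr/local/ssl/lib64" > /etc/ld.so.conf.d/ssl.conf
ldconfig
openssl version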
openssh
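# Download and configure OpenSSH 9.6p1.
cd /usr/local/src/
# Certificate verification is left on (no --no-check-certificate): this is the
# source of the daemon that guards remote access, and skipping TLS checks lets
# anyone on the network path substitute the tarball. If verification fails
# here, repair the local CA store rather than bypassing it.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz.asc
# Verify the detached signature before unpacking. The OpenSSH release key must
# already be imported into this user's keyring, with its fingerprint checked
# against a source obtained independently of this download.
# --sysconfdir=/etc/ssh: without it the build looks for sshd_config and host
# keys under /usr/local/ssh/etc, so the existing /etc/ssh/sshd_config (and any
# hardening in it) would be silently ignored once /usr/sbin/sshd is replaced.
gpg --verify openssh-9.6p1.tar.gz.asc openssh-9.6p1.tar.gz \
  && tar xf openssh-9.6p1.tar.gz \
  && cd openssh-9.6p1 \
  && ./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl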
# systemd support: patch sshd.c so the daemon reports readiness via sd_notify().
# NOTE(review): the three inserts below address sshd.c by absolute line number
# (129, 2095, 2096), so they are presumably only correct for the exact source
# file this was written against. On any other release they would land in
# unrelated code of a security-critical daemon; inspect the result (for
# example, diff against a pristine copy of sshd.c) before building.
# Order matters: the third insert targets the line created by the second.
sed -i '129a\#include <systemd/sd-daemon.h>' sshd.c
sed -i '2095a\ /* Signal systemd that we are ready to accept connections */' sshd.c
sed -i '2096a\ sd_notify (0, "READY=1");' sshd.c
# Replace the whole LIBS line in the generated Makefile so that -lsystemd is
# linked; this overrides whatever library list ./configure had written there.
sed -i 's|^LIBS=.*|LIBS=-lcrypto -ldl -lutil -lz -lcrypt -lresolv -lsystemd|' Makefile
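# Build, then install into the prefix chosen at ./configure time
# (system binaries are not touched yet).
make && make install
# Back up the distribution binaries for rollback.
# -p: /usr/local/backup may already exist (e.g. from the OpenSSL step), and a
# plain mkdir would fail in that case.
mkdir -p /usr/local/backup
# cp -p keeps mode, ownership and timestamps so the backups can be restored as-is.
cp -p /usr/bin/scp /usr/local/backup
cp -p /usr/bin/sftp /usr/local/backup
cp -p /usr/bin/ssh* /usr/local/backup
cp -p /usr/sbin/sshd /usr/local/backup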
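# Replace the system binaries with the freshly built ones.
# NOTE(review): these paths are normally owned by the distribution's openssh
# packages, so a later package upgrade may overwrite them again.
cd /usr/local/ssh
cp bin/* /usr/bin
# rsync rather than cp for sbin/ -- presumably because the running sshd binary
# cannot be overwritten in place, whereas rsync writes a new file and renames it.
rsync -av sbin/* /usr/sbin
cp -rp share/man/* /usr/share/man
# Validate configuration and host keys first and restart only if that passes.
# When working over SSH, keep the current session open until a new login has
# been confirmed to work.
# sshd reads its configuration from the sysconfdir chosen at ./configure time
# (by default <prefix>/etc), which is not necessarily /etc/ssh -- confirm the
# effective settings with "sshd -T" after the restart.
/usr/sbin/sshd -t && systemctl restart ssh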
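# If systemctl fails to start the service: dump the effective configuration
# (this also prints the reason when sshd refuses to start).
sshd -T
# Create the directory sshd is missing (presumably its privilege-separation
# directory). It should be owned by root and not writable by anyone else;
# install -d sets that explicitly instead of depending on the current umask,
# and does not fail if the directory already exists.
install -d -m 0755 -o root -g root /var/empty
systemctl restart ssh
# Verify
ssh -V
sshd -V
systemctl status ssh
# Confirm the running build still enforces the intended login policy; a source
# build may be reading a different sshd_config than the packaged one did.
sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|usepam) '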