
### Add a user to sudoers
$ chmod u+w /etc/sudoers
$ vi /etc/sudoers
## Allow root to run any commands anywhere
telnet  ALL=(ALL)       ALL
$ chmod u-w /etc/sudoers
$ sudo su root

1. System environment: CentOS Linux release 7.7.1908 (Core)
2. ssh version: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
3. Disable scp
$ rpm -qa | grep openssh
$ yum remove openssh-clients -y
4. Restart the sshd service
$ systemctl restart sshd.service

### Remove the old version
$ rpm -qa|grep openssh
$ rpm -e --nodeps openssh-server-7.4p1-21.el7.x86_64
$ rpm -e --nodeps openssh-7.4p1-21.el7.x86_64
 
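5. Disable the sftp service
Edit the sshd configuration file /etc/ssh/sshd_config
$ vi /etc/ssh/sshd_config
Add "#" in front of the Subsystem sftp line so that it reads:  # Subsystem sftp /usr/libexec/openssh/sftp-server
6. Restart the sshd service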
$ systemctl restart sshd.service
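
A scripted form of step 5, as an added example that is not part of the original notes: it comments out every active Subsystem sftp line (sshd keywords are case-insensitive and may be indented), keeps a backup, and confirms that none remain. The function names, the .orig backup suffix and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: disable the sftp subsystem in an sshd_config-style file.

# Print active (uncommented) "Subsystem sftp" lines. sshd keywords are
# case-insensitive and may be indented, so a plain string match is not enough.
active_sftp_lines() {
    grep -iE '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"
}

# Comment out every active "Subsystem sftp" line. Keeps a one-time backup
# in <file>.orig (hypothetical suffix) and is safe to run repeatedly.
disable_sftp() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    if ! active_sftp_lines "$cfg" >/dev/null; then
        return 0    # already disabled or never configured
    fi
    [ -e "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig"
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    awk '{
        if (tolower($0) ~ /^[ \t]*subsystem[ \t]+sftp([ \t]|$)/) print "#" $0
        else print
    }' "$cfg" >"$tmp" || { rm -f "$tmp"; return 1; }
    # Write back into the existing file so mode, owner and SELinux label stay.
    cat "$tmp" >"$cfg" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    ! active_sftp_lines "$cfg" >/dev/null    # succeed only if none remain
}

# Constructed sample input, not taken from a real host.
write_sample() {
    cat >"$1" <<'EOF'
Port 22
PermitRootLogin yes
  subsystem   sftp  /usr/libexec/openssh/sftp-server
#Subsystem sftp internal-sftp
EOF
}
```

On a real host, run disable_sftp against /etc/ssh/sshd_config and check the file with sshd -t before restarting the service.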

$ mv /etc/ssh/ /etc/ssh.bak
$ yum install gcc* make zlib zlib-devel openssl openssl-devel perl pam pam-devel -y
$ ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include/ --with-ssl-dir=/usr/local/ssl/ --with-zlib --with-md5-passwords --with-pam
$ make && make install
Start
$ /usr/sbin/sshd
$ ps -ef|grep sshd

Install telnet as a fallback (dropbear)
1. Install
$ yum install telnet telnet-server -y
2. Start
$ systemctl enable telnet.socket
$ systemctl start telnet.socket
3. Connect
# telnet forbids root logins by default, so create a regular user first
$ useradd telnet
$ passwd telnet

### Compile and install Nginx
$ ./configure \
  --prefix=/usr/local/nginx-1.20.1 \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-poll_module \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_stub_status_module \
  --with-http_auth_request_module \
  --with-http_v2_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-file-aio \
  --with-threads \
  --with-stream \
  --with-stream_ssl_module \
  --with-openssl=../openssl-1.1.1g \
  --with-pcre=../pcre-8.44 \
  --with-zlib=../zlib-1.2.11
$ make && make install
$ useradd -s /sbin/nologin -M nginx
$ netstat -tlunp | grep nginx

Upgrade openssl
$ openssl version -a
Back up
$ mv /usr/bin/openssl /usr/bin/openssl_old
Install
$ tar xzvf openssl-1.1.1g.tar.gz
$ cd openssl-1.1.1g/
$ ./config shared && make && make install
Create the symlink
$ ln -s /usr/local/bin/openssl /usr/bin/openssl
If running openssl version reports the following error:

openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
run the following commands to fix it:

$ ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/
$ ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/
Old version:

$ openssl_old version
OpenSSL 1.0.2k-fips  26 Jan 2017

### Upgrade openssh
# CentOS 8
$ yum update openssh -y
# Restart sshd
$ systemctl restart sshd
Download the latest packages
$ wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
$ wget https://ftp.openssl.org/source/openssl-1.1.1g.tar.gz
Install the required dependencies
$ yum install zlib-devel openssl-devel pam-devel -y
Back up
$ mkdir /etc/ssh_old
$ mv /etc/ssh/* /etc/ssh_old/
Extract, compile and install
$ tar xzvf openssh-8.2p1.tar.gz 
$ cd openssh-8.2p1/

$ ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/lib64/ --with-zlib --with-pam --with-md5-passwords --with-ssl-engine --with-selinux

# Install
$ make && make install

# Verify
$ ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1g  21 Apr 2020

$ ls /etc/ssh
moduli  ssh_config  sshd_config  ssh_host_dsa_key  ssh_host_dsa_key.pub  ssh_host_ecdsa_key  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
Configuration
1. Edit sshd_config

$ vim /etc/ssh/sshd_config

# Example: configure root login; follow your previous configuration
PermitRootLogin yes
2. Start

# Move the old ssh service units away so they do not conflict with the new one
$ mv /usr/lib/systemd/system/sshd.service /etc/ssh_old/sshd.service
$ mv /usr/lib/systemd/system/sshd.socket /etc/ssh_old/sshd.socket

# Copy some files from the extracted source tree
$ cp -a contrib/redhat/sshd.init /etc/init.d/sshd

# Restart
$ /etc/init.d/sshd restart
$ systemctl daemon-reload

# Enable start at boot
$ chkconfig --add sshd
$ chkconfig sshd on
Problems you may run into:
/etc/init.d/sshd restart fails with an error:
Reloading systemd:                                         [  确定  ]
Restarting sshd (via systemctl):  Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
                                                           [失败]
This is caused by SELinux, which needs to be disabled

# Temporary change
setenforce 0
# Permanent change
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# Restart
/etc/init.d/sshd restart