9 matching articles found
2022-03-15
linuxea: upgrading openssl and openssh for [CVE-2021-3711]
Fixed an SM2 decryption buffer overflow ([CVE-2021-3711]). From the OpenSSL changelog:

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
  Fixed an SM2 Decryption Buffer Overflow. In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. ([CVE-2021-3711]) [Matt Caswell]

1.1.1m: avoid loading a dynamic engine twice. From the changelog:

Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]
  Avoid loading of a dynamic engine twice. [Bernd Edlinger]
  Prioritise DANE TLSA issuer certs over peer certs [Viktor Dukhovni]
  Fixed random API for MacOS prior to 10.12. These MacOS versions don't support the CommonCrypto APIs [Lenny Primak]

OpenSSL 1.x patch releases (small bug fixes that do not change the API or affect stability) are ordered by a letter suffix, e.g. 1.1.1l is followed by 1.1.1m, so the release history tells you at a glance whether a build is older than the fix. The newest release series at the time of writing is 3.0.1.

Build dependencies (these can also be downloaded once and kept for offline installs):
  yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs lrzsz

Source snapshots: https://www.openssl.org/source/snapshot/

Option 1: rpm package
Prebuilt packages: https://github.com/philyuchkoff/openssl-RPM-Builder/releases
The two rpm -e --justdb calls remove the old packages from the rpm database only (no files are deleted), so the new package can be installed over them:
  rpm -e --justdb --nodeps openssl-libs
  rpm -e --justdb --nodeps openssl-1:1.0.2k
  rpm -ivvh openssl-1.1.1m-1.el7.x86_64.rpm --nodeps
  openssl version

Option 2: build from source (recommended)

openssl-1.1.1l
  https://www.openssl.org/source/openssl-1.1.1l.tar.gz
  https://www.openssl.org/source/snapshot/openssl-1.1.1-stable-SNAP-20220120.tar.gz
Unpack the tarball under /usr/local as in the 1.1.1m steps below, then:
  mv /usr/bin/openssl{,.bak}
  mv /usr/include/openssl{,.bak}
  cd /usr/local/openssl-1.1.1l/
  ./config shared && make && make install

openssl-1.1.1m
  https://www.openssl.org/source/openssl-1.1.1m.tar.gz
  wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1m.tar.gz
  tar xf openssl-1.1.1m.tar.gz -C /usr/local/
  mv /usr/bin/openssl{,.bak}
  mv /usr/include/openssl{,.bak}
  cd /usr/local/openssl-1.1.1m
  ./config shared && make && make install
Note that --no-check-certificate disables verification of openssl.org's TLS certificate. Drop the flag if the system CA bundle works, and in any case compare the tarball's SHA-256 with the value published on the download page before building a crypto library from it.

Link the new binary and headers into place, and make the new libssl/libcrypto in /usr/local/lib64 visible to the dynamic loader:
  ll /usr/local/bin/openssl
  ll -d /usr/local/include/openssl/
  ln -s /usr/local/bin/openssl /usr/bin/openssl
  ln -s /usr/local/include/openssl/ /usr/include/openssl
  ll /usr/bin/openssl
  ll -d /usr/include/openssl
  echo "/usr/local/lib64" >> /etc/ld.so.conf
  /sbin/ldconfig
  openssl version
  openssl version -a

openssh

Install the build dependencies:
  yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel pcre-devel pam-devel openssl openssl-devel openssl-libs

Configure the required build options. Keep an existing ssh session open throughout, because /usr/bin/ssh and /usr/sbin/sshd are moved aside below before the new build has been tested. The -k in curl -Lk disables certificate checking just like wget --no-check-certificate above, so the same checksum advice applies.
  mv /etc/ssh{,.bak}
  mkdir /usr/local/openssh
  curl -Lk https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz |tar xz -C ./
  cd openssh-8.7p1/
  ./configure --prefix=/usr/local/openssh \
    --sysconfdir=/etc/ssh \
    --with-openssl-includes=/usr/local/include \
    --with-ssl-dir=/usr/local/lib64 \
    --with-zlib \
    --with-md5-passwords \
    --with-pam && \
  make && \
  make install
Because /etc/ssh was moved to /etc/ssh.bak, make install creates a fresh /etc/ssh with new host keys, so clients that knew this host will warn about a changed host key. Copy the old ssh_host_*_key files back from /etc/ssh.bak if the host should keep its identity.

A minimal sshd configuration (PermitRootLogin yes and PasswordAuthentication yes are the permissive choices; once keys are in place, prohibit-password and PasswordAuthentication no are the hardened ones):
  echo "UseDNS no" >> /etc/ssh/sshd_config
  echo "Port 6789" >> /etc/ssh/sshd_config
  echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
  echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
  echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
  mv /usr/sbin/sshd{,.bak}
  mv /usr/bin/ssh{,.bak}
  mv /usr/bin/ssh-keygen{,.bak}
  ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
  ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
  ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
  ssh -V

Start at boot. The systemd unit from the distribution package is replaced by the SysV init script shipped in contrib/redhat (\cp bypasses the cp -i alias so it does not prompt). sshd looks up its PAM configuration under the service name "sshd", so the PAM file must be installed as /etc/pam.d/sshd, not sshd.pam:
  systemctl disable sshd --now
  mv /usr/lib/systemd/system/sshd.service{,.bak}
  systemctl daemon-reload
  \cp -a contrib/redhat/sshd.init /etc/init.d/sshd
  \cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
  chkconfig --add sshd
  systemctl enable sshd --now
  systemctl start sshd
  ssh -V
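The version-letter ordering described above is easy to get wrong by eye ("1.1.1k" looks newer than "1.1.1l" to a naive string sort), and after the rebuild it is worth confirming which libcrypto the new sshd actually loads. The following is an added example, not code from the original post: two POSIX sh helpers that parse the output of openssl version into a comparable number and extract the libcrypto path from ldd output. The LDD_SAMPLE text is constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): decide from the output of
# `openssl version` whether the installed OpenSSL already carries the
# CVE-2021-3711 fix, i.e. is 1.1.1l or newer, and find out which libcrypto a
# binary such as the rebuilt sshd really links against.
#
# OpenSSL 1.x patch releases are ordered by their letter suffix
# (1.1.1k < 1.1.1l < 1.1.1m, and 1.0.2z < 1.0.2za); 3.x has no letters and
# sorts above every 1.x release.

# Turn "OpenSSL 1.1.1k  25 Mar 2021" into one integer so two versions can be
# compared with a plain -ge test. Returns 1 if the string is not parsable.
openssl_version_num() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$v" ] || return 1
    num=${v%%[a-z]*}                 # "1.1.1"
    letters=${v#"$num"}              # "k", "" or "za"
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    ord=0                            # a=1 ... z=26, za=27, zb=28 ...
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}  # first character of $letters
        letters=${letters#?}
        ord=$((ord + $(printf '%d' "'$c") - 96))
    done
    echo $((major * 100000000 + minor * 1000000 + patch * 1000 + ord))
}

# Exit 0 if $1 (an `openssl version` line) is 1.1.1l or newer, 1 if older,
# 2 if it cannot be parsed. Anything on an older branch, e.g. the stock
# 1.0.2k on CentOS 7, counts as older and needs the upgrade described above.
openssl_has_3711_fix() {
    have=$(openssl_version_num "$1") || return 2
    fixed=$(openssl_version_num "OpenSSL 1.1.1l")
    [ "$have" -ge "$fixed" ]
}

# Print the libcrypto path from `ldd` output, e.g.
#   libcrypto_path "$(ldd /usr/local/openssh/sbin/sshd)"
# If this still prints the old system library under /usr/lib64, the new sshd
# was linked against it and the ldconfig / --with-ssl-dir steps did not take.
libcrypto_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*libcrypto\.so[^ ]* => \([^ ]*\).*/\1/p'
}

# Constructed sample of what ldd prints for a binary linked to the new library.
LDD_SAMPLE='    linux-vdso.so.1 =>  (0x00007ffd1a3fe000)
    libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f1c2c0e4000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f1c2bece000)'

# Check the host this script runs on (silently skipped if openssl is absent).
if ver=$(openssl version 2>/dev/null); then
    if openssl_has_3711_fix "$ver"; then
        echo "$ver: has the CVE-2021-3711 fix (1.1.1l or newer)"
    else
        echo "$ver: older than 1.1.1l, upgrade"
    fi
fi
```

The numeric key weights major, minor and patch so that a 3.x release always sorts above 1.1.1x, which matches the post's remark that the latest series is 3.0.1; multi-letter suffixes such as 1.0.2za are counted as "one past z", so they sort after the single-letter releases of the same branch.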
2022-02-21
linuxea: simple LAN time sync with ntp and chronyd
In some environments we need our own NTP server, and we may also need chronyd on the nodes to sync to it. In a Kubernetes cluster the node clocks must agree, and some alert rules check for it. On a LAN without internet access this means setting up ntp by hand.

ntp

Install ntp with yum install, then point it at a server line such as:
  server 192.168.5.26 iburst

prefer: prefer this time server over the others.
burst: when the remote NTP server is reachable, send a burst of packets at every poll.
iburst: when the remote NTP server is unreachable, send a burst of packets. With iburst the client sends eight packets instead of the usual one if there is no reply within a normal poll interval; if the server still does not answer recognisably after several tries in a short time, the local clock is left unchanged.

Usually this is only done for a small LAN with no public network. /etc/ntp.conf:
  driftfile /var/lib/ntp/ntp.drift
  statistics loopstats peerstats clockstats
  filegen loopstats file loopstats type day enable
  filegen peerstats file peerstats type day enable
  filegen clockstats file clockstats type day enable
  server ntp1.aliyun.com prefer
  server 192.168.5.26 iburst
  server ntp.aliyun.com prefer
  server 2.centos.pool.ntp.org iburst
  server 3.centos.pool.ntp.org iburst
  #server ntp.ubuntu.com
  server 127.127.1.0
  fudge 127.127.1.0 stratum 5
  restrict -4 default kod notrap nomodify nopeer noquery
  restrict -6 default kod notrap nomodify nopeer noquery
  restrict 17.168.0.0 mask 255.255.255.0 nomodify
  restrict 127.0.0.1
  restrict ::1
  #https://www.jianshu.com/p/e5e486c8e365
The two restrict default lines matter: noquery refuses the mode 6/7 status queries that make an exposed ntpd usable for amplification, and the LAN line only lifts nomodify's companion restrictions for 17.168.0.0/24 clients, which may sync but not reconfigure the server.

Then start it:
  systemctl start ntpd
  systemctl enable ntpd

chronyd

Chrony is free, open-source software. If its config names an NTP server, chrony acts as a client and syncs to it; if it is configured to allow certain clients to sync from it, it acts as a server as well. One chrony install can therefore be client, server, or both. Chrony has two components:

chronyd: the daemon. It adjusts the system clock maintained by the kernel to match the time servers, working out the rate at which the machine gains or loses time and compensating for it.
chronyc: the command-line interface for monitoring performance and changing configuration, usable on the machine running chronyd or from a different remote machine.

ntpd can take a long time to bring the clock into sync; on CentOS 7 chrony is the default time-sync implementation. chrony is compatible with ntpd and listens on UDP 123; it also listens on UDP 323 for chronyc commands. Install it with yum install -y chrony.

The check that Kubernetes-side monitoring usually relies on is the NTP synchronized field of timedatectl:
  ~ # timedatectl
        Local time: 五 2021-10-29 15:05:00 CST
    Universal time: 五 2021-10-29 07:05:00 UTC
          RTC time: 五 2021-10-29 07:05:09
         Time zone: Asia/Shanghai (CST, +0800)
       NTP enabled: yes
  NTP synchronized: no
   RTC in local TZ: no
        DST active: n/a

Stop ntpd, back up the chrony config, and point chrony at the ntp server set up above (192.168.5.26) with the Aliyun servers as fallbacks:
  systemctl stop ntpd
  cp /etc/chrony.conf{,.bak}
  cat > /etc/chrony.conf << EOF
  server 192.168.5.26
  server ntp1.aliyun.com
  server ntp2.aliyun.com
  driftfile /var/lib/chrony/drift
  makestep 1.0 3
  rtcsync
  logdir /var/log/chrony
  EOF

Then enable it at boot, restart it, check it, and open the firewall for NTP:
  systemctl enable --now chronyd
  systemctl restart chronyd
  chronyc activity
  chronyc sources
  firewall-cmd --add-service=ntp --permanent
  firewall-cmd --reload

Check its status:
  [root@linuxea.com ~]# chronyc activity
  200 OK
  1 sources online
  0 sources offline
  0 sources doing burst (return to online)
  0 sources doing burst (return to offline)
  0 sources with unknown address
  [root@linuxea.com ~]# chronyc sources
  210 Number of sources = 1
  MS Name/IP address         Stratum Poll Reach LastRx Last sample
  ===============================================================================
  ^? 17.168.0.165                  3   6     3    12  -4527us[-4527us] +/-   51ms
  [root@linuxea.com ~]# chronyc sources -v
  210 Number of sources = 1

    .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
   / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
  | /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
  ||                                                 .- xxxx [ yyyy ] +/- zzzz
  ||      Reachability register (octal) -.           |  xxxx = adjusted offset,
  ||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
  ||                                \     |          |  zzzz = estimated error.
  ||                                 |    |           \
  MS Name/IP address         Stratum Poll Reach LastRx Last sample
  ===============================================================================
  ^* 17.168.0.165                  3   6     7    14  -5642ns[ -33.3s] +/-   62ms
  [root@linuxea.com ~]# chronyc tracking
  Reference ID    : 11A800A5 (17.168.0.165)
  Stratum         : 4
  Ref time (UTC)  : Fri Oct 29 07:09:14 2021
  System time     : 0.000000000 seconds slow of NTP time
  Last offset     : -33.251636505 seconds
  RMS offset      : 33.251636505 seconds
  Frequency       : 10.242 ppm slow
  Residual freq   : -0.000 ppm
  Skew            : 63.129 ppm
  Root delay      : 0.048810445 seconds
  Root dispersion : 0.042059928 seconds
  Update interval : 0.0 seconds
  Leap status     : Normal
The source went from '?' (unreachable) to '*' (current synced), and the Last offset of -33 s is the initial correction: makestep 1.0 3 lets chronyd step the clock when the offset exceeds 1 s during the first three updates, instead of slewing a 33 s error slowly.

Finally, timedatectl now shows NTP synchronized: yes:
  [root@linuxea.com ~]# timedatectl
        Local time: 五 2021-10-29 15:10:56 CST
    Universal time: 五 2021-10-29 07:10:56 UTC
          RTC time: 五 2021-10-29 07:10:32
         Time zone: Asia/Shanghai (CST, +0800)
       NTP enabled: yes
  NTP synchronized: yes
   RTC in local TZ: no
        DST active: n/a

Reference: Chrony - replacing your NTP service
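The chronyc output above is what an alert on clock drift has to read: the '*' in the state column says which source chronyd is actually synced to, and Last offset says how far the clock was off at the last update. As an added example, not code from the original post, here is a small POSIX sh health check over that text, usable from cron or as a monitoring probe. The sample outputs are the post's own (a freshly started chronyd that just stepped 33 s) plus one constructed "settled" tracking output; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: a health check over the text
# that `chronyc sources` and `chronyc tracking` print. Live use:
#   chrony_health "$(chronyc sources)" "$(chronyc tracking)" 1.0

# Print the source chronyd is currently synced to (state column '*').
# Exit 1 if no source is marked '*', i.e. the daemon is not synchronised yet.
chrony_synced_source() {
    printf '%s\n' "$1" | awk '
        length($1) == 2 && substr($1, 2, 1) == "*" { print $2; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print |Last offset| from `chronyc tracking`. Exit 0 only if it is within $2
# seconds and the leap status is not "Not synchronised".
chrony_offset_within() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^Last offset/ { off = $4 + 0; if (off < 0) off = -off; seen = 1; print off }
        /^Leap status/ && /Not synchronised/ { unsynced = 1 }
        END { exit (seen && !unsynced && off <= max + 0 ? 0 : 1) }'
}

# Combined verdict: 0 = healthy, 1 = no synced source, 2 = synced but the
# last offset is outside the threshold (or leap status says unsynchronised).
chrony_health() {
    sources=$1; tracking=$2; max=$3
    src=$(chrony_synced_source "$sources") || { echo "no synced source"; return 1; }
    off=$(chrony_offset_within "$tracking" "$max") || {
        echo "synced to $src but last offset ${off:-?} s is outside ${max} s"; return 2; }
    echo "synced to $src, last offset $off s"
}

# Sample `chronyc sources` output as shown in the post (source already '*').
SOURCES_SAMPLE='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 17.168.0.165                  3   6     7    14  -5642ns[ -33.3s] +/-   62ms'

# Sample `chronyc tracking` output from the post: right after the 33 s step.
TRACKING_SAMPLE='Reference ID    : 11A800A5 (17.168.0.165)
Stratum         : 4
Ref time (UTC)  : Fri Oct 29 07:09:14 2021
System time     : 0.000000000 seconds slow of NTP time
Last offset     : -33.251636505 seconds
RMS offset      : 33.251636505 seconds
Frequency       : 10.242 ppm slow
Leap status     : Normal'

# Constructed: the same host a few minutes later, once the clock has settled.
TRACKING_SETTLED='Reference ID    : 11A800A5 (17.168.0.165)
Last offset     : -0.000312504 seconds
Leap status     : Normal'

# Demo: the first call fails with status 2 (offset 33 s > 1 s), the second passes.
chrony_health "$SOURCES_SAMPLE" "$TRACKING_SAMPLE" 1.0 || echo "exit status $?"
chrony_health "$SOURCES_SAMPLE" "$TRACKING_SETTLED" 1.0
```

Splitting the check in two matters for the post's own scenario: immediately after the first sync the source is already '*', so a probe that only looks at chronyc sources (or at timedatectl's NTP synchronized: yes) would report healthy while the clock has just jumped by half a minute; the offset threshold catches that window.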
2016-12-28
ssh fails with Read from socket failed: Connection reset by peer
After running chown www.www /* (which changed the ownership of every top-level directory) the host could no longer be reached over ssh: Read from socket failed: Connection reset by peer.

  [root@linuxea-com ~]# tail -f /var/log/auth.log
The log shows:
  type=USER_LOGIN msg=audit(1482840012.303:122122): pid=12106 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)"

Add -v to the client to get more detail about the connection attempt:
  ssh user@computerB -v

If the cause is that the host's rsa and dsa keys are missing, regenerate them. (The original commands used -t rsa1, which produces an SSH protocol 1 key; the protocol 2 host key that sshd loads from ssh_host_rsa_key is -t rsa.)
  [root@linuxea-com ~]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
  [root@linuxea-com ~]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

If it still reports Read from socket failed: Connection reset by peer, check that ownership and permissions match what sshd expects. With StrictModes (the default) the user's .ssh directory and the files in it must belong to that user and must not be group- or world-writable; the files here are 644:
  [root@linuxea-com ~]# ll /root/.ssh/
  总用量 8
  -rw-r--r--. 1 root root 1176 12月 27 17:05 authorized_keys
  -rw-r--r--  1 root root  174 12月 28 09:46 known_hosts

/etc/ssh should look like this: everything owned by root, sshd_config 600, private host keys root:ssh_keys with mode 640, public keys 644:
  [root@linuxea-com ~]# ll /etc/ssh
  总用量 276
  -rw-r--r--  1 root root     242153 3月  22 2016 moduli
  -rw-r--r--  1 root root       2208 3月  22 2016 ssh_config
  -rw-------. 1 root root       4327 4月  15 2016 sshd_config
  -rw-r-----. 1 root ssh_keys    227 4月  15 2016 ssh_host_ecdsa_key
  -rw-r--r--. 1 root root        162 4月  15 2016 ssh_host_ecdsa_key.pub
  -rw-r-----. 1 root ssh_keys    387 4月  15 2016 ssh_host_ed25519_key
  -rw-r--r--. 1 root root         82 4月  15 2016 ssh_host_ed25519_key.pub
  -rw-r-----. 1 root ssh_keys   1675 4月  15 2016 ssh_host_rsa_key
  -rw-r--r--. 1 root root        382 4月  15 2016 ssh_host_rsa_key.pub
  [root@linuxea-com ~]#

If the client reports that no matching host key algorithm was found, move all ssh_host_* files out of /etc/ssh and restart sshd; on CentOS the sshd service regenerates missing host keys at start. Existing clients will then warn about a changed host key until their known_hosts entry is updated. Other services broken by the same chown need the same treatment: restore the ownership of their directories, pid files and log files.
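The listings above are checked by eye; after a stray chown it is easier to let a script walk /etc/ssh and each ~/.ssh and report exactly the conditions sshd's StrictModes rejects. The following is an added example, not code from the original post: a POSIX sh audit that parses ls -ld output (so it runs without GNU stat) and flags wrong ownership, group/world-writable entries, and private keys readable by others. The function name and the "expected owner" argument are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: an ownership/permission audit
# for the files the post checks by hand (/etc/ssh and ~/.ssh). sshd with
# StrictModes (the default) refuses a user's .ssh directory and key files that
# are not owned by that user or are writable by group/others, and it refuses to
# load a private host key that other users can read.
#
# Usage: sshd_perm_problems DIR [OWNER]     (OWNER defaults to root)
# Prints one line per problem; returns 1 if any were found, 0 otherwise.
# Typical use after the incident described above:
#   sshd_perm_problems /etc/ssh root && sshd_perm_problems /root/.ssh root
sshd_perm_problems() {
    dir=$1; owner=${2:-root}; n=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")                 # $1 = mode string, $3 = owner
        mode=$1; own=$3
        if [ "$own" != "$owner" ]; then
            echo "$f: owned by $own, expected $owner"; n=$((n + 1))
        fi
        # Mode string positions: 2-4 user, 5-7 group, 8-10 other (rwx each).
        case $mode in
            ?????w*|????????w*)               # group write (6) or other write (9)
                echo "$f: group/world writable ($mode)"; n=$((n + 1)) ;;
        esac
        case ${f##*/} in
            *.pub) ;;                         # public halves are meant to be readable
            *_key|id_*)                       # private keys: no read bit for others (8)
                case $mode in
                    ???????r*) echo "$f: private key readable by others ($mode)"; n=$((n + 1)) ;;
                esac ;;
        esac
    done
    [ "$n" -eq 0 ]
}
```

The check is deliberately stricter than the listing in the post in one place: the post's /root/.ssh files are 644, which StrictModes accepts (only write bits for group/others are rejected), and the audit accepts them too; it objects only to a private key such as id_rsa or ssh_host_rsa_key that anyone can read.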
2016-09-26
Controlling two computers with one keyboard and mouse using synergy
Download link (password: bl2c)
Server: install synergy-v1.8.2-stable-36cd521-Windows-x64.msi.
Copyright: www.linuxea.com. Original article: http://www.linuxea.com/1446.html. Reposts must credit the source and keep this notice.
Client: then click OK.
Demo of the result.
2016-06-06
Building bind-9.10.4-P1 from source
1. Download bind9:
  wget -P /usr/local https://www.isc.org/downloads/file/bind-9-10-4-p1/?version=tar-gz
2. Install the build dependencies:
  yum install gcc openssl-devel
3. Configure, build and install (built without OpenSSL, which is why the dnssec-* options below stay commented out):
  ./configure --prefix=/usr/local/bind --with-openssl=no && make && make install
4. Create the service user and the config directory. The named user only takes effect if named is started with -u named; the command in step 10 starts it as root.
  useradd -r named
  mkdir /etc/named
5. Generate the rndc key:
  /usr/local/bind/sbin/rndc-confgen > /etc/named/rndc.conf
6. rndc-confgen ends with a commented-out block meant for named.conf; strip the "# " prefix and use it as the starting point:
  tail -10 /etc/named/rndc.conf | head -9 | sed s/#\ //g > /etc/named/named.conf
7. Edit the config file:
  vim /etc/named/named.conf

  #key
  key "rndc-key" {
      algorithm hmac-md5;
      secret "6XeRgStQZy79gFQzKIqW7w==";
  };
  controls {
      inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { "rndc-key"; };
  };
  #file dir
  options {
      directory "/var/named";
      pid-file "named.pid";
      recursion yes;
      #forward first;
      # forwarders { 8.8.8.8;8.8.4.4;114.114.114.114; };
      // dns recursion
      allow-query { any; };
      # dnssec-enable yes;
      # dnssec-validation yes;
  };
  #localhost zone
  zone "." IN {
      type hint;
      file "named.root";
  };
  zone "localhost" IN {
      type master;
      file "localhost.zone";
      allow-update { none; };
  };
  zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
  };
Note that recursion yes together with allow-query { any; } makes this an open resolver for everyone who can reach port 53, which is abusable for DNS amplification; on anything but an isolated LAN, limit recursion to your own networks with allow-recursion.
8. Generate the root hints file (in /var/named, the directory set in options):
  dig > named.root
9. Create named.local and localhost.zone:
  vim /var/named/named.local

  $TTL 86400
  @   IN  SOA localhost. root.localhost. (
                  1997022700 ; Serial
                  28800      ; Refresh
                  14400      ; Retry
                  3600000    ; Expire
                  86400 )    ; Minimum
      IN  NS  localhost.
  1   IN  PTR localhost.

  vim /var/named/localhost.zone

  $TTL 86400
  $ORIGIN localhost.
  @  1D IN SOA @ root (
                  42   ; serial (d. adams)
                  3H   ; refresh
                  15M  ; retry
                  1W   ; expiry
                  1D ) ; minimum
     1D IN NS  @
     1D IN A   127.0.0.1
10. Start named and check that it is listening (ss -t shows only TCP; add -u to see the UDP 53 sockets that carry most DNS traffic):
  /usr/local/bind/sbin/named -c /etc/named/named.conf
  ss -tlnp|grep :53
  LISTEN 0 10 10.10.234.163:53 *:* users:(("named",66025,23))
  LISTEN 0 10 127.0.0.1:53 *:* users:(("named",66025,22))
  LISTEN 0 10 :::53 :::* users:(("named",66025,21))
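The options block in step 7 answers recursive queries from any address. As an added example (not from the original post), here is the same block with recursion and cache access limited to local clients while the authoritative zones stay publicly queryable. The 10.10.234.0/24 prefix is an assumption taken from the listening address in the ss output above and must be replaced with the networks that should actually be allowed to recurse; the listen-on and version lines are likewise additions, not part of the post's config.

```conf
options {
    directory "/var/named";
    pid-file "named.pid";
    listen-on { 127.0.0.1; 10.10.234.163; };          // added: do not bind every interface
    allow-query { any; };                             // authoritative zones stay public
    recursion yes;
    allow-recursion { 127.0.0.1; 10.10.234.0/24; };   // recursion only for local clients (assumed prefix)
    allow-query-cache { 127.0.0.1; 10.10.234.0/24; }; // the same clients may read cached answers
    version "not disclosed";                          // added: hide the BIND version from version.bind queries
    // forwarders { 8.8.8.8; 8.8.4.4; 114.114.114.114; };
    // dnssec-enable / dnssec-validation need a build with OpenSSL (see step 3)
};
```

With this block a query for a name the server is not authoritative for from outside 10.10.234.0/24 gets REFUSED instead of being resolved on the caller's behalf, which is the behaviour you want from a resolver that happens to be reachable beyond the LAN.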