服务器升级记录

最近学校的服务器被信息中心检测出来有很多高危漏洞,给了个通知限期整改。
主要修改了
openssh
vnc
apache
mysql
记录如下:

openssh

1
2
3
4
5
wget https://mirrors.syringanetworks.net/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
cd openssh-7.5p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
make
make install

一些辅助工作

1
2
3
4
5
6
7
install -v -m755    contrib/ssh-copy-id /usr/bin 
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-7.5p1
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.5p1

cp -p contrib/RedHat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd

修改 ssh的配置

1
2
3
4
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
或者直接进去修改
vim /etc/ssh/sshd_config

启动和开机启动

1
2
3
4
service sshd restart
chkconfig --add sshd
chkconfig sshd on
chkconfig --list |grep sshd

大功告成

vnc

关闭就ok了

1
service vncserver stop

apache httpd

将旧版本的httpd 升级到2.4.33

1
2
3
4
5
6
7
8
9
10
11
12
wget http://ftp.tsukuba.wide.ad.jp/software/apache//apr/apr-1.6.3.tar.gz
wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache//apr/apr-util-1.6.1.tar.gz
tar xzvf apr-1.6.3.tar.gz
mv apr-1.6.3 httpd-2.4.33/srclib/apr
tar xzvf apr-util-1.6.1.tar.gz
mv apr-util-1.6.1 httpd-2.4.33/srclib/apr-util
cd httpd-2.4.33
./configure --prefix=/usr/local/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --with-zlib --with-pcre --with-included-apr --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
make
make install
cp /usr/local/httpd24/bin/apachectl /etc/init.d/httpd24
service httpd24 restart

设置开机启动

vim 打开 /etc/init.d/httpd24 , 然后再第二行加上下面这两行

1
2
3
# chkconfig:   2345 90 10

# description: myservice

之后

1
2
3
chkconfig --add httpd24
chkconfig httpd24 on
chkconfig --list

遇到的坑

httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName

在安装目录下找到httpd.conf(我这里就是/usr/local/httpd24/conf/httpd.conf ),把ServerName www.example.com:80 前面的#去掉再重启就ok了。

mysql

将旧版本的mysql升级到8.0版本,参照该处

1
2
3
4
yum localinstall https://dev.mysql.com/get/mysql57-community-release-el6-11.noarch.rpm
yum --enablerepo=mysql80-community install mysql-community-server
service mysqld start
chkconfig --levels 235 mysqld on

之后就是配置mysql数据库了,注意到在执行 service mysqld start 的时候。屏幕上会显示出一个临时的root 密码

A temporary password is generated for root@localhost: V9R.Blr:baQH

用这个密码登录后执行

1
ALTER USER 'root'@'localhost' IDENTIFIED BY 'root123'

如果出现

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

说明密码太简单不符合要求,设置一本复杂的就行。如果实在嫌麻烦,先修改后,输入这样的代码先查看进行密码检查的变量,再根据需要修改这些变量。

1
2
SHOW VARIABLES LIKE 'validate_password%'; 
set global validate_password_length=3;