vsftpd FTP Server 'ls.c' 远程拒绝服务漏洞(CVE-2011-0762)
OpenSSH J-PAKE授权问题漏洞(CVE-2010-4478)
OpenSSH默认服务器配置拒绝服务漏洞(CVE-2010-5107)
OpenSSH glob表达式拒绝服务漏洞(CVE-2010-4755)
NTP 的漏洞规避方法只要在/etc/ntp.conf中加一句:disable monitor即可。
绿盟扫描报有漏洞,焦头烂额了无奈服务器过多,一台一台安装显得辛苦了点,毕竟安装完之后还要修改配置文件一个人搞不晓得要搞几天,写个脚本来安装和配置,纯图省事,这破脚本还写了我一天多,见笑,水平有限。
每个人的环境都不一样,我只针对自己环境写的,只限于以下版本
vsftpd-2.0.7-4.17.1
openssh-5.1p1-41.31.36
ntp-4.2.4p8-1.3.28
升级到:
ntp-4.2.6p5
openssh-6.5p1
vsftpd-3.0.2
#!/bin/bash
#newjoyful@163.com
#set -x
#check version
# Banner for phase 1: verifying the currently installed package releases.
printf '%s\n' "~~~~~~~~~~~~~~~~~~~~~~~~~~check ntp、ssh、vsftpd version! ~~~~~~~~~~~~~~~~~~~~~~~~~~"
#######################################
# Print the package releases this script was written against.
# Outputs:  a header line followed by one line per package, on stdout
# Returns:  0
#######################################
version() {
  local line
  for line in \
    "The current version" \
    "vsftpd-2.0.7-4.17.1" \
    "openssh-5.1p1-41.31.36" \
    "ntp-4.2.4p8-1.3.28"; do
    printf '%s\n' "$line"
  done
}
#
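#######################################
# Abort unless the installed vsftpd rpm is exactly the release this script
# was written against.
# Globals:  ftpver (written; read again by the vsftpd update phase)
# Outputs:  status line on stdout; the mismatch on stderr
# Returns:  0 when the expected release is installed; exits 1 otherwise
#           (the original exited 0 on mismatch, which hides the failure
#           from any caller checking the script's status)
#######################################
ftpversion() {
  local installed
  ftpver=vsftpd-2.0.7-4.17.1
  # Query the package by name instead of grepping `rpm -qa`: the grep could
  # match unrelated packages and an empty or multi-line answer left the
  # unquoted `[ ]` test malformed.
  installed=$(rpm -q vsftpd 2>/dev/null) || installed=
  if [ "$installed" != "$ftpver" ]; then
    printf 'Detection of FTP version not is %s (found: %s)\n' "$ftpver" "${installed:-none}" >&2
    echo "exit!"
    exit 1
  fi
  echo "Detection of FTP version is $ftpver"
}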
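#######################################
# Abort unless the installed openssh rpm is exactly the release this script
# was written against.
# Globals:  sshver (written; read again by the SSH update phase)
# Outputs:  status line on stdout; the mismatch on stderr
# Returns:  0 when the expected release is installed; exits 1 otherwise
#######################################
sshversion() {
  local installed
  sshver=openssh-5.1p1-41.31.36
  # `rpm -qa | grep openssh | head -1` could return openssh-askpass (or any
  # other openssh-* package) first and then reject a correct host; ask for
  # the one package by name.
  installed=$(rpm -q openssh 2>/dev/null) || installed=
  if [ "$installed" != "$sshver" ]; then
    printf 'Detection of SSH version not is %s (found: %s)\n' "$sshver" "${installed:-none}" >&2
    echo "exit"
    exit 1
  fi
  echo "Detection of SSH version is $sshver"
}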
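#######################################
# Abort unless the installed ntp rpm is exactly the release this script
# was written against.
# Globals:  ntpver (written; read again by the NTP update phase)
# Outputs:  status line on stdout; the mismatch on stderr
# Returns:  0 when the expected release is installed; exits 1 otherwise
#######################################
ntpversion() {
  local installed
  ntpver=ntp-4.2.4p8-1.3.28
  # `grep ntp` on the full package list matches anything containing "ntp";
  # query the package by name instead.
  installed=$(rpm -q ntp 2>/dev/null) || installed=
  if [ "$installed" != "$ntpver" ]; then
    printf 'Detection of NTP version not is %s (found: %s)\n' "$ntpver" "${installed:-none}" >&2
    echo "exit"
    exit 1
  fi
  # The original printed $sshver here.
  echo "Detection of NTP version is $ntpver"
}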
# Phase 1: stop here unless every package is at the expected release.
version
ftpversion
sshversion
ntpversion
printf '\n\n'
# Phase 2 banner: fetch the new packages over FTP into /tmp/packet.
printf '%s\n' "~~~~~~~~~~~~~~~~~~~~~~~~~~get ntp、ssh、vsftpd files! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
#ftp auto download (server, account and remote directory are set in download())
printf '%s\n' "ftp auto download new file" "Download to the /tmp/packet directory"
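#######################################
# Create the download staging directory, refusing to reuse an existing one
# so files left over from an earlier run are never built and installed.
# Arguments: $1 - directory to create (default /tmp/packet)
# Outputs:   status on stdout; creation errors on stderr
# Returns:   0 after creating the directory; exits 1 if it already exists
#            or cannot be created
#######################################
ftppackdir() {
  local dir=${1:-/tmp/packet}
  if [ -d "$dir" ]; then
    echo "$dir directory is exist"
    echo "exit"
    exit 1
  fi
  # Owner-only access: the tarballs placed here are later compiled and
  # installed as root, so the original 0777 mode would let any local user
  # swap them before the build.
  if ! mkdir -m 0700 -- "$dir"; then
    echo "cannot create $dir" >&2
    exit 1
  fi
}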
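#######################################
# Fetch every file from the FTP server's root directory into /tmp/packet.
# Globals:  FTP_HOST, FTP_USER, FTP_PASS (read). The defaults are the
#           values the script originally hard-coded; supply them from the
#           environment instead so the password does not live in a script
#           that gets copied from host to host.
# Outputs:  ftp client chatter on stdout/stderr
# Returns:  the ftp client's exit status
#######################################
download() {
  local host=${FTP_HOST:-192.168.20.45}
  local user=${FTP_USER:-aaaaa}
  local pass=${FTP_PASS:-aaaaa}
  # NOTE(review): plain FTP provides no integrity protection and the files
  # fetched here are compiled and installed as root; checking them against
  # known-good checksums before the build phase would close that gap.
  # The here-document delimiter was lost in the original listing; `EOF` is
  # left unquoted so the three variables above expand.
  ftp -n <<EOF
open $host
user $user $pass
binary
cd /
lcd /tmp/packet
prompt
mget *
close
bye
EOF
}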
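ftppackdir
download
printf '\n\n'
#update
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~update ntp、ssh、vsftpd version! ~~~~~~~~~~~~~~~~~~~~~~~~~~"
# Target releases; read by the three update phases that follow.
newntpver=ntp-4.2.6p5
newsshver=openssh-6.5p1
newftpver=vsftpd-3.0.2
updatedir=/tmp/update
echo "1: NTP The new version -> $newntpver"
echo "2: SSH The new version -> $newsshver"
echo "3: FTP The new version -> $newftpver"
echo "ntp and vsftpd The compiler installation,SSH using the RPM installation"
################################################################
# UPDATE NTP
#variables
echo ""
echo "1: update NTP from $ntpver to $newntpver"
cp /etc/ntp.conf /etc/ntp.conf.bak
ftpdir=/tmp/packet
ntpdir=/tmp/update/ntp/
mkdir -p -- "$ntpdir"
# First file in the download directory with "ntp" in its name (basename
# only). A glob replaces the original `ls -l | grep | awk` parse, which
# breaks on file names containing spaces.
ntppack=
for f in "$ftpdir"/*ntp*; do
  [ -f "$f" ] || continue
  ntppack=${f##*/}
  break
done
if [ -z "$ntppack" ]; then
  echo "no ntp package found in $ftpdir" >&2
  exit 1
fi
#cp files to /tmp/update
cp -- "$ftpdir/$ntppack" "$ntpdir"
#Decompression ntp packet
cd "$ntpdir" || exit 1
# Test tar's exit status: the redirection creates the log file even when
# extraction fails, so `[ -f log ]` was always true.
if tar -xvf "$ntppack" >/tmp/ntpjieya.log 2>&1; then
  echo "tar -xvf $ntppack Decompression success"
else
  echo "Decompression Failure" >&2
  exit 1
fi
# The extracted top-level directory can only be discovered AFTER tar has
# run; the original listed the (still empty) directory before extracting,
# so ntpexpname was empty and `cd $ntpexpname` silently went to $HOME.
ntpexpname=
for d in "$ntpdir"*/; do
  [ -d "$d" ] || continue
  d=${d%/}
  ntpexpname=${d##*/}
  break
done
if [ -z "$ntpexpname" ]; then
  echo "no directory was extracted from $ntppack" >&2
  exit 1
fi
#The following content into the ntpfile file
# Fixed name kept because editntp reads it; remove any existing entry first
# so a stale file (or a planted symlink) is not silently written through.
rm -f /tmp/ntpfile
printf '%s\n' "#ifndef MOD_NANO" "#define MOD_NANO 0x2000" "#endif" >/tmp/ntpfile
#./configure
cd "$ntpdir/$ntpexpname" || exit 1
if ./configure --prefix=/usr/local/ntp --enable-all-clocks --enable-parse-clocks --enable-clockctl >/tmp/ntpconfigurefile 2>&1; then
  echo "configure success"
else
  echo "configure Failure (see /tmp/ntpconfigurefile)" >&2
  exit 1
fi
#make
#./ntpd/ntp_loopfilter.c
rm -f /var/tmp/ntp_loopfilter.c.swp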
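#######################################
# Insert the contents of a snippet file into ntpd/ntp_loopfilter.c after
# line 10 — what the original did with vim `:10` + `:r`, here with sed so
# no interactive editor is driven from stdin.
# Arguments: $1 - source file to patch (default ./ntpd/ntp_loopfilter.c)
#            $2 - snippet file to insert (default /tmp/ntpfile)
# Outputs:   reason on stderr on failure
# Returns:   0 on success (including when already applied), 1 if a file is
#            missing or sed fails
#######################################
editntp() {
  local target=${1:-./ntpd/ntp_loopfilter.c}
  local snippet=${2:-/tmp/ntpfile}
  local first
  [ -f "$target" ] || { echo "editntp: $target not found" >&2; return 1; }
  [ -f "$snippet" ] || { echo "editntp: $snippet not found" >&2; return 1; }
  # Idempotent: if the snippet's first line is already in the target, a
  # re-run must not insert the block a second time.
  first=$(head -n 1 -- "$snippet")
  if [ -n "$first" ] && grep -qxF -- "$first" "$target"; then
    return 0
  fi
  # `10r FILE` appends FILE after line 10; a target shorter than 10 lines
  # is left unchanged (sed reports no error), as vim would also have done.
  sed -i "10r $snippet" -- "$target"
}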
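# Exit status, not log-file existence, tells whether the edit worked: the
# redirection creates the log even when the command fails.
if editntp >/tmp/editntp.log 2>&1; then
  echo "edit /ntp_loopfilter.c success"
else
  echo "edit /ntp_loopfilter.c failure" >&2
  exit 1
fi
cd "$ntpdir/$ntpexpname" || exit 1
# The original redirected stdout twice (`>log >/dev/null`), which left the
# log empty; keep a single log with stderr folded in.
if make >/tmp/ntpmake.log 2>&1; then
  echo "make success"
else
  echo "make failure (see /tmp/ntpmake.log)" >&2
  exit 1
fi
#compiler installation
if make install >/tmp/ntpmakeinstall.log 2>&1; then
  echo "make install success"
else
  echo "make install failure (see /tmp/ntpmakeinstall.log)" >&2
  exit 1
fi
#backup old file
# Stop the running daemon before its binary is overwritten. SIGTERM first
# (ntpd shuts down cleanly on it); wait briefly for the process to go away.
ntpproce=
[ -f /var/run/ntp/ntpd.pid ] && ntpproce=$(cat /var/run/ntp/ntpd.pid)
if [ -n "$ntpproce" ]; then
  kill -TERM -- "$ntpproce" 2>/dev/null
  for _ in 1 2 3 4 5; do
    kill -0 -- "$ntpproce" 2>/dev/null || break
    sleep 1
  done
fi
for i in /usr/sbin/ntp*; do
  [ -f "$i" ] || continue
  # The original built "/usr/sbin/$i.bak" from an absolute $i, which is not
  # a usable path; place the backup next to the file.
  cp -- "$i" "$i.bak"
done
#The new version of the file to replace the old version of the file
cp -- /usr/local/ntp/bin/ntp* /usr/sbin/
cp -- /etc/ntp.conf.bak /etc/ntp.conf
#add "disable monitor" to /etc/ntp.conf
# Fixed name kept because editntpcfg reads it; clear any existing entry so a
# stale file or planted symlink is not written through.
rm -f /tmp/ntpcfgfile
echo "disable monitor" >/tmp/ntpcfgfile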
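#######################################
# Append each line of a snippet file to /etc/ntp.conf, skipping lines that
# are already present — so re-running the script does not duplicate
# "disable monitor". Replaces the vim `G` + `:r` sequence of the original.
# Arguments: $1 - config file to extend (default /etc/ntp.conf)
#            $2 - snippet file with the lines to append (default /tmp/ntpcfgfile)
# Outputs:   reason on stderr on failure
# Returns:   0 on success, 1 if a file is missing
#######################################
editntpcfg() {
  local target=${1:-/etc/ntp.conf}
  local snippet=${2:-/tmp/ntpcfgfile}
  local line
  [ -f "$target" ] || { echo "editntpcfg: $target not found" >&2; return 1; }
  [ -f "$snippet" ] || { echo "editntpcfg: $snippet not found" >&2; return 1; }
  # `|| [ -n "$line" ]` still handles a last line without a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    grep -qxF -- "$line" "$target" && continue
    printf '%s\n' "$line" >>"$target"
  done <"$snippet"
}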
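# Report the edit from its exit status; the original printed "success"
# unconditionally.
if editntpcfg >/tmp/editntpcfg.log 2>&1; then
  echo "add disable monitor to /etc/ntp.conf success"
else
  echo "add disable monitor to /etc/ntp.conf failure" >&2
  exit 1
fi
#restart server
# Run the service commands directly; wrapping them in `echo \`...\`` only
# flattened their output onto one line.
service ntp stop
service ntp start
ntpq --v
################################################################
echo ""
#UPDATE vsftpd
#variable
echo "2: update vsftpd from $ftpver to $newftpver"
ftpdir=/tmp/packet
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
vsftpdir=/tmp/update/ftp
mkdir -p -- "$vsftpdir"
# First file in the download directory with "ftp" in its name (basename
# only); a glob instead of parsing `ls -l`.
ftppack=
for f in "$ftpdir"/*ftp*; do
  [ -f "$f" ] || continue
  ftppack=${f##*/}
  break
done
if [ -z "$ftppack" ]; then
  echo "no vsftpd package found in $ftpdir" >&2
  exit 1
fi
#cp files to /tmp/update
cp -- "$ftpdir/$ftppack" "$vsftpdir"
#Decompression ftp packet
cd "$vsftpdir" || exit 1
# Check tar's exit status rather than the log file, which the redirection
# creates even on failure.
if tar -xvf "$ftppack" >/tmp/ftpjieya.log 2>&1; then
  echo "tar -xvf $ftppack success"
else
  echo "Decompression failure" >&2
  exit 1
fi
# Discover the extracted directory AFTER extraction; the original looked
# before running tar, got an empty name, and `cd $ftpexpname` went to $HOME.
ftpexpname=
for d in "$vsftpdir"/*/; do
  [ -d "$d" ] || continue
  d=${d%/}
  ftpexpname=${d##*/}
  break
done
if [ -z "$ftpexpname" ]; then
  echo "no directory was extracted from $ftppack" >&2
  exit 1
fi
cd "$vsftpdir/$ftpexpname" || exit 1
#configure
#Need to replace some characters to support the 64 bit platform,
#otherwise the ./configure will be in error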
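#######################################
# Point vsf_findlibs.sh at lib64/ so the vsftpd build finds its libraries
# on a 64-bit host. Replaces the first "lib/" on each line, exactly what the
# original vim `:%s?lib/?lib64/?` (no `g` flag) did.
# Arguments: $1 - script to patch (default vsf_findlibs.sh in the cwd)
# Outputs:   reason on stderr on failure
# Returns:   0 on success, 1 if the file is missing or sed fails
#######################################
editftpconfigure() {
  local target=${1:-vsf_findlibs.sh}
  [ -f "$target" ] || { echo "editftpconfigure: $target not found" >&2; return 1; }
  sed -i 's?lib/?lib64/?' -- "$target"
}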
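# Exit status, not log existence, decides success (the redirection creates
# the log even when the edit fails).
if editftpconfigure >/tmp/editftpconfigure.log 2>&1; then
  echo "edit vsf_findlibs.sh success"
else
  echo "edit vsf_findlibs.sh failure" >&2
  exit 1
fi
#make
if make >/tmp/ftpmake.log 2>&1; then
  echo "make success"
else
  echo "make failure (see /tmp/ftpmake.log)" >&2
  exit 1
fi
#makeinstall
if make install >/tmp/ftpmakeinstall.log 2>&1; then
  echo "make install success"
else
  echo "make install failure (see /tmp/ftpmakeinstall.log)" >&2
  exit 1
fi
#backup configure file
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
echo "backup /etc/vsftpd成功"
#copy configure file
# NOTE(review): this replaces the site's /etc/vsftpd.conf with the sample
# shipped in the source tree; any local settings survive only in the .bak
# taken above.
cd "$vsftpdir/$ftpexpname" || exit 1
cp vsftpd.conf /etc/
#shutdown old ftp process
service vsftpd stop >/dev/null 2>&1
#edit /etc/init.d/vsftpd,using new version file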
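#######################################
# Make the init script start the newly built binary: rewrite the first
# "/usr/sbin/vsftpd" on each line to "/usr/local/sbin/vsftpd" (same as the
# original vim `:%s`). Re-running is harmless: the new path no longer
# contains the old one.
# Arguments: $1 - init script to patch (default /etc/init.d/vsftpd)
# Outputs:   reason on stderr on failure
# Returns:   0 on success, 1 if the file is missing or sed fails
#######################################
editftpvsftpd() {
  local target=${1:-/etc/init.d/vsftpd}
  [ -f "$target" ] || { echo "editftpvsftpd: $target not found" >&2; return 1; }
  sed -i 's?/usr/sbin/vsftpd?/usr/local/sbin/vsftpd?' -- "$target"
}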
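# Judge the edit by its exit status; the log is created regardless.
if editftpvsftpd >/tmp/editftpvsftpd.log 2>&1; then
  echo "Specifies the new path to success"
else
  echo "Specifies the new path to failure" >&2
  exit 1
fi
#backup and replace file
cd /usr/sbin/ || exit 1
# Only back up what exists; `cp vsftpd vsftpd.bak` errors out on a host
# without the old binary.
[ -f vsftpd ] && cp -- vsftpd vsftpd.bak
cp -- /usr/local/sbin/vsftpd ./
#edit /etc/vsftpd.conf file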
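#######################################
# Apply the four vsftpd.conf changes the original made with vim `:%s`
# (anonymous off; local_enable, write_enable and ascii_upload_enable
# uncommented). Each substitution affects the first match per line, like
# the originals, and a second run finds nothing left to change.
# NOTE(review): ascii_upload_enable=YES is kept because the original set
# it; vsftpd's sample config advises leaving ASCII mode off unless needed.
# Arguments: $1 - config file to patch (default /etc/vsftpd.conf)
# Outputs:   reason on stderr on failure
# Returns:   0 on success, 1 if the file is missing or sed fails
#######################################
editftpcfg() {
  local target=${1:-/etc/vsftpd.conf}
  [ -f "$target" ] || { echo "editftpcfg: $target not found" >&2; return 1; }
  sed -i \
    -e 's?anonymous_enable=YES?anonymous_enable=NO?' \
    -e 's?#local_enable=YES?local_enable=YES?' \
    -e 's?#write_enable=YES?write_enable=YES?' \
    -e 's?#ascii_upload_enable=YES?ascii_upload_enable=YES?' \
    -- "$target"
}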
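if editftpcfg >/tmp/editftpcfg.log 2>&1; then
  echo "edit /etc/vsftpd.conf success"
else
  echo "edit /etc/vsftpd.conf failure" >&2
  exit 1
fi
#restart server
# Report what the restart actually returned instead of an unconditional
# "success".
if service vsftpd restart >/dev/null 2>&1; then
  echo "restart vsftpd success"
else
  echo "restart vsftpd failure" >&2
fi
vsftpd -v
################################################################
echo ""
#UPDATE SSH
#variable
echo "3:update ssh from $sshver to $newsshver"
ftpdir=/tmp/packet
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sshdir=/tmp/update/ssh
mkdir -p -- "$sshdir"
# First file in the download directory with "openssh" in its name; a glob
# instead of parsing `ls -l`.
sshpack=
for f in "$ftpdir"/*openssh*; do
  [ -f "$f" ] || continue
  sshpack=${f##*/}
  break
done
if [ -z "$sshpack" ]; then
  echo "no openssh package found in $ftpdir" >&2
  exit 1
fi
#cp file to /tmp/update
cp -- "$ftpdir/$sshpack" "$sshdir"
#uninstall openssh-askpass
# Not fatal: the package is simply absent on some hosts.
rpm -e openssh-askpass 2>/dev/null
#update openssh
cd "$sshdir" || exit 1
# NOTE(review): the package came over plain FTP; `rpm -K` against the
# vendor key before this step would confirm it is the genuine build.
if rpm -Uvh "$sshpack"; then
  echo "rpm -Uvh $sshpack success"
else
  echo "rpm -Uvh $sshpack failure" >&2
  exit 1
fi
#replace old file
cd /etc/ssh || exit 1
# rpm leaves the packaged config as sshd_config.rpmnew (presumably only when
# the existing file had been modified — verify on the target hosts).
# Adopting it discards any site-specific hardening; the .bak taken above is
# the only copy of the previous settings.
if [ -f sshd_config.rpmnew ]; then
  cp -- sshd_config.rpmnew sshd_config
else
  echo "sshd_config.rpmnew not found; keeping the existing sshd_config" >&2
fi
#edit /etc/ssh/sshd_config file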
editsshcfg()
{
vim /etc/ssh/sshd_config <
: :%s?#PermitRootLogin yes?PermitRootLogin no
:wq
EOF
}
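# The original called editftpcfg here by mistake, so sshd_config was never
# edited (and vsftpd.conf received the FTP substitutions a second time).
if editsshcfg >/tmp/editsshcfg.log 2>&1; then
  echo "edit /etc/ssh/sshd_config success"
else
  echo "edit /etc/ssh/sshd_config failure" >&2
  exit 1
fi
#restart server
# Validate the configuration before restarting: a bad sshd_config would
# otherwise leave sshd down and the host unreachable over SSH.
if /usr/sbin/sshd -t; then
  service sshd restart
else
  echo "sshd_config failed validation (sshd -t); sshd was not restarted" >&2
  exit 1
fi
ssh -V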