From 110b3c96cf1ede9c44b56398a59f197757dbcb70 Mon Sep 17 00:00:00 2001
From: Pekka Helenius <35750356+Fincer-altego@users.noreply.github.com>
Date: Tue, 17 Apr 2018 00:49:08 +0300
Subject: [PATCH] Exercise 3: Add 'Prevent SSH port change if sessions open'
---
 h3.md | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 106 insertions(+), 15 deletions(-)
diff --git a/h3.md b/h3.md
index 0ab95db..3e106dc 100644
--- a/h3.md
+++ b/h3.md
@@ -456,8 +456,8 @@ orjakone:
 Function: pkg.installed
 Result: True
 Comment: All specified packages are already installed
- Started: 23:47:14.653440
- Duration: 429.865 ms
+ Started: 00:41:53.684126
+ Duration: 438.565 ms
 Changes:
 ----------
 ID: check_sshd_config
@@ -465,21 +465,37 @@ orjakone:
 Name: /etc/ssh/sshd_config
 Result: True
 Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
- Started: 23:47:15.085669
- Duration: 1.391 ms
+ Started: 00:41:54.125139
+ Duration: 1.176 ms
 Changes:
+----------
+ ID: prevent_if_ssh_sessions_open
+ Function: cmd.run
+ Name: if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi
+ Result: True
+ Comment: Command "if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi" run
+ Started: 00:41:54.126854
+ Duration: 10.249 ms
+ Changes:
+ ----------
+ pid:
+ 4907
+ retcode:
+ 0
+ stderr:
+ stdout:
 ----------
 ID: ssh_port
 Function: cmd.run
 Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config
 Result: True
 Comment: Command "sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config" run
- Started: 23:47:15.087670
- Duration: 3.708 ms
+ Started: 00:41:54.137472
+ Duration: 3.691 ms
 Changes:
 ----------
 pid:
- 4319
+ 4912
 retcode:
 0
 stderr:
@@ -490,8 +506,8 @@ orjakone:
 Name: ssh.service
 Result: True
 Comment: Service restarted
- Started: 23:47:15.109629
- Duration: 22.164 ms
+ Started: 00:41:54.159948
+ Duration: 23.825 ms
 Changes:
 ----------
 ssh.service:
@@ -502,12 +518,12 @@ orjakone:
 Name: echo "new SSH daemon port for $(hostname) is 199"
 Result: True
 Comment: Command "echo "new SSH daemon port for $(hostname) is 199"" run
- Started: 23:47:15.132159
- Duration: 3.246 ms
+ Started: 00:41:54.184166
+ Duration: 3.476 ms
 Changes:
 ----------
 pid:
- 4329
+ 4922
 retcode:
 0
 stderr:
@@ -516,11 +532,11 @@ orjakone:
 Summary for orjakone
 ------------
-Succeeded: 5 (changed=3)
+Succeeded: 6 (changed=4)
 Failed: 0
 ------------
-Total states run: 5
-Total run time: 460.374 ms
+Total states run: 6
+Total run time: 480.982 ms
 ```
 Näyttäisi siltä, että portti 199 on generoitu uudeksi SSH daemonin yhteysportiksi koneelle 'orjakone'. Varmistetaan tietojen oikeellisuus. Tämän voi tehdä etänä SSH-yhteyden avulla muultakin koneelta (testataan yhteyden toimivuus orjakoneen IP:een SSH clientilla porttia 199 käyttäen),
@@ -534,6 +550,81 @@ Toinen esimerkki:
 ![randomport-from-master](https://raw.githubusercontent.com/Fincer-altego/central-management-of-multiple-servers/master/images/ssh_randomport_for_minion.png)
+**Lisänä - SSH-portin vaihtamisen estäminen, jos SSH-yhteyksiä on muodostettu minionille**
+
+Jos SSH-yhteyksiä on minionilla auki, voimme haluta estää portin vaihtamisen kesken kaiken. Yllä olevassa SLS-tiedostossa tämä on määritetty state:lla _prevent_if_ssh_sessions_open_.
+
+Masterin output, jos minionilla on SSH-yhteyksiä auki:
+
+```
+orjakone:
+----------
+ ID: check_sshd_install
+ Function: pkg.installed
+ Result: True
+ Comment: All specified packages are already installed
+ Started: 00:37:52.470756
+ Duration: 425.447 ms
+ Changes:
+----------
+ ID: check_sshd_config
+ Function: file.managed
+ Name: /etc/ssh/sshd_config
+ Result: True
+ Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
+ Started: 00:37:52.898531
+ Duration: 1.179 ms
+ Changes:
+----------
+ ID: prevent_if_ssh_sessions_open
+ Function: cmd.run
+ Name: if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi
+ Result: False
+ Comment: Command "if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi" run
+ Started: 00:37:52.900237
+ Duration: 10.394 ms
+ Changes:
+ ----------
+ pid:
+ 4815
+ retcode:
+ 1
+ stderr:
+ stdout:
+----------
+ ID: ssh_port
+ Function: cmd.run
+ Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 305/" /etc/ssh/sshd_config
+ Result: False
+ Comment: One or more requisite failed: ssh_random.prevent_if_ssh_sessions_open
+ Changes:
+----------
+ ID: sshd_restart
+ Function: service.running
+ Name: ssh.service
+ Result: False
+ Comment: One or more requisite failed: ssh_random.ssh_port
+ Changes:
+----------
+ ID: ssh_new_port_inform
+ Function: cmd.run
+ Name: echo "new SSH daemon port for $(hostname) is 305"
+ Result: False
+ Comment: One or more requisite failed: ssh_random.ssh_port, ssh_random.sshd_restart
+ Changes:
+
+Summary for orjakone
+------------
+Succeeded: 2 (changed=1)
+Failed: 4
+------------
+Total states run: 6
+Total run time: 437.020 ms
+ERROR: Minions returned with non-zero exit code
+```
+
+![prevent-ssh-portchange](https://raw.githubusercontent.com/Fincer-altego/central-management-of-multiple-servers/master/images/ssh_prevent_portchange.png)
+
 **e)** Kokeile jonkun toisen opiskelijan tekemää Salt-tilaa. Kokeiltava tila voi olla mistä vain harjoituksesta. Opiskelijoiden raportteja ja koodeja löydät tämän sivun perästä kommenteista.
 --------------