diff --git a/h3.md b/h3.md
index 2f46326..6406c62 100644
--- a/h3.md
+++ b/h3.md
@@ -404,6 +404,8 @@ Total run time: 110.429 ms
 **Vastaus:**
+**HUOM!** Koska tehtävänannossa ei pyydetty käyttämään master-koneella sijaitsevaa esimääritettyä SSHD:n konfiguraatiotiedostoa ja pyydettiin vaihtamaan pelkkä SSHD:n yhteysportti minionille/minioneille, on SLS-tiedosto rakennettu tämän esivaatimuksen pohjalta. Yleisesti voidaan haluta samat asetukset kaikille minioneille, jolloin tulee käyttää esimääritettyä SSHD:n konfiguraatiotiedostoa, joka korvaa minionilla/minioneilla olevan tiedoston.
+ Halusin kokeilla jinja:lla lukujen generointia tässä tehtävässä. Olisi voitu toki käyttää ennalta määriteltyä porttia, mutta hauskempaa generoida jotain satunnaista. Soveltuuko tämä käyttökohteeseen, it's up to you. SSH-portti generoidaan väliltä 23-600. Käytetään seuraavaa sisältöä uuteen state-tiedostoon.
@@ -428,22 +430,24 @@ check_sshd_config: check_sshd_current_port: cmd.run: - - name: 'echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"' + - name: 'echo "current SSH daemon port for $(hostname) (Salt ID: {{ grains['id'] }}) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"' - require: - file: check_sshd_config prevent_if_ssh_sessions_open: cmd.run: - names: - - 'SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi' + - 'SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: {{ grains['id'] }}): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi' - unset SSH_SESSIONS - require: - file: check_sshd_config - cmd: check_sshd_current_port -ssh_port: - cmd.run: - - name: 'sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port {{ supersecret_ssh_port }}/" /etc/ssh/sshd_config' +new_ssh_port: + file.replace: + - name: /etc/ssh/sshd_config + - pattern: '^[#P]+ort [0-9][0-9]*' + - repl: 'Port {{ supersecret_ssh_port }}' - require: - cmd: prevent_if_ssh_sessions_open @@ -451,14 +455,14 @@ sshd_restart: service.running: - name: ssh.service # Yes, this is the daemon process - watch: - - cmd: ssh_port + - file: new_ssh_port ssh_new_port_inform: cmd.run: - - name: 'echo "new SSH daemon port for $(hostname) is {{ supersecret_ssh_port }}"' + - name: 'echo "new SSH daemon port for $(hostname) (Salt ID: {{ grains['id'] }}) is {{ supersecret_ssh_port }}"' - require: - service: sshd_restart - - cmd: ssh_port + - file: new_ssh_port ``` 
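Review bot: The new `new_ssh_port` state relies on `file.replace` finding a line that matches `'^[#P]+ort [0-9][0-9]*'`; if the minion's sshd_config has no `Port`/`#Port` line at all (for example when the port lives only in an included drop-in file), the state succeeds with no change, the `watch` on `sshd_restart` never fires, and `ssh_new_port_inform` still announces a port that was never applied. Adding `- append_if_not_found: True` and `- not_found_content: 'Port {{ supersecret_ssh_port }}'` to `new_ssh_port` makes the run report what actually happened. The `'echo "... {{ grains['id'] }} ..."'` form used in the three changed `cmd.run` names only parses because Jinja renders before YAML; writing `{{ grains.id }}` (or `grains["id"]`) avoids nesting single quotes inside a single-quoted scalar and is easier to read. Since `supersecret_ssh_port` is generated outside this hunk from the 23-600 range described in the preceding text, which overlaps well-known service ports, a port already bound on the minion would make the sshd restart fail and leave the host unreachable over SSH, so a pre-check that the chosen port is free before `new_ssh_port` runs would be worth adding; the enclosing SLS listing starts before this hunk.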
@@ -477,8 +481,8 @@ orjakone: Function: pkg.installed Result: True Comment: All specified packages are already installed - Started: 11:14:51.005448 - Duration: 449.647 ms + Started: 14:26:13.249172 + Duration: 416.921 ms Changes: ---------- ID: check_sshd_config 
@@ -486,38 +490,38 @@ orjakone: Name: /etc/ssh/sshd_config Result: True Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made. - Started: 11:14:51.457698 - Duration: 1.118 ms + Started: 14:26:13.668542 + Duration: 1.195 ms Changes: ---------- ID: check_sshd_current_port Function: cmd.run - Name: echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)" + Name: echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)" Result: True - Comment: Command "echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run - Started: 11:14:51.459390 - Duration: 4.195 ms + Comment: Command "echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run + Started: 14:26:13.671432 + Duration: 4.479 ms Changes: ---------- pid: - 2817 + 2813 retcode: 0 stderr: stdout: - current SSH daemon port for minion is: Port 22 + current SSH daemon port for minion (Salt ID: orjakone) is: Port 22 ---------- ID: prevent_if_ssh_sessions_open Function: cmd.run - Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi + Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi Result: True - Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." 
&& false; fi" run - Started: 11:14:51.464445 - Duration: 12.004 ms + Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run + Started: 14:26:13.676350 + Duration: 13.544 ms Changes: ---------- pid: - 2820 + 2816 retcode: 0 stderr: @@ -528,40 +532,46 @@ orjakone: Name: unset SSH_SESSIONS Result: True Comment: Command "unset SSH_SESSIONS" run - Started: 11:14:51.476790 - Duration: 3.682 ms + Started: 14:26:13.690114 + Duration: 3.341 ms Changes: ---------- pid: - 2827 + 2823 retcode: 0 stderr: stdout: ---------- - ID: ssh_port - Function: cmd.run - Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config + ID: new_ssh_port + Function: file.replace + Name: /etc/ssh/sshd_config Result: True - Comment: Command "sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config" run - Started: 11:14:51.480849 - Duration: 3.743 ms + Comment: Changes were made + Started: 14:26:13.693988 + Duration: 4.119 ms Changes: ---------- - pid: - 2828 - retcode: - 0 - stderr: - stdout: + diff: + --- + +++ + @@ -10,7 +10,7 @@ + # possible, but leave them commented. Uncommented options override the + # default value. + + -Port 22 + +Port 199 + #AddressFamily any + #ListenAddress 0.0.0.0 + #ListenAddress :: ---------- ID: sshd_restart Function: service.running Name: ssh.service Result: True Comment: Service restarted - Started: 11:14:51.510980 - Duration: 32.241 ms + Started: 14:26:13.724516 + Duration: 31.875 ms Changes: ---------- ssh.service: 
@@ -569,20 +579,20 @@ orjakone: ---------- ID: ssh_new_port_inform Function: cmd.run - Name: echo "new SSH daemon port for $(hostname) is 199" + Name: echo "new SSH daemon port for $(hostname) (Salt ID: orjakone) is 199" Result: True - Comment: Command "echo "new SSH daemon port for $(hostname) is 199"" run - Started: 11:14:51.543628 - Duration: 4.88 ms + Comment: Command "echo "new SSH daemon port for $(hostname) (Salt ID: orjakone) is 199"" run + Started: 14:26:13.756793 + Duration: 7.15 ms Changes: ---------- pid: - 2838 + 2832 retcode: 0 stderr: stdout: - new SSH daemon port for minion is 199 + new SSH daemon port for minion (Salt ID: orjakone) is 199 Summary for orjakone ------------ @@ -590,7 +600,7 @@ Succeeded: 8 (changed=6) Failed: 0 ------------ Total states run: 8 -Total run time: 511.510 ms +Total run time: 482.624 ms ``` Näyttäisi siltä, että portti 199 on generoitu uudeksi SSH daemonin yhteysportiksi koneelle 'orjakone'. Varmistetaan tietojen oikeellisuus. Tämän voi tehdä etänä SSH-yhteyden avulla muultakin koneelta (testataan yhteyden toimivuus orjakoneen IP:een SSH clientilla porttia 199 käyttäen), @@ -617,8 +627,8 @@ orjakone: Function: pkg.installed Result: True Comment: All specified packages are already installed - Started: 11:10:01.571133 - Duration: 480.26 ms + Started: 14:29:50.043605 + Duration: 390.748 ms Changes: ---------- ID: check_sshd_config 
@@ -626,44 +636,44 @@ orjakone: Name: /etc/ssh/sshd_config Result: True Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made. - Started: 11:10:02.053906 - Duration: 1.192 ms + Started: 14:29:50.436782 + Duration: 1.099 ms Changes: ---------- ID: check_sshd_current_port Function: cmd.run - Name: echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)" + Name: echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)" Result: True - Comment: Command "echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run - Started: 11:10:02.055645 - Duration: 4.458 ms + Comment: Command "echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run + Started: 14:29:50.438437 + Duration: 3.965 ms Changes: ---------- pid: - 2783 + 2987 retcode: 0 stderr: stdout: - current SSH daemon port for minion is: Port 98 + current SSH daemon port for minion (Salt ID: orjakone) is: Port 379 ---------- ID: prevent_if_ssh_sessions_open Function: cmd.run - Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi + Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi Result: False - Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." 
&& false; fi" run - Started: 11:10:02.060527 - Duration: 12.857 ms + Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run + Started: 14:29:50.442778 + Duration: 11.447 ms Changes: ---------- pid: - 2786 + 2990 retcode: 1 stderr: stdout: - -e minion: The following established SSH session were found: - tcp6 0 0 ::1:98 ::1:46718 ESTABLISHED 1945/sshd: fincer [ + -e minion (Salt ID: orjakone): The following established SSH session were found: + tcp6 0 0 ::1:379 ::1:36896 ESTABLISHED 2869/sshd: fincer [ Not changing SSH daemon port. ---------- @@ -672,20 +682,20 @@ orjakone: Name: unset SSH_SESSIONS Result: True Comment: Command "unset SSH_SESSIONS" run - Started: 11:10:02.073603 - Duration: 3.746 ms + Started: 14:29:50.454451 + Duration: 3.132 ms Changes: ---------- pid: - 2794 + 2998 retcode: 0 stderr: stdout: ---------- - ID: ssh_port - Function: cmd.run - Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 428/" /etc/ssh/sshd_config + ID: new_ssh_port + Function: file.replace + Name: /etc/ssh/sshd_config Result: False Comment: One or more requisite failed: ssh_random.prevent_if_ssh_sessions_open Changes: @@ -694,14 +704,14 @@ orjakone: Function: service.running Name: ssh.service Result: False - Comment: One or more requisite failed: ssh_random.ssh_port + Comment: One or more requisite failed: ssh_random.new_ssh_port Changes: ---------- ID: ssh_new_port_inform Function: cmd.run - Name: echo "new SSH daemon port for $(hostname) is 428" + Name: echo "new SSH daemon port for $(hostname) (Salt ID: orjakone) is 258" Result: False - Comment: One or more requisite failed: ssh_random.sshd_restart, ssh_random.ssh_port + Comment: One or more requisite failed: ssh_random.sshd_restart, ssh_random.new_ssh_port Changes: Summary for orjakone 
@@ -710,10 +720,11 @@ Succeeded: 4 (changed=3) Failed: 4 ------------ Total states run: 8 -Total run time: 502.513 ms +Total run time: 410.391 ms +ERROR: Minions returned with non-zero exit code ``` -![prevent-ssh-portchange_](https://raw.githubusercontent.com/Fincer-altego/central-management-of-multiple-servers/master/images/ssh_prevent_portchange_.png) +![prevent-ssh-portchange_](https://raw.githubusercontent.com/Fincer-altego/central-management-of-multiple-servers/master/images/salt_ssh-prevent-portchange.png) **e)** Kokeile jonkun toisen opiskelijan tekemää Salt-tilaa. Kokeiltava tila voi olla mistä vain harjoituksesta. Opiskelijoiden raportteja ja koodeja löydät tämän sivun perästä kommenteista. --------------