**HUOM!** Koska tehtävänannossa ei pyydetty käyttämään master-koneella sijaitsevaa esimääritettyä SSHD:n konfiguraatiotiedostoa ja pyydettiin vaihtamaan pelkkä SSHD:n yhteysportti minionille/minioneille, on SLS-tiedosto rakennettu tämän esivaatimuksen pohjalta. Yleisesti voidaan haluta samat asetukset kaikille minioneille, jolloin tulee käyttää esimääritettyä SSHD:n konfiguraatiotiedostoa, joka korvaa minionilla/minioneilla olevan tiedoston.
Halusin kokeilla jinja:lla lukujen generointia tässä tehtävässä. Olisi voitu toki käyttää ennalta määriteltyä porttia, mutta hauskempaa generoida jotain satunnaista. Soveltuuko tämä käyttökohteeseen, it's up to you.
Halusin kokeilla jinja:lla lukujen generointia tässä tehtävässä. Olisi voitu toki käyttää ennalta määriteltyä porttia, mutta hauskempaa generoida jotain satunnaista. Soveltuuko tämä käyttökohteeseen, it's up to you.
SSH-portti generoidaan väliltä 23-600. Käytetään seuraavaa sisältöä uuteen state-tiedostoon.
SSH-portti generoidaan väliltä 23-600. Käytetään seuraavaa sisältöä uuteen state-tiedostoon.
@ -428,22 +430,24 @@ check_sshd_config:
check_sshd_current_port:
check_sshd_current_port:
cmd.run:
cmd.run:
- name: 'echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"'
- name: 'echo "current SSH daemon port for $(hostname) (Salt ID: {{ grains['id'] }}) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"'
- require:
- require:
- file: check_sshd_config
- file: check_sshd_config
prevent_if_ssh_sessions_open:
prevent_if_ssh_sessions_open:
cmd.run:
cmd.run:
- names:
- names:
- 'SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi'
- 'SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: {{ grains['id'] }}): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi'
- name: ssh.service # Yes, this is the daemon process
- name: ssh.service # Yes, this is the daemon process
- watch:
- watch:
- cmd: ssh_port
- file: new_ssh_port
ssh_new_port_inform:
ssh_new_port_inform:
cmd.run:
cmd.run:
- name: 'echo "new SSH daemon port for $(hostname) is {{ supersecret_ssh_port }}"'
- name: 'echo "new SSH daemon port for $(hostname) (Salt ID: {{ grains['id'] }}) is {{ supersecret_ssh_port }}"'
- require:
- require:
- service: sshd_restart
- service: sshd_restart
- cmd: ssh_port
- file: new_ssh_port
```
```
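Review bot: The new prevent_if_ssh_sessions_open line still prints its message with `echo -e`, and the run output later in this patch shows the literal text "-e minion (Salt ID: orjakone): The following established SSH session were found:" in stdout, so the shell that runs the command does not treat -e as an option. Print the multi-line message with printf instead, and correct "session were found" to "sessions were found" while the line is being changed. `{{ grains['id'] }}` sits inside a single-quoted YAML scalar and only parses because Jinja is rendered before YAML; `{{ grains.id }}` avoids the nested quotes.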
@ -477,8 +481,8 @@ orjakone:
Function: pkg.installed
Function: pkg.installed
Result: True
Result: True
Comment: All specified packages are already installed
Comment: All specified packages are already installed
Started: 11:14:51.005448
Duration: 449.647 ms
Started: 14:26:13.249172
Duration: 416.921 ms
Changes:
Changes:
----------
----------
ID: check_sshd_config
ID: check_sshd_config
@ -486,38 +490,38 @@ orjakone:
Name: /etc/ssh/sshd_config
Name: /etc/ssh/sshd_config
Result: True
Result: True
Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
Started: 11:14:51.457698
Duration: 1.118 ms
Started: 14:26:13.668542
Duration: 1.195 ms
Changes:
Changes:
----------
----------
ID: check_sshd_current_port
ID: check_sshd_current_port
Function: cmd.run
Function: cmd.run
Name: echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"
Name: echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"
Result: True
Result: True
Comment: Command "echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run
Started: 11:14:51.459390
Duration: 4.195 ms
Comment: Command "echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run
Started: 14:26:13.671432
Duration: 4.479 ms
Changes:
Changes:
----------
----------
pid:
pid:
2817
2813
retcode:
retcode:
0
0
stderr:
stderr:
stdout:
stdout:
current SSH daemon port for minion is: Port 22
current SSH daemon port for minion (Salt ID: orjakone) is: Port 22
----------
----------
ID: prevent_if_ssh_sessions_open
ID: prevent_if_ssh_sessions_open
Function: cmd.run
Function: cmd.run
Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi
Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi
Result: True
Result: True
Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run
Started: 11:14:51.464445
Duration: 12.004 ms
Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run
Started: 14:26:13.676350
Duration: 13.544 ms
Changes:
Changes:
----------
----------
pid:
pid:
2820
2816
retcode:
retcode:
0
0
stderr:
stderr:
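Review bot: The check_sshd_current_port command passes the pattern to grep unquoted (`grep -E ^[#P]+ort /etc/ssh/sshd_config`), so the shell may glob-expand it, and the character class also matches a commented-out `#Port` line, which is not the port the daemon is using. Quote the pattern and match only active directives, or read the effective value from `sshd -T`, so the line labelled "current SSH daemon port" reports what sshd actually listens on.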
@ -528,40 +532,46 @@ orjakone:
Name: unset SSH_SESSIONS
Name: unset SSH_SESSIONS
Result: True
Result: True
Comment: Command "unset SSH_SESSIONS" run
Comment: Command "unset SSH_SESSIONS" run
Started: 11:14:51.476790
Duration: 3.682 ms
Started: 14:26:13.690114
Duration: 3.341 ms
Changes:
Changes:
----------
----------
pid:
pid:
2827
2823
retcode:
retcode:
0
0
stderr:
stderr:
stdout:
stdout:
----------
----------
ID: ssh_port
Function: cmd.run
Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config
ID: new_ssh_port
Function: file.replace
Name: /etc/ssh/sshd_config
Result: True
Result: True
Comment: Command "sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config" run
Started: 11:14:51.480849
Duration: 3.743 ms
Comment: Changes were made
Started: 14:26:13.693988
Duration: 4.119 ms
Changes:
Changes:
----------
----------
pid:
2828
retcode:
0
stderr:
stdout:
diff:
---
+++
@@ -10,7 +10,7 @@
# possible, but leave them commented. Uncommented options override the
# default value.
-Port 22
+Port 199
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
----------
----------
ID: sshd_restart
ID: sshd_restart
Function: service.running
Function: service.running
Name: ssh.service
Name: ssh.service
Result: True
Result: True
Comment: Service restarted
Comment: Service restarted
Started: 11:14:51.510980
Duration: 32.241 ms
Started: 14:26:13.724516
Duration: 31.875 ms
Changes:
Changes:
----------
----------
ssh.service:
ssh.service:
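Review bot: Between the new_ssh_port file.replace result and the sshd_restart result there is no validation of the edited /etc/ssh/sshd_config, so a bad substitution is only discovered when the restart fails and remote access is already gone. Add a state that runs `sshd -t` after the replace and make sshd_restart require it. The chosen value 199 is also a privileged port inside the documented 23-600 range, where it can collide with other assigned services; a range above 1024 that is checked against listening sockets would be safer.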
@ -569,20 +579,20 @@ orjakone:
----------
----------
ID: ssh_new_port_inform
ID: ssh_new_port_inform
Function: cmd.run
Function: cmd.run
Name: echo "new SSH daemon port for $(hostname) is 199"
Name: echo "new SSH daemon port for $(hostname) (Salt ID: orjakone) is 199"
Result: True
Result: True
Comment: Command "echo "new SSH daemon port for $(hostname) is 199"" run
Started: 11:14:51.543628
Duration: 4.88 ms
Comment: Command "echo "new SSH daemon port for $(hostname) (Salt ID: orjakone) is 199"" run
Started: 14:26:13.756793
Duration: 7.15 ms
Changes:
Changes:
----------
----------
pid:
pid:
2838
2832
retcode:
retcode:
0
0
stderr:
stderr:
stdout:
stdout:
new SSH daemon port for minion is 199
new SSH daemon port for minion (Salt ID: orjakone) is 199
Summary for orjakone
Summary for orjakone
------------
------------
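Review bot: The ssh_new_port_inform stdout ("new SSH daemon port for minion (Salt ID: orjakone) is 199") only echoes the rendered template value; it does not show that sshd is listening on that port. Report the port from the running system instead, for example from `ss -ltn` or `sshd -T`, so the message cannot disagree with the daemon's real state.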
@ -590,7 +600,7 @@ Succeeded: 8 (changed=6)
Failed: 0
Failed: 0
------------
------------
Total states run: 8
Total states run: 8
Total run time: 511.510 ms
Total run time: 482.624 ms
```
```
Näyttäisi siltä, että portti 199 on generoitu uudeksi SSH daemonin yhteysportiksi koneelle 'orjakone'. Varmistetaan tietojen oikeellisuus. Tämän voi tehdä etänä SSH-yhteyden avulla muultakin koneelta (testataan yhteyden toimivuus orjakoneen IP:een SSH clientilla porttia 199 käyttäen),
Näyttäisi siltä, että portti 199 on generoitu uudeksi SSH daemonin yhteysportiksi koneelle 'orjakone'. Varmistetaan tietojen oikeellisuus. Tämän voi tehdä etänä SSH-yhteyden avulla muultakin koneelta (testataan yhteyden toimivuus orjakoneen IP:een SSH clientilla porttia 199 käyttäen),
@ -617,8 +627,8 @@ orjakone:
Function: pkg.installed
Function: pkg.installed
Result: True
Result: True
Comment: All specified packages are already installed
Comment: All specified packages are already installed
Started: 11:10:01.571133
Duration: 480.26 ms
Started: 14:29:50.043605
Duration: 390.748 ms
Changes:
Changes:
----------
----------
ID: check_sshd_config
ID: check_sshd_config
@ -626,44 +636,44 @@ orjakone:
Name: /etc/ssh/sshd_config
Name: /etc/ssh/sshd_config
Result: True
Result: True
Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
Started: 11:10:02.053906
Duration: 1.192 ms
Started: 14:29:50.436782
Duration: 1.099 ms
Changes:
Changes:
----------
----------
ID: check_sshd_current_port
ID: check_sshd_current_port
Function: cmd.run
Function: cmd.run
Name: echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"
Name: echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"
Result: True
Result: True
Comment: Command "echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run
Started: 11:10:02.055645
Duration: 4.458 ms
Comment: Command "echo "current SSH daemon port for $(hostname) (Salt ID: orjakone) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run
Started: 14:29:50.438437
Duration: 3.965 ms
Changes:
Changes:
----------
----------
pid:
pid:
2783
2987
retcode:
retcode:
0
0
stderr:
stderr:
stdout:
stdout:
current SSH daemon port for minion is: Port 98
current SSH daemon port for minion (Salt ID: orjakone) is: Port 379
----------
----------
ID: prevent_if_ssh_sessions_open
ID: prevent_if_ssh_sessions_open
Function: cmd.run
Function: cmd.run
Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi
Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi
Result: False
Result: False
Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run
Started: 11:10:02.060527
Duration: 12.857 ms
Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname) (Salt ID: orjakone): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run
Started: 14:29:50.442778
Duration: 11.447 ms
Changes:
Changes:
----------
----------
pid:
pid:
2786
2990
retcode:
retcode:
1
1
stderr:
stderr:
stdout:
stdout:
-e minion: The following established SSH session were found:
tcp6 0 0 ::1:98 ::1:46718 ESTABLISHED 1945/sshd: fincer [
-e minion (Salt ID: orjakone): The following established SSH session were found:
tcp6 0 0 ::1:379 ::1:36896 ESTABLISHED 2869/sshd: fincer [
Not changing SSH daemon port.
Not changing SSH daemon port.
----------
----------
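Review bot: The open-session guard in prevent_if_ssh_sessions_open works by returning retcode 1 and `Result: False`, which marks this state and every dependent state as failed even though refusing to change the port is the intended outcome here. Moving the session test into an `unless` or `onlyif` condition on new_ssh_port would turn this case into a clean no-op and keep real failures distinguishable in the summary.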
@ -672,20 +682,20 @@ orjakone:
Name: unset SSH_SESSIONS
Name: unset SSH_SESSIONS
Result: True
Result: True
Comment: Command "unset SSH_SESSIONS" run
Comment: Command "unset SSH_SESSIONS" run
Started: 11:10:02.073603
Duration: 3.746 ms
Started: 14:29:50.454451
Duration: 3.132 ms
Changes:
Changes:
----------
----------
pid:
pid:
2794
2998
retcode:
retcode:
0
0
stderr:
stderr:
stdout:
stdout:
----------
----------
ID: ssh_port
Function: cmd.run
Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 428/" /etc/ssh/sshd_config
ID: new_ssh_port
Function: file.replace
Name: /etc/ssh/sshd_config
Result: False
Result: False
Comment: One or more requisite failed: ssh_random.prevent_if_ssh_sessions_open
Comment: One or more requisite failed: ssh_random.prevent_if_ssh_sessions_open
Changes:
Changes:
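Review bot: The `unset SSH_SESSIONS` entry at the top of this hunk runs as its own cmd.run with its own pid, so it executes in a different shell from the one that set the variable and has no effect. The variable is already gone when the previous command exits; the entry can be dropped from the names list.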
@ -694,14 +704,14 @@ orjakone:
Function: service.running
Function: service.running
Name: ssh.service
Name: ssh.service
Result: False
Result: False
Comment: One or more requisite failed: ssh_random.ssh_port
Comment: One or more requisite failed: ssh_random.new_ssh_port
Changes:
Changes:
----------
----------
ID: ssh_new_port_inform
ID: ssh_new_port_inform
Function: cmd.run
Function: cmd.run
Name: echo "new SSH daemon port for $(hostname) is 428"
Name: echo "new SSH daemon port for $(hostname) (Salt ID: orjakone) is 258"
Result: False
Result: False
Comment: One or more requisite failed: ssh_random.sshd_restart, ssh_random.ssh_port
Comment: One or more requisite failed: ssh_random.sshd_restart, ssh_random.new_ssh_port
**e)** Kokeile jonkun toisen opiskelijan tekemää Salt-tilaa. Kokeiltava tila voi olla mistä vain harjoituksesta. Opiskelijoiden raportteja ja koodeja löydät tämän sivun perästä kommenteista.
**e)** Kokeile jonkun toisen opiskelijan tekemää Salt-tilaa. Kokeiltava tila voi olla mistä vain harjoituksesta. Opiskelijoiden raportteja ja koodeja löydät tämän sivun perästä kommenteista.
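Review bot: In the ssh_new_port_inform Name line the rendered port is 258, while the same run reports the current port as 379, so each apply renders a fresh random port and the state never converges: every successful run moves sshd to a new port and restarts it. Take the port from pillar, or derive it deterministically from the minion ID, so that repeated runs leave an already configured minion unchanged.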