Exercise 3: More informative output for 'prevent SSH port change'

master
Pekka Helenius 6 years ago
committed by GitHub
parent
commit
72f6d2a13a
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 116 additions and 38 deletions
h3.md

@ -426,11 +426,20 @@ check_sshd_config:
- require:
- pkg: check_sshd_install
check_sshd_current_port:
cmd.run:
- name: 'echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"'
- require:
- file: check_sshd_config
prevent_if_ssh_sessions_open:
cmd.run:
- name: 'if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi'
- names:
- 'SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi'
- unset SSH_SESSIONS
- require:
- file: check_sshd_config
- cmd: check_sshd_current_port
ssh_port:
cmd.run:
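Review bot: the `unset SSH_SESSIONS` entry under `names` is a no-op and should be dropped. Every entry in `names` becomes its own `cmd.run` state run in a fresh shell process (the applied output below shows separate pids, 2820 and 2827, for the two halves), so the variable never exists in the shell that runs `unset`; the only effect is an extra state in the summary (6 to 8 states). If cleanup is wanted, append `; unset SSH_SESSIONS` to the single command string instead. Also fix the user-facing message, 'SSH session were found' should be 'SSH sessions were found'. Finally, the `-gt 1` threshold on `wc -w` only works because one netstat line already contains more than one word; a short comment explaining that, or testing `[ -n "$SSH_SESSIONS" ]`, would make the intent clearer.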
@ -468,8 +477,8 @@ orjakone:
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 00:41:53.684126
Duration: 438.565 ms
Started: 11:14:51.005448
Duration: 449.647 ms
Changes:
----------
ID: check_sshd_config
@ -477,21 +486,54 @@ orjakone:
Name: /etc/ssh/sshd_config
Result: True
Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
Started: 00:41:54.125139
Duration: 1.176 ms
Started: 11:14:51.457698
Duration: 1.118 ms
Changes:
----------
ID: check_sshd_current_port
Function: cmd.run
Name: echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"
Result: True
Comment: Command "echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run
Started: 11:14:51.459390
Duration: 4.195 ms
Changes:
----------
pid:
2817
retcode:
0
stderr:
stdout:
current SSH daemon port for minion is: Port 22
----------
ID: prevent_if_ssh_sessions_open
Function: cmd.run
Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi
Result: True
Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run
Started: 11:14:51.464445
Duration: 12.004 ms
Changes:
----------
pid:
2820
retcode:
0
stderr:
stdout:
----------
ID: prevent_if_ssh_sessions_open
Function: cmd.run
Name: if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi
Name: unset SSH_SESSIONS
Result: True
Comment: Command "if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi" run
Started: 00:41:54.126854
Duration: 10.249 ms
Comment: Command "unset SSH_SESSIONS" run
Started: 11:14:51.476790
Duration: 3.682 ms
Changes:
----------
pid:
4907
2827
retcode:
0
stderr:
@ -502,12 +544,12 @@ orjakone:
Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config
Result: True
Comment: Command "sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 199/" /etc/ssh/sshd_config" run
Started: 00:41:54.137472
Duration: 3.691 ms
Started: 11:14:51.480849
Duration: 3.743 ms
Changes:
----------
pid:
4912
2828
retcode:
0
stderr:
@ -518,8 +560,8 @@ orjakone:
Name: ssh.service
Result: True
Comment: Service restarted
Started: 00:41:54.159948
Duration: 23.825 ms
Started: 11:14:51.510980
Duration: 32.241 ms
Changes:
----------
ssh.service:
@ -530,12 +572,12 @@ orjakone:
Name: echo "new SSH daemon port for $(hostname) is 199"
Result: True
Comment: Command "echo "new SSH daemon port for $(hostname) is 199"" run
Started: 00:41:54.184166
Duration: 3.476 ms
Started: 11:14:51.543628
Duration: 4.88 ms
Changes:
----------
pid:
4922
2838
retcode:
0
stderr:
@ -544,11 +586,11 @@ orjakone:
Summary for orjakone
------------
Succeeded: 6 (changed=4)
Succeeded: 8 (changed=6)
Failed: 0
------------
Total states run: 6
Total run time: 480.982 ms
Total states run: 8
Total run time: 511.510 ms
```
Näyttäisi siltä, että portti 199 on generoitu uudeksi SSH daemonin yhteysportiksi koneelle 'orjakone'. Varmistetaan tietojen oikeellisuus. Tämän voi tehdä etänä SSH-yhteyden avulla muultakin koneelta (testataan yhteyden toimivuus orjakoneen IP:een SSH clientilla porttia 199 käyttäen),
@ -575,8 +617,8 @@ orjakone:
Function: pkg.installed
Result: True
Comment: All specified packages are already installed
Started: 00:37:52.470756
Duration: 425.447 ms
Started: 11:10:01.571133
Duration: 480.26 ms
Changes:
----------
ID: check_sshd_config
@ -584,29 +626,66 @@ orjakone:
Name: /etc/ssh/sshd_config
Result: True
Comment: File /etc/ssh/sshd_config exists with proper permissions. No changes made.
Started: 00:37:52.898531
Duration: 1.179 ms
Started: 11:10:02.053906
Duration: 1.192 ms
Changes:
----------
ID: check_sshd_current_port
Function: cmd.run
Name: echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"
Result: True
Comment: Command "echo "current SSH daemon port for $(hostname) is: $(grep -E ^[#P]+ort /etc/ssh/sshd_config)"" run
Started: 11:10:02.055645
Duration: 4.458 ms
Changes:
----------
pid:
2783
retcode:
0
stderr:
stdout:
current SSH daemon port for minion is: Port 98
----------
ID: prevent_if_ssh_sessions_open
Function: cmd.run
Name: if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi
Name: SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi
Result: False
Comment: Command "if [ $(/bin/netstat -tnpa | grep "ESTABLISHED.*sshd" | wc -l) -gt 0 ]; then false; fi" run
Started: 00:37:52.900237
Duration: 10.394 ms
Comment: Command "SSH_SESSIONS=$(/bin/netstat -ntpa | grep "ESTABLISHED.*sshd"); if [ $(echo $SSH_SESSIONS | wc -w) -gt 1 ]; then echo -e "$(hostname): The following established SSH session were found:\n$SSH_SESSIONS\n\nNot changing SSH daemon port." && false; fi" run
Started: 11:10:02.060527
Duration: 12.857 ms
Changes:
----------
pid:
4815
2786
retcode:
1
stderr:
stdout:
-e minion: The following established SSH session were found:
tcp6 0 0 ::1:98 ::1:46718 ESTABLISHED 1945/sshd: fincer [
Not changing SSH daemon port.
----------
ID: prevent_if_ssh_sessions_open
Function: cmd.run
Name: unset SSH_SESSIONS
Result: True
Comment: Command "unset SSH_SESSIONS" run
Started: 11:10:02.073603
Duration: 3.746 ms
Changes:
----------
pid:
2794
retcode:
0
stderr:
stdout:
----------
ID: ssh_port
Function: cmd.run
Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 305/" /etc/ssh/sshd_config
Name: sed -i -r "s/^[#P]+ort [0-9][0-9]*/Port 428/" /etc/ssh/sshd_config
Result: False
Comment: One or more requisite failed: ssh_random.prevent_if_ssh_sessions_open
Changes:
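Review bot: the leading `-e` in the captured stdout (`-e minion: The following established SSH session were found:`) shows the command runs under a shell whose `echo` builtin does not accept `-e` (POSIX `/bin/sh`), which also means the `\n` escapes in the message are not interpreted reliably. Replace `echo -e "..."` with `printf '%s\n' "..."` or set `shell: /bin/bash` on the `cmd.run` state. The `Result: False` with `retcode: 1` on `prevent_if_ssh_sessions_open` is the intended outcome of the `&& false`, and the requisite chain correctly blocks `ssh_port` and the states after it.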
@ -620,22 +699,21 @@ orjakone:
----------
ID: ssh_new_port_inform
Function: cmd.run
Name: echo "new SSH daemon port for $(hostname) is 305"
Name: echo "new SSH daemon port for $(hostname) is 428"
Result: False
Comment: One or more requisite failed: ssh_random.ssh_port, ssh_random.sshd_restart
Comment: One or more requisite failed: ssh_random.sshd_restart, ssh_random.ssh_port
Changes:
Summary for orjakone
------------
Succeeded: 2 (changed=1)
Succeeded: 4 (changed=3)
Failed: 4
------------
Total states run: 6
Total run time: 437.020 ms
ERROR: Minions returned with non-zero exit code
Total states run: 8
Total run time: 502.513 ms
```
![prevent-ssh-portchange](https://raw.githubusercontent.com/Fincer-altego/central-management-of-multiple-servers/master/images/ssh_prevent_portchange.png)
![prevent-ssh-portchange_](https://raw.githubusercontent.com/Fincer-altego/central-management-of-multiple-servers/master/images/ssh_prevent_portchange_.png)
**e)** Kokeile jonkun toisen opiskelijan tekemää Salt-tilaa. Kokeiltava tila voi olla mistä vain harjoituksesta. Opiskelijoiden raportteja ja koodeja löydät tämän sivun perästä kommenteista.
--------------

