From 3a91b48f15a6b8c917ae303f0db90ec6f1d2f460 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Thu, 28 May 2020 20:45:46 +0200 Subject: [PATCH] Add Secure Operation --- Scripts/Set-VMHostSecureNTP.ps1 | 103 +++++++++++++++++++++++++++++++- 1 file changed, 102 insertions(+), 1 deletion(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index 69d420c..9fa4f44 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -9,7 +9,7 @@ function Set-VMHostSecureNTP { [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Array of NTP Serbers")] [ValidateNotNullorEmpty()] [Array] $NTP, - [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] + [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="Secure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] [Switch] $Secure ) @@ -152,6 +152,107 @@ function Set-VMHostSecureNTP { "`tNew NTP Servers: $($NewNTPServers -join ", ")" } + + function Secure ($myhost) { + ## Get NTP Servers + "Get NTP Servers ..." + [Array]$CurrentNTPServers = $MyHost | Get-VMHostNtpServer + "`tNTP Servers: $($NewNTPServers -join ", ")" + ## Get NTP Client Firewall + "Get NTP Client Firewall ..." + try { + $FirewallGet = $esxcli.network.firewall.get.Invoke() + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tLoded: $($FirewallGet.Loaded)" + "`tEnabled: $($FirewallGet.Enabled)" + "`tDefaultAction: $($FirewallGet.DefaultAction)" + ## Get NTP Client Firewall Rule + "Get NTP Client Firewall RuleSet ..." + $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tEnabled: $($FirewallRuleList.Enabled)" + ## Set NTP Client Firewall Rule + "Set NTP Client Firewall Rule ..." + $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() + $esxcliargs.enabled = "true" + $esxcliargs.allowedall = "false" + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Already use allowed ip list") { + Write-Warning "Error during Rule Set. See latest errors..." + + } + + } + "Get NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + ## Remove Existing IP from firewall rule + "Remove Existing IP from firewall rule ..." + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { + foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + $esxcliargs.ipaddress = $IP + try { + $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + } + + } + ## Set NTP Client Firewall Rule AllowedIP + "Set NTP Client Firewall Rule AllowedIP ..." + foreach ($myNTP in $CurrentNTPServers) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() + $esxcliargs.ipaddress = $myNTP + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Ip address already exist.") { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + } + } + ## Get New NTP Client Firewall Rule AllowedIP + "Get New NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + + + } }