From 9a7dc6dd592728933ea403023a2620cbca3a6002 Mon Sep 17 00:00:00 2001 From: Markus Kraus Date: Tue, 26 May 2020 22:37:26 +0200 Subject: [PATCH] Added Error Handling and Pre-Checks --- Scripts/Set-VMHostSecureNTP.ps1 | 84 ++++++++++++++++++++++++++++----- 1 file changed, 71 insertions(+), 13 deletions(-) diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 index e862fe1..1148bb1 100644 --- a/Scripts/Set-VMHostSecureNTP.ps1 +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -15,17 +15,21 @@ function Set-VMHostSecureNTP { begin { function SetSecure ($MyHost) { - ## Get NTP Service + ## Get NTP Service + "Get NTP Service from VMHost ..." $NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"} - ## Stop NTP Service if running + ## Stop NTP Service if running + "Stop NTP Service if running ..." if($NTPService.Running -eq $True){ Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null } ## Enable NTP Service + "Enable NTP Service if disabled..." if($NTPService.Policy -ne "on"){ Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null } ## Remove all existiing NTP Servers + "Remove all existiing NTP Servers ..." try { foreach ($OldNtpServer in ($MyHost | Get-VMHostNtpServer)) { $MyHost | Remove-VMHostNtpServer -NtpServer $OldNtpServer -Confirm:$false 
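Review bot: The progress strings added here (`"Get NTP Service from VMHost ..."`, `"Stop NTP Service if running ..."`, `"Enable NTP Service if disabled..."`, `"Remove all existiing NTP Servers ..."`) are bare expressions, so PowerShell emits them on the success output stream of SetSecure and therefore of Set-VMHostSecureNTP; any caller that captures or pipes the function's output receives these status lines mixed in with whatever else the function returns. If they are operator feedback, write them as `Write-Verbose "Get NTP Service from VMHost ..."` (visible with -Verbose) or `Write-Host`, so the output stream stays clean for callers. Unrelated to this commit but visible in the context lines, "existiing" is a typo carried into the new status string as well. SetSecure continues past the end of this hunk.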
@@ -35,36 +39,90 @@ function Set-VMHostSecureNTP { Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'." } ## Set New NTP Servers + "Set New NTP Servers ..." foreach ($myNTP in $NTP) { $MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null } ## Set Current time on Host + "Set Current time on VMHost ..." $HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem $HostTimeSystem.UpdateDateTime([DateTime]::UtcNow) ## Start NTP Service + "Start NTP Service ..." Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null - ## Get NTP CLient Forewall Rule + ## Get ESXCLI -V2 $esxcli = Get-ESXCLI -VMHost $MyHost -v2 - $esxcliargs = $esxcli.network.firewall.ruleset.rule.list.CreateArgs() - $esxcliargs.rulesetid = "ntpClient" + ## Get NTP Client Firewall + "Get NTP Client Firewall ..." try { - $esxcli.network.firewall.ruleset.rule.list.Invoke($esxcliargs) + $FirewallGet = $esxcli.network.firewall.get.Invoke() } catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } - ## Set NTP Client Firewall Rule - $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() - $esxcliargs.enabled = "true" - $esxcliargs.allowedall = "false" + "`tLoded: $($FirewallGet.Loaded)" + "`tEnabled: $($FirewallGet.Enabled)" + "`tDefaultAction: $($FirewallGet.DefaultAction)" + ## Get NTP Client Firewall Rule + "Get NTP Client Firewall RuleSet ..." + $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" try { - $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) } catch [System.Exception] { - Write-Warning "Error during Rule Set. See latest errors..." + Write-Warning "Error during Rule List. See latest errors..." } + "`tEnabled: $($FirewallRuleList.Enabled)" + "Get NTP Client Firewall Rule AllowedIP ..." 
+ $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses)" + ## Remove Existing IP from firewall rule + ## BUG: If AllowedIP was enabled and is disabled now, old IPs will not be removed + "Remove Existing IP from firewall rule ..." + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { + foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + $esxcliargs.ipaddress = $IP + try { + $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + + } + + } + ## Set NTP Client Firewall Rule + "Set NTP Client Firewall Rule ..." + if ($FirewallRuleList.Enabled -ne $True -or $FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") { + $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() + if ($FirewallRuleList.Enabled -ne $True) { + $esxcliargs.enabled = "true" + } + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") { + $esxcliargs.allowedall = "false" + } + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule Set. See latest errors..." + } + } ## Set NTP Client Firewall Rule AllowedIP + ## BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added + "Set NTP Client Firewall Rule AllowedIP ..." foreach ($myNTP in $NTP) { $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $esxcliargs.ipaddress = $myNTP 
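Review bot: The firewall restriction in this hunk is never verified: `allowedip.remove`, `ruleset.set` (with `allowedall = "false"`) and the `allowedip.add` loop each only Write-Warning on failure and execution continues, so a host on which `ruleset.set` fails is left with ntpd started and the ntpClient ruleset still open to all addresses while the function returns as if it had succeeded. Re-read `allowedip.list` once the add loop has finished and raise an error when the result still contains "All" or differs from $NTP; the add loop closes outside this hunk, so the check belongs after its closing brace. The two `## BUG` comments describe a state this commit leaves unhandled — when the ruleset was allow-all, previously stored addresses are not listed and so are neither removed nor re-addable without a duplicate error — presumably because `allowedip.list` reports "All" instead of the stored entries; re-querying `allowedip.list` after the `ruleset.set` call (i.e. running the remove loop below it) would likely address both. Minor: the output label `Loded:` is a typo for `Loaded:`.
```powershell
## … unchanged: firewall get / ruleset list / allowedip remove / ruleset set / allowedip add loop (closes outside this hunk) …
## Verify the ruleset is now restricted to exactly the requested NTP servers; warn-and-continue above must not be mistaken for success
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs()
$esxcliargs.rulesetid = "ntpClient"
$Verify = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs)
if (($Verify.AllowedIPAddresses -contains "All") -or (Compare-Object -ReferenceObject @($NTP) -DifferenceObject @($Verify.AllowedIPAddresses))) {
    Write-Error "ntpClient firewall ruleset on Host '$($MyHost.Name)' is not restricted to the configured NTP servers (current: $($Verify.AllowedIPAddresses -join ', '))."
}
```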
@@ -73,7 +131,7 @@ function Set-VMHostSecureNTP { $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) } catch [System.Exception] { - Write-Warning "Error during Rule Update. See latest errors..." + Write-Warning "Error during Rule AllowedIP Update. See latest errors..." } } }