diff --git a/Scripts/Set-VMHostSecureNTP.ps1 b/Scripts/Set-VMHostSecureNTP.ps1 new file mode 100644 index 0000000..42e1885 --- /dev/null +++ b/Scripts/Set-VMHostSecureNTP.ps1 @@ -0,0 +1,225 @@ +function Set-VMHostSecureNTP { +<# + .NOTES + =========================================================================== + Created by: Markus Kraus + =========================================================================== + Changelog: + 2020.05 ver 1.0 Base Release + =========================================================================== + External Code Sources: + - + =========================================================================== + Tested Against Environment: + vSphere Version: vSphere 6.7 U3 + PowerCLI Version: PowerCLI 11.5 + PowerShell Version: 5.1 + OS Version: Windows 10 + Keyword: ESXi, NTP, Hardening, Security, Firewall + =========================================================================== + + .DESCRIPTION + This function sets new NTP Servers on given ESXi Hosts and configures the host firewall to only accept NTP connections from these servers. + + .Example + Get-VMHost | Set-VMHostSecureNTP -Secure + + .Example + Get-VMHost | Set-VMHostSecureNTP -Type SetSecure -NTP 10.100.1.1, 192.168.2.1 + + .PARAMETER VMHost + Specifies the hosts to configure + + .PARAMETER SetSecure + Execute Set and Secure operation for new NTP Servers + + .PARAMETER NTP + Specifies a Array of NTP Servers + + .PARAMETER Secure + Execute Secure operation for exitsting NTP Servers + +#Requires PS -Version 5.1 +#Requires -Modules VMware.VimAutomation.Core, @{ModuleName="VMware.VimAutomation.Core";ModuleVersion="11.5.0.0"} +#> + + [CmdletBinding()] + param( + [Parameter(Mandatory=$True, ValueFromPipeline=$True, Position=0, HelpMessage = "Specifies the hosts to configure.")] + [ValidateNotNullorEmpty()] + [VMware.VimAutomation.Types.VMHost[]] $VMHost, + [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Set and Secure operation for new NTP Servers")] + [Switch] $SetSecure, + [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Specifies a Array of NTP Servers")] + [ValidateNotNullorEmpty()] + [ipaddress[]] $NTP, + [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="Secure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] + [Switch] $Secure + + ) + + begin { + + function SetNTP ($MyHost) { + ## Get NTP Service + "Get NTP Service from VMHost ..." + $NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"} + ## Stop NTP Service if running + "Stop NTP Service if running ..." + if($NTPService.Running -eq $True){ + Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null + } + ## Enable NTP Service + "Enable NTP Service if disabled..." + if($NTPService.Policy -ne "on"){ + Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null + } + ## Remove all existing NTP Servers + "Remove all existing NTP Servers ..." + try { + $MyHost | Get-VMHostNtpServer | Foreach-Object { + Remove-VMHostNtpServer -VMHost $MyHost -NtpServer $_ -Confirm:$false + } + } + catch [System.Exception] { + Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'." + } + ## Set New NTP Servers + "Set New NTP Servers ..." + foreach ($myNTP in $NTP) { + $MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null + } + ## Set Current time on Host + "Set Current time on VMHost ..." + $HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem + $HostTimeSystem.UpdateDateTime([DateTime]::UtcNow) + ## Start NTP Service + "Start NTP Service ..." + Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null + ## Get New NTP Servers + "Get New NTP Servers ..." + $NewNTPServers = $MyHost | Get-VMHostNtpServer + "`tNew NTP Servers: $($NewNTPServers -join ", ")" + + } + + function SecureNTP ($MyHost) { + ## Get NTP Servers + "Get NTP Servers to Secure ..." + [Array]$CurrentNTPServers = $MyHost | Get-VMHostNtpServer + "`tNTP Servers: $($CurrentNTPServers -join ", ")" + ## Get ESXCLI -V2 + $esxcli = Get-ESXCLI -VMHost $MyHost -v2 + ## Get NTP Client Firewall + "Get NTP Client Firewall ..." + try { + $FirewallGet = $esxcli.network.firewall.get.Invoke() + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tLoded: $($FirewallGet.Loaded)" + "`tEnabled: $($FirewallGet.Enabled)" + "`tDefaultAction: $($FirewallGet.DefaultAction)" + ## Get NTP Client Firewall Rule + "Get NTP Client Firewall RuleSet ..." + $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tEnabled: $($FirewallRuleList.Enabled)" + ## Set NTP Client Firewall Rule + "Set NTP Client Firewall Rule ..." + $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() + $esxcliargs.enabled = "true" + $esxcliargs.allowedall = "false" + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Already use allowed ip list") { + Write-Warning "Error during Rule Set. See latest errors..." + + } + + } + "Get NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + ## Remove Existing IP from firewall rule + "Remove Existing IP from firewall rule ..." + if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { + foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + $esxcliargs.ipaddress = $IP + try { + $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + } + + } + ## Set NTP Client Firewall Rule AllowedIP + "Set NTP Client Firewall Rule AllowedIP ..." + foreach ($myNTP in $CurrentNTPServers) { + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() + $esxcliargs.ipaddress = $myNTP + $esxcliargs.rulesetid = "ntpClient" + try { + $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) + } + catch [System.Exception] { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -ne "Ip address already exist.") { + Write-Warning "Error during AllowedIP remove. See latest errors..." + } + } + } + ## Get New NTP Client Firewall Rule AllowedIP + "Get New NTP Client Firewall Rule AllowedIP ..." + $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() + $esxcliargs.rulesetid = "ntpClient" + try { + $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) + } + catch [System.Exception] { + Write-Warning "Error during Rule List. See latest errors..." + } + "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" + + + } + + } + + process { + + if ($SetSecure) { + "Execute Set and Secure operation for new NTP Servers ..." + $VMHost | Foreach-Object { Write-Output (SetNTP $_) } + $VMHost | Foreach-Object { Write-Output (SecureNTP $_) } + } + if ($Secure) { + "Execute Secure operation for exitsting NTP Servers ..." + $VMHost | Foreach-Object { Write-Output (SecureNTP $_) } + } + + } + +} \ No newline at end of file