Batch update software and security optimization (taking openssh as an example) -- the road of building a dream
2022-04-22 10:32:00 【The road of building dreams】
Batch-updating openssh with ansible
Environment:
Many machines, for example 500 hosts
All on one LAN, with network connectivity between them
One of them has ansible installed and can reach all the others
The same operating system version everywhere, here CentOS 7
1. Write the hosts file, for example for three hosts:
[test]
192.168.1.30 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
[dev]
192.168.1.60 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
[prod]
192.168.1.100 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
2. Distribute the offline upgrade package to every host
ansible all -i hosts -m copy -a "src=/root/openssh9.0p1.tar.gz dest=/root/"
3. Unpack it and remove the archive
ansible all -i hosts -m shell -a "tar -zxf /root/openssh9.0p1.tar.gz -C /root/ && rm -rf /root/openssh9.0p1.tar.gz"
4. Back up the existing configuration and the PAM file
ansible all -i hosts -m shell -a "cp -rp /etc/ssh /etc/ssh_backup_$(date +'%Y-%m-%d_%H%M%S')"
ansible all -i hosts -m shell -a "cp -rp /etc/pam.d/sshd /etc/pam.d/sshd_backup_$(date +'%Y-%m-%d_%H%M%S')"
5. Upgrade group by group rather than all hosts in one go, so that a mistake does not take every host down at once
ansible test -i hosts -m shell -a "cd /root/openssh9.0p1 && yum localinstall -y ./openssh*.rpm"
ansible test -i hosts -m shell -a "cat /root/openssh9.0p1/sshd > /etc/pam.d/sshd"
--- optional: key file permissions, login settings and the extra port
ansible test -i hosts -m shell -a "chmod 400 /etc/ssh/ssh_host_* && echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config && echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config"
ansible test -i hosts -m shell -a "sed -i 's/^#Port 22/Port 22/' /etc/ssh/sshd_config && sed -i '/^Port 22/a Port 18822' /etc/ssh/sshd_config"
---
ansible test -i hosts -m shell -a "systemctl restart sshd && systemctl enable sshd"
6. Verify the upgraded version and the new port
ansible all -i hosts -m shell -a "ssh -V"
ansible all -i hosts -m shell -a "rpm -qa | grep openssh"
ansible all -i hosts -m shell -a "ss -anlp | grep :18822"
Notes:
--- selinux is not taken into account here, so it is best to set selinux to disabled before starting
--- The firewall is not taken into account here, so it is best to stop and disable firewalld before starting
--- The upgrade uses the root account; other users are not considered and the commands need to be adapted to the actual situation
--- This is a batch-upgrade example for openssh using offline rpm packages; upgrades of other software have to be adapted to their own scenario.
Taking selinux and firewalld into account: hardening the ssh service
Note: in this case add port 18822 first, and close the default port 22 only after the test connection over the new port succeeds
# Add port
ansible all -i hosts -m shell -a "sed -i 's/^#Port 22/Port 22/' /etc/ssh/sshd_config"
ansible all -i hosts -m shell -a "sed -i '/^Port 22/a Port 18822' /etc/ssh/sshd_config"
# Check firewall status
ansible all -i hosts -m shell -a "systemctl status firewalld"
# Open ports
ansible all -i hosts -m shell -a "firewall-cmd --zone=public --add-port=18822/tcp --permanent && firewall-cmd --reload"
# Check that the port is open
ansible all -i hosts -m shell -a "firewall-cmd --zone=public --query-port=18822/tcp"
# Check the selinux state: Enforcing = on, Disabled = off, Permissive = off but warnings are logged
ansible all -i hosts -m shell -a "getenforce"
# Query the ssh ports known to the selinux policy
ansible all -i hosts -m shell -a "semanage port -l|grep ssh"
# Add the new ssh port to the policy
ansible all -i hosts -m shell -a "semanage port -a -t ssh_port_t -p tcp 18822"
# Query the ssh ports again
ansible all -i hosts -m shell -a "semanage port -l|grep ssh"
# restart ssh service
ansible all -i hosts -m shell -a "systemctl restart sshd"
# Check that the port is listening
ansible all -i hosts -m shell -a "ss -anlp | grep :18822"
# Test the connection; a shell script can be written here to test all hosts in batch
ssh -v -p 18822 root@ip
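As an added example (not from the original post), this is one way to write the batch test mentioned above: it reads the addresses out of the ansible inventory and asks sshd on each host for its host key over the new port with ssh-keyscan, which needs no credentials and therefore proves only that sshd is reachable through firewalld and selinux on that port. A non-zero exit means at least one host failed and port 22 should stay open. The inventory format and port 18822 are taken from the page; the sample inventory inside the script is constructed and has no passwords.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: probe every host in the ansible
# inventory on the new SSH port before port 22 is closed.
# Assumptions: INI inventory as on the page; ssh-keyscan (openssh-clients) is
# installed on the ansible node; the new port is 18822 unless given.

# Print the address (first field) of every host line, skipping [group]
# headers, blank lines and comments.
inventory_hosts() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*\[/d' "$1" | awk '{print $1}'
}

# ssh-keyscan completes the handshake far enough to fetch the host key, so a
# non-empty result proves sshd answers on that port. -T 5 bounds the wait.
# "|| true" keeps a refused connection from aborting a caller running set -e.
probe_host() {
    host=$1; port=$2
    key=$(ssh-keyscan -T 5 -p "$port" "$host" 2>/dev/null || true)
    [ -n "$key" ]
}

# Probe all hosts, print one line per host and return the number of failures
# (capped at 255), so the caller can refuse to close port 22 on any failure.
check_all() {
    inv=$1; port=$2; fail=0
    for h in $(inventory_hosts "$inv"); do
        if probe_host "$h" "$port"; then
            echo "OK   $h:$port"
        else
            echo "FAIL $h:$port"
            fail=$((fail + 1))
        fi
    done
    [ "$fail" -gt 255 ] && fail=255
    return "$fail"
}

# Constructed sample inventory (the three hosts from the page, without
# passwords) for trying the parser out.
sample_inventory() {
    cat > "$1" <<'EOF'
[test]
192.168.1.30 ansible_ssh_user=root ansible_ssh_port=22
[dev]
192.168.1.60 ansible_ssh_user=root ansible_ssh_port=22
[prod]
192.168.1.100 ansible_ssh_user=root ansible_ssh_port=22
EOF
}

# Usage: ./check_port.sh hosts 18822
if [ "$#" -ge 1 ]; then
    check_all "$1" "${2:-18822}"
fi
```

Run it as `./check_port.sh hosts 18822` and only continue with closing port 22 when it exits 0. A reachable port is not yet a working login, so the page's `ssh -v -p 18822 root@ip` check is still worth doing on at least one host per group.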
# Close 22
ansible all -i hosts -m shell -a "sed -i 's/^Port 22/#&/' /etc/ssh/sshd_config"
or
ansible all -i hosts -m shell -a "sed -i 's/^Port 22/#Port 22/' /etc/ssh/sshd_config"
ansible all -i hosts -m shell -a "systemctl restart sshd"
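The port edits in step 5 above and in this section are done with one-shot sed commands; running them twice appends a second `Port 18822` line, and restarting sshd on a config it cannot parse locks every host out. As an added example (not the post's own code), the script below does the same edits idempotently and runs `sshd -t` before restarting. The config path, port numbers and the use of `sshd -t` and `systemctl restart sshd` are from the page or standard openssh; the script name and its `add`/`close22`/`show` sub-commands are my own, and it assumes it is pushed to and run as root on each host, for example with ansible's `script` module.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: idempotent sshd_config port edits,
# validated with `sshd -t` before sshd is restarted.
# Assumptions: run as root on each host; config at /etc/ssh/sshd_config unless
# SSHD_CONFIG is set; GNU sed as on CentOS 7.

# Make sure an uncommented "Port N" line exists; rerunning is a no-op.
ensure_port() {
    cfg=$1; port=$2
    grep -Eq "^Port[[:space:]]+${port}[[:space:]]*\$" "$cfg" && return 0
    # Insert after the last "Port"/"#Port" line so all Port lines stay
    # together; "#GatewayPorts" never matches because the anchor is ^#?Port.
    n=$(grep -nE '^#?Port[[:space:]]' "$cfg" | tail -n 1 | cut -d: -f1)
    if [ -n "$n" ]; then
        sed -i "${n}a Port ${port}" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Comment out "Port N" (only that exact port; "Port 18822" is left alone
# when N is 22).
disable_port() {
    cfg=$1; port=$2
    sed -i -E "s/^(Port[[:space:]]+${port})[[:space:]]*\$/#\1/" "$cfg"
}

# Print the ports sshd will listen on according to the file, space separated.
config_ports() {
    awk '/^Port[[:space:]]+[0-9]+/ { p = p (p == "" ? "" : " ") $2 } END { print p }' "$1"
}

# sshd -t parses the file and exits non-zero on any error; never restart on a
# config sshd cannot load, or the new daemon fails and the old one is gone.
apply() {
    if /usr/sbin/sshd -t -f "$1"; then
        systemctl restart sshd
    else
        echo "sshd_config rejected by sshd -t; not restarting" >&2
        return 1
    fi
}

CFG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
# Usage: sshd_port.sh add [port]   -> keep 22 and add the new port
#        sshd_port.sh close22      -> comment out port 22
#        sshd_port.sh show         -> list configured ports
case "${1:-}" in
    add)     ensure_port "$CFG" 22; ensure_port "$CFG" "${2:-18822}"; apply "$CFG" ;;
    close22) disable_port "$CFG" 22; apply "$CFG" ;;
    show)    config_ports "$CFG" ;;
esac
```

With ansible this replaces the sed one-liners: `ansible test -i hosts -m script -a "sshd_port.sh add 18822"`, later `ansible test -i hosts -m script -a "sshd_port.sh close22"`. Because `ensure_port` keeps `Port 22` until `close22` is run, a host whose new port is blocked by firewalld or selinux stays reachable on 22.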
Related offline packages and files: openssh9.0p1.tar.gz - system security documents - CSDN download
Copyright notice
This article was written by [The road of building dreams]; when reposting, include the original link. Thanks
https://yzsam.com/2022/04/202204221025021859.html