Bulk-updating OpenSSH with Ansible

Environment:
Many machines, for example 500 of them
All on the same LAN, with network connectivity between them
Ansible installed on one of them, which can connect to all the others
The same OS version everywhere; here they are all CentOS 7

1. Write the hosts file; three machines as an example:
[test]
192.168.1.30 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
[dev]
192.168.1.60 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
[prod]
192.168.1.100 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22

2. Distribute the offline upgrade package to every host:
ansible all -i hosts -m copy -a "src=/root/openssh9.0p1.tar.gz dest=/root/"

3. Extract the package and clean up:
ansible all -i hosts -m shell -a "tar -zxf /root/openssh9.0p1.tar.gz -C /root/ && rm -rf /root/openssh9.0p1.tar.gz"

4. Back up the existing configuration and the PAM file:
ansible all -i hosts -m shell -a "cp -rp /etc/ssh /etc/ssh_backup_$(date +'%Y-%m-%d_%H%M%S')"
ansible all -i hosts -m shell -a "cp -rp /etc/pam.d/sshd /etc/pam.d/sshd_backup_$(date +'%Y-%m-%d_%H%M%S')"

5. Run the upgrade group by group, to avoid the mistakes that come with doing everything in one go:
ansible test -i hosts -m shell -a "cd /root/openssh9.0p1 && yum localinstall -y ./openssh*.rpm"
ansible test -i hosts -m shell -a "cat /root/openssh9.0p1/sshd > /etc/pam.d/sshd"
--- a side note
ansible test -i hosts -m shell -a "chmod 400 /etc/ssh/ssh_host_* && echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config && echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config"
ansible test -i hosts -m shell -a "sed -i 's/^#Port 22/Port 22/' /etc/ssh/sshd_config && sed -i '/^Port 22/a Port 18822' /etc/ssh/sshd_config"
(the sed patterns are anchored to the Port 22 line so that lines such as GatewayPorts are not matched)
---
ansible test -i hosts -m shell -a "systemctl restart sshd && systemctl enable sshd"

6. Verify the version after the upgrade:
ansible all -i hosts -m shell -a "ssh -V"
ansible all -i hosts -m shell -a "rpm -qa | grep openssh"
ansible all -i hosts -m shell -a "ss -anlp | grep :18822"
ansible all -i hosts -m shell -a "systemctl status sshd | grep running | grep -v grep"

Notes:
--- SELinux is not taken into account here, so it is best to set SELinux to disabled before doing this.
--- The firewall is not taken into account here, so it is best to stop and disable firewalld before doing this.
--- The upgrade is done with the root account; other users are not considered and you need to adapt this to your situation.
--- A bulk OpenSSH upgrade with offline RPM packages is used as the example; upgrading other software has to be adapted to the actual scenario and circumstances.
Taking SELinux and firewalld into account: hardening the ssh service

Note: in this case you first add a second port, 18822, and only close the default port 22 after testing that connections on the new port work.

# Add the port
ansible all -i hosts -m shell -a "sed -i 's/#Port 22/Port 22/g' /etc/ssh/sshd_config"
ansible all -i hosts -m shell -a "sed -i '/Port 22/a Port 18822' /etc/ssh/sshd_config"
# Check the firewall state
ansible all -i hosts -m shell -a "systemctl status firewalld"
# Open the port
ansible all -i hosts -m shell -a "firewall-cmd --zone=public --add-port=18822/tcp --permanent && firewall-cmd --reload"
# Query it
ansible all -i hosts -m shell -a "firewall-cmd --zone=public --query-port=18822/tcp"
# Check the SELinux state: Enforcing = on, Disabled = off, Permissive = not enforced but warnings are logged
ansible all -i hosts -m shell -a "getenforce"
# Query the ssh ports
ansible all -i hosts -m shell -a "semanage port -l | grep ssh"
# Allow the new ssh port
ansible all -i hosts -m shell -a "semanage port -a -t ssh_port_t -p tcp 18822"
# Query the ssh ports again
ansible all -i hosts -m shell -a "semanage port -l | grep ssh"
# Restart the ssh service
ansible all -i hosts -m shell -a "systemctl restart sshd"
# Check the listening port
ansible all -i hosts -m shell -a "ss -anlp | grep :18822"
# Test the connection; you can write a shell script to check all hosts in bulk
ssh -v -p 18822 root@ip
# Close port 22
ansible all -i hosts -m shell -a "sed -i 's/^Port 22/#&/' /etc/ssh/sshd_config"
or
ansible all -i hosts -m shell -a "sed -i 's/Port 22/#Port 22/g' /etc/ssh/sshd_config"
ansible all -i hosts -m shell -a "systemctl restart sshd"
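The bulk connection test mentioned above, written out as a script that runs on the Ansible control node. This is an added example rather than the post's own code: it assumes the INI inventory layout from step 1 and that ssh-keyscan is installed locally, and it only checks that each host presents an SSH host key on the new port instead of logging in.

```shell
#!/bin/sh
# Added example, not part of the original post: probe every inventory host
# on the new sshd port from the Ansible control node before port 22 is
# closed. Assumes the INI inventory layout from step 1 and that ssh-keyscan
# (shipped with the OpenSSH client package) is installed locally.

NEW_PORT=18822

# Print the address of every host in an Ansible INI inventory, one per
# line, skipping [group] headers, comments and blank lines.
inventory_hosts() {
    grep -Ev '^[[:space:]]*(\[|#|$)' "$1" | awk '{print $1}'
}

# Succeed only if the host presents an SSH host key on the given port.
# ssh-keyscan needs no credentials, so it never prompts for a password;
# -T is the per-host timeout in seconds.
probe_ssh_port() {
    [ -n "$(ssh-keyscan -T 5 -p "$2" "$1" 2>/dev/null)" ]
}

# Probe every inventory host, print PASS/FAIL per host, and fail (non-zero
# exit) if any host does not answer, so the "close port 22" step is blocked.
check_all() {
    fails=0
    for h in $(inventory_hosts "$1"); do
        if probe_ssh_port "$h" "$NEW_PORT"; then
            echo "PASS $h:$NEW_PORT"
        else
            echo "FAIL $h:$NEW_PORT"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample inventory in the layout used in step 1.
SAMPLE_INVENTORY=$(mktemp)
cat > "$SAMPLE_INVENTORY" <<'EOF'
[test]
192.168.1.30 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
[dev]
192.168.1.60 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
[prod]
192.168.1.100 ansible_ssh_user=root ansible_ssh_password=root ansible_ssh_port=22
EOF

# Usage: sh check_port.sh hosts   (probes the real inventory passed as $1)
if [ -n "${1:-}" ]; then check_all "$1"; fi
```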
Related offline package and files: openssh9.0p1.tar.gz - system security document resources - CSDN download