Set-VMHostSecureNTP.psm1
function Set-VMHostSecureNTP { <# .NOTES =========================================================================== Created by: Markus Kraus =========================================================================== Changelog: 2020.05 ver 1.0 Base Release =========================================================================== External Code Sources: - =========================================================================== Tested Against Environment: vSphere Version: vSphere 6.7 U3 PowerCLI Version: PowerCLI 11.5 PowerShell Version: 5.1 OS Version: Windows 10 Keyword: ESXi, NTP, Hardening, Security, Firewall =========================================================================== .DESCRIPTION This function sets new NTP Servers on given ESXi Hosts and configures the host firewall to only accept NTP connections from these servers. .Example Get-VMHost | Set-VMHostSecureNTP -Secure .Example Get-VMHost | Set-VMHostSecureNTP -Type SetSecure -NTP 10.100.1.1, 192.168.2.1 .PARAMETER VMHost Specifies the hosts to configure .PARAMETER SetSecure Execute Set and Secure operation for new NTP Servers .PARAMETER NTP Specifies a Array of NTP Servers .PARAMETER Secure Execute Secure operation for exitsting NTP Servers #Requires PS -Version 5.1 #Requires -Modules VMware.VimAutomation.Core, @{ModuleName="VMware.VimAutomation.Core";ModuleVersion="11.5.0.0"} #> [CmdletBinding()] param( [Parameter(Mandatory=$True, ValueFromPipeline=$True, Position=0, HelpMessage = "Specifies the hosts to configure.")] [ValidateNotNullorEmpty()] [VMware.VimAutomation.Types.VMHost[]] $VMHost, [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Set and Secure operation for new NTP Servers")] [Switch] $SetSecure, [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Specifies a Array of NTP Servers")] [ValidateNotNullorEmpty()] [ipaddress[]] $NTP, [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="Secure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")] [Switch] $Secure ) begin { function SetNTP ($MyHost) { ## Get NTP Service "Get NTP Service from VMHost ..." $NTPService = $MyHost | Get-VMHostService | Where-Object {$_.key -eq "ntpd"} ## Stop NTP Service if running "Stop NTP Service if running ..." if($NTPService.Running -eq $True){ Stop-VMHostService -HostService $NTPService -Confirm:$false | Out-Null } ## Enable NTP Service "Enable NTP Service if disabled..." if($NTPService.Policy -ne "on"){ Set-VMHostService -HostService $NTPService -Policy "on" -confirm:$False | Out-Null } ## Remove all existing NTP Servers "Remove all existing NTP Servers ..." try { $MyHost | Get-VMHostNtpServer | Foreach-Object { Remove-VMHostNtpServer -VMHost $MyHost -NtpServer $_ -Confirm:$false } } catch [System.Exception] { Write-Warning "Error during removing existing NTP Servers on Host '$($MyHost.Name)'." } ## Set New NTP Servers "Set New NTP Servers ..." foreach ($myNTP in $NTP) { $MyHost | Add-VMHostNtpServer -ntpserver $myNTP -confirm:$False | Out-Null } ## Set Current time on Host "Set Current time on VMHost ..." $HostTimeSystem = Get-View $MyHost.ExtensionData.ConfigManager.DateTimeSystem $HostTimeSystem.UpdateDateTime([DateTime]::UtcNow) ## Start NTP Service "Start NTP Service ..." Start-VMHostService -HostService $NTPService -confirm:$False | Out-Null ## Get New NTP Servers "Get New NTP Servers ..." $NewNTPServers = $MyHost | Get-VMHostNtpServer "`tNew NTP Servers: $($NewNTPServers -join ", ")" } function SecureNTP ($MyHost) { ## Get NTP Servers "Get NTP Servers to Secure ..." [Array]$CurrentNTPServers = $MyHost | Get-VMHostNtpServer "`tNTP Servers: $($CurrentNTPServers -join ", ")" ## Get ESXCLI -V2 $esxcli = Get-ESXCLI -VMHost $MyHost -v2 ## Get NTP Client Firewall "Get NTP Client Firewall ..." try { $FirewallGet = $esxcli.network.firewall.get.Invoke() } catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } "`tLoded: $($FirewallGet.Loaded)" "`tEnabled: $($FirewallGet.Enabled)" "`tDefaultAction: $($FirewallGet.DefaultAction)" ## Get NTP Client Firewall Rule "Get NTP Client Firewall RuleSet ..." $esxcliargs = $esxcli.network.firewall.ruleset.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" try { $FirewallRuleList = $esxcli.network.firewall.ruleset.list.Invoke($esxcliargs) } catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } "`tEnabled: $($FirewallRuleList.Enabled)" ## Set NTP Client Firewall Rule "Set NTP Client Firewall Rule ..." $esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs() $esxcliargs.enabled = "true" $esxcliargs.allowedall = "false" $esxcliargs.rulesetid = "ntpClient" try { $esxcli.network.firewall.ruleset.set.Invoke($esxcliargs) } catch [System.Exception] { $ErrorMessage = $_.Exception.Message if ($ErrorMessage -ne "Already use allowed ip list") { Write-Warning "Error during Rule Set. See latest errors..." } } "Get NTP Client Firewall Rule AllowedIP ..." $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" try { $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) } catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" ## Remove Existing IP from firewall rule "Remove Existing IP from firewall rule ..." if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs() $esxcliargs.rulesetid = "ntpClient" $esxcliargs.ipaddress = $IP try { $esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs) } catch [System.Exception] { Write-Warning "Error during AllowedIP remove. See latest errors..." } } } ## Set NTP Client Firewall Rule AllowedIP "Set NTP Client Firewall Rule AllowedIP ..." foreach ($myNTP in $CurrentNTPServers) { $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $esxcliargs.ipaddress = $myNTP $esxcliargs.rulesetid = "ntpClient" try { $esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs) } catch [System.Exception] { $ErrorMessage = $_.Exception.Message if ($ErrorMessage -ne "Ip address already exist.") { Write-Warning "Error during AllowedIP remove. See latest errors..." } } } ## Get New NTP Client Firewall Rule AllowedIP "Get New NTP Client Firewall Rule AllowedIP ..." $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() $esxcliargs.rulesetid = "ntpClient" try { $FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs) } catch [System.Exception] { Write-Warning "Error during Rule List. See latest errors..." } "`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")" } } process { if ($SetSecure) { "Execute Set and Secure operation for new NTP Servers ..." $VMHost | Foreach-Object { Write-Output (SetNTP $_) } $VMHost | Foreach-Object { Write-Output (SecureNTP $_) } } if ($Secure) { "Execute Secure operation for exitsting NTP Servers ..." $VMHost | Foreach-Object { Write-Output (SecureNTP $_) } } } } |