We usually change the SSH port number on our devices to avoid common scans to port 22. Keep in mind that moving the port only takes the host out of the background noise of mass scans on 22; a targeted port scan still finds sshd, so key-based authentication and firewall restrictions on who may reach the port remain the actual protection. In case it is of use to others, below are the steps for this change on VCSA 6.7, using port 10022 as an example. Note that a VCSA update to the SSH or firewall services may overwrite this change, so recheck the port after patching.
1. Enable the console CLI via the VAMI Access menu (https://vcenter_url:5480/) and log in as root at the VM console (Alt-F1). Do the following steps from the console rather than over SSH: step 2 removes the port 22 rule and would drop an SSH session.
2. Add rule for port 10022 and remove rule for port 22.
iptables -I port_filter -p tcp --dport 10022 -j ACCEPT
iptables -D port_filter -p tcp --dport 22 -j ACCEPT
Confirm that an ACCEPT rule for the new port appears in the iptables list before relying on it.
iptables -L port_filter -n --line-numbers|grep 10022
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10022
3. Change /etc/vmware/appliance/services.conf so that firewall reloads use the new port (the rule inserted in step 2 by itself does not survive a rebuild of the port_filter chain).
----------
"direction": "inbound",
"protocol": "tcp",
"porttype": "dst",
"port": "22"
----------
to
----------
"direction": "inbound",
"protocol": "tcp",
"porttype": "dst",
"port": "10022"
----------
4. Change /etc/ssh/sshd_config so SSH service uses the new port.
----------
#Port 22
#AddressFamily any
----------
to
----------
Port 10022
#AddressFamily any
----------
5. Enable SSH via the VAMI Access menu (https://vcenter_url:5480/) so sshd starts on the new port, then test a connection (ssh -p 10022 root@vcenter_url) before leaving the console.
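The same procedure as a script, added here as an example and not taken from the original post or from VMware: the file edits of steps 3 and 4 are done with sed and each one is verified, and the live iptables part of step 2 inserts the new rule and checks for it before the port 22 rule is deleted. It assumes GNU sed (as shipped on the appliance) and that services.conf keeps the four-line block shown in step 3, with the "port" line directly after the "porttype" line; the --apply flag and the function names are this example's own.

```bash
#!/bin/bash
# Added example for this post (not the author's code): applies the edits from
# steps 2-4 to the files passed in, and checks each result, so the change can
# be rehearsed on scratch copies before it is run on the appliance itself.
# Assumptions: GNU sed (VCSA ships it), and that services.conf keeps the
# four-line block shown in step 3 with the "port" line directly after the
# "porttype" line. The --apply flag and function names are this example's own.
set -u

OLD_PORT=22

# Step 4: change the sshd listen port. Replaces the commented default
# "#Port 22" or an active "Port N" with "Port NEW" and prints the result line.
set_sshd_port() {
    local file=$1 new=$2
    sed -i -E "s/^#?Port[[:space:]]+[0-9]+[[:space:]]*$/Port ${new}/" "$file"
    grep -E "^Port ${new}\$" "$file"
}

# Step 3: point the appliance firewall definition at the new port. Only a
# "port" line that immediately follows "porttype": "dst" is rewritten, so an
# unrelated "22" elsewhere in the file is left alone. Prints how many lines
# now carry the new port (expect 1).
set_firewall_port() {
    local file=$1 old=$2 new=$3
    sed -i -E "/\"porttype\": *\"dst\"/{n;s/\"port\": *\"${old}\"/\"port\": \"${new}\"/;}" "$file"
    grep -c "\"port\": \"${new}\"" "$file"
}

# Step 2 check: read `iptables -L port_filter -n` output on stdin and return 0
# if an ACCEPT rule for tcp dpt:PORT is present. The trailing boundary keeps
# dpt:22 from matching dpt:220 or dpt:2222.
accept_rule_present() {
    local port=$1
    grep -Eq "^([0-9]+[[:space:]]+)?ACCEPT[[:space:]]+tcp.*dpt:${port}([[:space:]]|\$)"
}

# Live run of steps 2-4. Insert the new rule and verify it BEFORE deleting the
# old one, and run this from the VM console: deleting the port 22 rule ends
# any SSH session that carried it.
apply_on_appliance() {
    local new=$1
    iptables -I port_filter -p tcp --dport "$new" -j ACCEPT
    if ! iptables -L port_filter -n | accept_rule_present "$new"; then
        echo "no ACCEPT rule for port $new; not removing port $OLD_PORT" >&2
        return 1
    fi
    iptables -D port_filter -p tcp --dport "$OLD_PORT" -j ACCEPT
    set_sshd_port /etc/ssh/sshd_config "$new"
    set_firewall_port /etc/vmware/appliance/services.conf "$OLD_PORT" "$new"
    echo "now enable SSH in the VAMI Access menu and test: ssh -p $new root@vcenter_url"
}

# Usage on the appliance (step 1 done, root at the console):
#   bash change-ssh-port.sh --apply 10022
if [ "${1:-}" = "--apply" ]; then
    apply_on_appliance "${2:?new port number required}"
fi
```

To rehearse it, copy /etc/ssh/sshd_config and /etc/vmware/appliance/services.conf to a scratch directory and call set_sshd_port and set_firewall_port on the copies; the printed "Port 10022" line and the count of 1 tell you the sed patterns matched your files before anything on the appliance is changed.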
The following steps are optional.
1. Change /etc/services to display the correct service name on commands that use it.
----------
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
# Tatu Ylonen <ylo@cs.hut.fi>
ssh 22/sctp # SSH
----------
to
----------
ssh 10022/tcp # SSH Remote Login Protocol
ssh 10022/udp # SSH Remote Login Protocol
# Tatu Ylonen <ylo@cs.hut.fi>
ssh 10022/sctp # SSH
----------
2. Change /etc/systemd/scripts/iptables. This script does not appear to be used by VCSA, so the edit is for consistency only.
----------
#Enable ssh connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
----------
to
----------
#Enable ssh connections
iptables -A INPUT -p tcp --dport 10022 -j ACCEPT
----------
References
----------
https://www.virtuallyghetto.com/2017/07/quick-tip-list-all-open-ports-on-the-vcsa-psc.html
Quick Tip – List all open ports on the VCSA / PSC
https://icebow.ru/portal/display/VMWKB/vCSA+6.0+Firewall
vCSA 6.0 Firewall
Hi,
Thank you! It's very useful.
Alessandro Romeo