1 Reply Latest reply on Aug 13, 2019 10:23 AM by AlessandroRomeo68

    Change VCSA 6.7 SSH port

    PRWeb Lurker

      We usually change the SSH port number on our devices to avoid common scans to port 22. In case it is of use to others, below are the steps for this change on VCSA 6.7 using port 10022 as an example. Note that a VCSA update to the SSH or firewall services may overwrite this change.


      1. Enable the console CLI via the VAMI Access menu (https://vcenter_url:5480/) and log in as root (VM console, Alt-F1).

      2. Add a rule for port 10022 and remove the rule for port 22.


      iptables -I port_filter -p tcp --dport 10022 -j ACCEPT

      iptables -D port_filter -p tcp --dport 22 -j ACCEPT


      Confirm that the ACCEPT rule for the new port appears in the iptables list.


      iptables -L port_filter -n --line-numbers|grep 10022

      1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10022


      3. Change /etc/vmware/appliance/services.conf so that firewall reloads use the new port.

      ----------

                   "direction": "inbound",

                   "protocol": "tcp",

                   "porttype": "dst",

                   "port": "22"

      ----------

      to

      ----------

                   "direction": "inbound",

                   "protocol": "tcp",

                   "porttype": "dst",

                   "port": "10022"

      ----------

      4. Change /etc/ssh/sshd_config so that the SSH service uses the new port.

      ----------

      #Port 22

      #AddressFamily any

      ----------

      to

      ----------

      Port 10022

      #AddressFamily any

      ----------

      5. Enable SSH via the VAMI Access menu (https://vcenter_url:5480/).
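      The two file edits in steps 3 and 4 have to agree, otherwise the next firewall reload opens one port while sshd listens on another and the appliance becomes unreachable over SSH. The POSIX sh helpers below (an added example, not from the original post) make the two edits on copies of the files and check that the sshd port and the services.conf rule match before anything is reloaded; the function names and the NEW_PORT variable are my own, and the iptables step is deliberately left out.

```shell
#!/bin/sh
# Added example: rewrite the SSH port in the VCSA config files from the steps
# above and verify consistency. File paths are passed in, so the helpers can be
# exercised on constructed sample files before being run against /etc.

NEW_PORT="${NEW_PORT:-10022}"   # assumed default, matching the post's example

# Replace the sshd listen port. Handles both the shipped "#Port 22" (commented
# default) and an explicit "Port 22" line; no other line is touched.
set_sshd_port() {
    file="$1"; port="$2"
    tmp="$file.tmp.$$"
    sed "s/^#\{0,1\}Port 22[[:space:]]*$/Port $port/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Rewrite the SSH rule in the firewall service definition ("port": "22" -> new
# port) so that a firewall reload does not reopen 22 and drop the new port.
set_services_conf_port() {
    file="$1"; port="$2"
    tmp="$file.tmp.$$"
    sed "s/\"port\": \"22\"/\"port\": \"$port\"/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Print the port sshd will actually listen on: the first uncommented Port
# directive, or 22 when none is set (sshd's built-in default).
effective_sshd_port() {
    p=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Return 0 when the effective sshd port has a matching inbound rule in
# services.conf (so SSH stays reachable after a firewall reload), else 1.
ports_consistent() {
    port=$(effective_sshd_port "$1")
    grep -q "\"port\": \"$port\"" "$2"
}

# Usage on the appliance (after backing up both files):
#   set_sshd_port /etc/ssh/sshd_config "$NEW_PORT"
#   set_services_conf_port /etc/vmware/appliance/services.conf "$NEW_PORT"
#   ports_consistent /etc/ssh/sshd_config /etc/vmware/appliance/services.conf \
#       || echo "port mismatch: do not restart sshd or reload the firewall yet"
```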


      These steps are optional.


      1. Change /etc/services so that commands which look up service names display the correct one for the new port.

      ----------

      ssh              22/tcp    # SSH Remote Login Protocol

      ssh              22/udp    # SSH Remote Login Protocol

      #                          Tatu Ylonen <ylo@cs.hut.fi>

      ssh              22/sctp   # SSH

      ----------

      to

      ----------

      ssh              10022/tcp # SSH Remote Login Protocol

      ssh              10022/udp # SSH Remote Login Protocol

      #                          Tatu Ylonen <ylo@cs.hut.fi>

      ssh              10022/sctp # SSH

      ----------

      2. Change /etc/systemd/scripts/iptables. This doesn't seem to be used by VCSA.

      ----------

      #Enable ssh connections

      iptables -A INPUT -p tcp --dport 22 -j ACCEPT

      ----------

      to

      ----------

      #Enable ssh connections

      iptables -A INPUT -p tcp --dport 10022 -j ACCEPT

      ----------


      References

      ----------

      https://www.virtuallyghetto.com/2017/07/quick-tip-list-all-open-ports-on-the-vcsa-psc.html

      Quick Tip – List all open ports on the VCSA / PSC


      https://icebow.ru/portal/display/VMWKB/vCSA+6.0+Firewall

      vCSA 6.0 Firewall