VMware Cloud Community
AlexEv123
Enthusiast

ESXI root password has been hacked

Hi, I have a couple of ESXi servers, but one of them is naked: it faces the internet without a firewall. And yesterday that ESXi 7 server was hacked. Somebody changed the root password on my server. I googled this issue and found a lot of approaches to hack an ESXi server, for example: https://www.vmwareblog.org/forgot-esxi-root-password-no-problems-4-ways-reset/

And I decided to reinstall that server. So, my question is: can I delete the ROOT login at all (like a standard Ubuntu-style installation), or maybe rename it, or can anybody advise how to strongly protect the ESXi ROOT login/password from being hacked and the password changed?

8 Replies
scott28tt
VMware Employee

@AlexEv123 

Why expose the host to the internet in the first place? Securing the network access would be the best approach.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
AlexEv123
Enthusiast

Dear @scott28tt, what do you mean? I don't understand you. That server was rented in a Hetzner datacenter; if I understand correctly, there are no security options there to restrict access to the server from the internet. The server is naked and anybody can access port 443.

Or do you mean some VMware control options?
scott28tt
VMware Employee

@AlexEv123 

I doubt there would be many vSphere admins/architects who would think it is a good idea to expose an ESXi host directly to the outside world in that way without any kind of security or authentication restrictions.

I used to manage vSphere training labs that were accessible from the internet - they had a front-end system that you would have to successfully authenticate against first prior to getting anywhere near the vSphere infrastructure.

Lalegre
Virtuoso

Hey @AlexEv123,

Publishing an ESXi host to the Internet is definitely not a good idea, as if somebody gets access they can affect all your infrastructure immediately without much knowledge, and even extract information from the virtual machines that are stored there.

Of course there are mechanisms for restricting network access, such as only allowing the public IP used by the customer to connect there; however, as @scott28tt said, the solution is not in securing that access but in using an intermediate service to give access with strong authentication and encryption in the middle. Think about VDI solutions, for example.
msweeney1981
Contributor

I'd always protect the management of ESXi, simple stuff like locking it down.

I'd suggest looking at this article as a starter for 10..

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-88B24613-E8F9-40D...

AlexEv123
Enthusiast

Thank you @msweeney1981, but in this mode I cannot add new VMs, can I?
Lalegre
Virtuoso

Hey @AlexEv123,

Lockdown mode will only work if you have vCenter Server, but as I understand it you are not providing that access to the user, so in case you want the user to be able to access the ESXi host with another user, you can change the root privilege to No-Access or Read-Only.

Before doing this you will need to create a new user locally on your ESXi host and provide it administrator privileges. For that, follow this document: https://blogs.virtualmaestro.in/2016/02/12/how-to-add-local-account-in-esxi-shell/#:~:text=Add%20use....

This will restrict the access completely to the host and the root user will have no access, however this will not impact the use of root inside SSH but I presume you are not publishing that to the Internet.

However, this is a solution to your issue, not a recommendation.

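As an added example, not from any poster in this thread: a script for the ESXi shell that carries out the two steps above (a named local admin takes over from root on the host's web/API interface, root keeps SSH) and the firewall restriction @Lalegre mentioned earlier, limiting the 443 (vSphereClient) and 80 (webAccess) rulesets to one management network and disabling the SSH ruleset. The user name opsadmin, the password and the network 203.0.113.10/32 are assumptions; set ESXCLI="echo esxcli" to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Run in the ESXi shell; ESXCLI defaults to
# the real esxcli, set ESXCLI="echo esxcli" to print the plan instead.
# The admin user name and management network below are assumptions.
set -eu
ESXCLI="${ESXCLI:-esxcli}"

# Restrict one firewall ruleset from "any source" to a single source network.
restrict_ruleset() {
  ruleset="$1"; cidr="$2"
  $ESXCLI network firewall ruleset set --ruleset-id "$ruleset" --allowed-all false
  $ESXCLI network firewall ruleset allowedip add --ruleset-id "$ruleset" --ip-address "$cidr"
}

# Create a named local admin first, then take root's permission away on the
# host's web/API interface (root keeps SSH, as noted in the thread above).
replace_root_with_named_admin() {
  user="$1"; pass="$2"
  $ESXCLI system account add --id "$user" --password "$pass" \
      --password-confirmation "$pass" --description "named admin for web/API access"
  $ESXCLI system permission set --id "$user" --role Admin
  $ESXCLI system permission set --id root --role NoAccess
}

harden_host() {
  admin_user="$1"; admin_pass="$2"; mgmt_cidr="$3"
  replace_root_with_named_admin "$admin_user" "$admin_pass"
  # 443 (vSphereClient) and 80 (webAccess) are what the host exposes on the internet.
  restrict_ruleset vSphereClient "$mgmt_cidr"
  restrict_ruleset webAccess "$mgmt_cidr"
  # SSH should not be reachable from the internet at all.
  $ESXCLI network firewall ruleset set --ruleset-id sshServer --enabled false
}

# Usage: sh harden.sh --apply opsadmin 'ASSUMED-STRONG-PASSWORD' 203.0.113.10/32
if [ "${1:-}" = "--apply" ]; then
  shift
  harden_host "$@"
fi
```

Verify afterwards with `esxcli network firewall ruleset allowedip list` and `esxcli system permission list` before closing the SSH session.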
jburen
Expert

Hi Alex, besides the other recommendations and solutions always keep your ESXi host up-to-date with the latest security patches. This will also help to minimize the risk of getting "hacked". But indeed, don't connect your ESXi host directly to the internet without proper security measures like firewalls.

There are also benchmarks that give you guidance on how to secure your ESXi host.
