VMware Cloud Community
vmwadmin
Contributor
Contributor
‎01-02-2010 08:34 AM

Lock down Internet-facing ESXi

I realize it's bad practice to publish an ESXi host to the Internet, but I don't have much choice. If you had to do this, what would be the best practices for locking it down? Disable the root account? Anything else? Is there already some way that it's protected from Brute Force / Dictionary attacks, or am I completely succeptible to those?

Thanks,

Alan

0 Kudos
7 Replies
danm66
Expert
Expert
‎01-02-2010 12:58 PM

Do you have to expose the management port onto the internet? If you do, then SSH access is disabled by default. Don't add the host to vCenter as that just adds another user account and more services.

Otherwise, keep the management network on a separate vswitch from the vm network.

0 Kudos
rbaldauf
Contributor
Contributor
‎01-03-2010 06:33 AM

First, i think, you should check your system for open ports, well done with nmap. Root access is not allowed and i would remove su also and only use sudo, for it logs any commands. Maybe you should also consider a special loghost (any linux-box will do), to which the ESX sends its log-lines too, eventually over a serial connection, so the loghost can't get compromised.

Just my two cents

0 Kudos
vmwadmin
Contributor
Contributor
‎01-03-2010 07:18 AM

Thanks for the advice, folks!

It's still behind a firewall, so the only open ports are the ones required for management.

I was thinking of disabling ports 902 and 903, so that would at least stop them from being able to xfer files and accessing the consoles.

It can't be much more dangerous than exposing a Windows box with remote desktop open, right?

Regarding my original question - is there any built in protection against brute force attacks? i.e. what happens with failed password attempts?

Thanks,

Alan

0 Kudos
vmwadmin
Contributor
Contributor
‎01-03-2010 07:43 AM

I don't see su in the vSphere "Users & Groups" tab.

Its got daemon, nfsnobody, root, noboyd, vimuser, and dcui. I had planned on deleting root. Are there any others of this list I should delete?

Thanks,

Alan

0 Kudos
DSTAVERT
Immortal
Immortal
‎01-03-2010 12:24 PM

ESXi does not have a firewall so you can't "lock down" anything. The su reference is for ESX not ESXi. If you can't have a firewall in front of ESXi and the VMs you can add a Vritual Machine firewall and put everything behind that. You need two vSwitches and the firewall appliance straddles the two switches. vSwitch0 has the uplink pNIC that connects to the Internet. The firewall, in this case is pfsense has it wan connection on vSwitch0. The lan side of the pfsense firewall is connected to vSwitch1. You would add your virtual machines to vSwitch1. You will need to create a VPN through the firewall to connect to the management network, in this case to 192.168.1.11.

-- David -- VMware Communities Moderator
Preview file
24 KB
0 Kudos
vmwadmin
Contributor
Contributor
‎01-03-2010 01:39 PM

Very cool... but I'm actually behind my Verizon Fios router/firewall. I just have the necessary ports open to the Internet so I can manage it remotely. So the firewall isn't an issue. I'm mostly worried about brute force attacks.

0 Kudos
vmwadmin
Contributor
Contributor
‎01-03-2010 02:15 PM

I tried to delete the root account; it wouldn't let me do that. So I just removed its permissions on the server's Permissions tab. Hopefully that doesn't hurt anything. I confirmed that root can no longer log in.

There's one other account in there that has permissions - dcui. Is that something I need to worry about? Can I remove its permissions as well, or will that break something?

Thanks,

Alan

0 Kudos