VMware Cloud Community
pearlyshells
Contributor

Implementing Best Practices

I am about to implement "some" of the VMware Best (Security) Practices in our virtual infrastructure. However, I am isolating 2 hosts to perform the changes on first, to ensure nothing goes awry due to any of the changes. Since others out there have probably performed these practices before, I am hoping that I can get some advice, i.e. what to watch out for. I know some of the recommendations will not be suitable for us, like removing cut and paste or removing the USB drives, since we use USB drives for our keyboard and mouse connections on the hosts, etc. Other recommendations will probably cause the VMs to stop working or cause issues if not performed in a step-by-step manner, i.e. policies.

One of the recommendations that I like but would like some advice on is: disabling remote ROOT access and only having specific users allowed to access the ESX hosts. We have 4 virtual administrators and I am the main administrator (by default, mostly, not because I am the most knowledgeable). So, I'd like to set up all of the administrators with access to the ESX hosts, but only with their specific accounts and not ROOT. They can sudo to root but not immediately log in as root (so that there is some logging activity and accountability). The only place ROOT can be used is directly in front of the host. So, the idea is that we can all use PuTTY to access the host with our accounts and manage the hosts, but only with our user accounts. I don't know if this is specifically available. If so, how?

5 Replies
weinstein5
Immortal

Well, that is by default how ESX is configured when you first install ESX. Since it sounds like you have modified the sshd_config file, you will simply need to undo that.

To block the root user to login to a VMware ESX Server over the network using SSH, do the following:

  1. Go to the service console on the physical server & login

  2. vi /etc/ssh/sshd_config

  3. Change the line that says PermitRootLogin from "yes" to "no"

  4. Run service sshd restart

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
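The steps above edit sshd_config by hand, and a typo, a commented-out line or a duplicate keyword can leave root login enabled while the file looks fixed. As an added example (not part of the original reply), this POSIX shell check reports the PermitRootLogin value sshd will actually use from a given file; the three sample configs it writes are constructed for the example, not taken from a real host.

```shell
#!/bin/sh
# Report the PermitRootLogin value sshd will actually use from a config
# file. sshd honours the FIRST active occurrence of a keyword, ignores
# commented lines, accepts "Key value" or "Key=value", and anything after
# a "Match" line is conditional rather than global. No active global line
# means the compiled-in default applies; that is reported as "unset".
effective_permit_root_login() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)          # drop full-line and trailing comments
            gsub(/=/, " ", line)          # normalise Key=value to Key value
            n = split(line, f)
            if (n == 0) next              # blank or comment-only line
            if (tolower(f[1]) == "match") exit   # global section ends here
            if (n >= 2 && tolower(f[1]) == "permitrootlogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Pass (return 0) only for an explicit "no": the goal in this thread is
# that root cannot log in over SSH at all, so key-only variants such as
# prohibit-password or without-password still fail this check.
root_ssh_login_blocked() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Write one of three constructed sshd_config fragments to a temp file and
# print its path. These are made up for the example, not copied from a host.
write_sample() {
    f=$(mktemp) || return 1
    case "$1" in
        open)     printf '%s\n' 'Protocol 2' 'PermitRootLogin yes' 'PermitRootLogin no' > "$f" ;;
        hardened) printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin = no' > "$f" ;;
        default)  printf '%s\n' '#PermitRootLogin yes' 'Match User alice' 'PermitRootLogin no' > "$f" ;;
    esac
    echo "$f"
}

# Stand-alone demo: "open" is still yes (first line wins), "hardened" is no,
# "default" is unset because the only active setting sits inside a Match block.
for s in open hardened default; do
    f=$(write_sample "$s")
    printf '%-9s -> %s\n' "$s" "$(effective_permit_root_login "$f")"
    rm -f "$f"
done
```

Run it against the real file with `effective_permit_root_login /etc/ssh/sshd_config` after the edit and again after `service sshd restart` has picked it up.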
pearlyshells
Contributor

Thanks very much. When we first brought VMware into our network, we had a consultant perform most of this for us while we "learned" from him. That's how we got most of what we know. I recall he did do something to a file to allow us to use root on all our hosts from PuTTY.

AndreTheGiant
Immortal

"he did do something to a file to allow us to use root on all our hosts from PuTTY."

You can use /etc/hosts.allow and /etc/hosts.deny to do this (e.g. to allow a single IP).

See the Unix TCP Wrapper documentation.

Andre

Andre | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
athlon_crazy
Virtuoso

Another thing you can do is assign different permissions to run commands with "visudo", like:

  • vAdminA - esxtop, vmware-cmd

  • vAdminB - vimsh, poweroff, reboot

vcbMC-1.0.6 Beta

vcbMC-1.0.7 Lite

http://www.no-x.org
azn2kew
Champion

As mentioned, using sudo in this case is the best scenario, and for specific AD domain login accounts you can integrate with the PAM plugin using the esxcfg-auth command to accomplish this. Check out Edward Haletky's website; he has all types of security integration for ESX hosts. Also visit xtravirt.com for the specific SUDO GUIDE, which is pretty good and detailed.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant
