I have my remote management IP on a totally different IP block compared to the rest of my VMs, but I still want to disable the HTTP interface (where you can download the VI client). Either disable it completely or replace the index file with a blank one.... I dunno where to find that.
Hello,
To disable:
chkconfig vmware-webAccess off
service vmware-webAccess stop
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
not found. that command does not exist.
The biggest problem I see is that a quick google search brings up several of these default landing pages for esxi hosts... so I now know XX hosts that are running esxi (some are even quite old versions)... yikes?
Hello,
Is your question about ESXi or ESX? If ESX, run the command:
The commands are within the /sbin directory. Most likely you are using sudo with no path set or using su without doing 'su -' so you should use:
/sbin/chkconfig vmware-webAccess off
/sbin/service vmware-webAccess stop
Best regards,
Edward L. Haletky
Hello,
ESXi hosts with the management appliance on the 'internet' is extremely dangerous..... This is definitely NOT a best practice.
Best regards,
Edward L. Haletky
I'm talking about ESXi.
And how do I get the management off the internet but still accessible via the internet? The server is 1200 miles away. That's kinda why I'd like to turn off everything but port 902 or whatever it is. There also is no iptables installed?
No wonder I used almost a gig data transfer in 2 days.... been hammered with brute force attacks constantly already
Hello,
Thank you for clarifying. Moving to the ESXi forum.
You cannot disable port 80/443 on ESXi as it uses it to reverse proxy management. The best solution to your problem is to move your ESXi management console out of the DMZ (i.e. make it NOT internet facing) by putting a physical firewall (or even virtual) between it and the internet. Hopefully a firewall with some form of VPN support such as Smoothwall with Zerina plugin. This way you VPN into a VM then manage the system from within your own network.
Even if you succeeded in shutting down webAccess, the rest of the management interfaces exist and those are pretty much now under constant attack. ESXi is a juicy target by the hackers....
I suggest reading http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf for more information on this.
Best regards,
Edward L. Haletky
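An added example, not part of any post in this thread: once the management interface sits behind a firewall as the reply above recommends, this Python check, run from a machine outside that firewall against your own management address, reports whether ports 80, 443 and 902 (the ports named in the thread) still answer. The address `192.0.2.10` is a documentation placeholder and the function names are this example's own.

```python
import socket
import sys

# Ports named in the thread: 80/443 (reverse-proxied management) and 902.
MGMT_PORTS = (80, 443, 902)


def probe(host, port, timeout=2.0):
    """Classify one TCP port as seen from this vantage point.

    'open'     - handshake completed, the service is reachable from here
    'closed'   - connection refused (host answers, nothing listening)
    'filtered' - no answer or network error, typical of a dropping firewall
    Pass an IP address: a name that fails to resolve also reads as 'filtered'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:  # must precede OSError, its parent class
        return "closed"
    except OSError:                 # includes timeouts and unreachable routes
        return "filtered"
    finally:
        s.close()


def audit(host, ports=MGMT_PORTS, timeout=2.0):
    """Probe every management port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that should not be reachable from outside but are."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder (TEST-NET-1); pass your own management IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = audit(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port} {state}")
    sys.exit(1 if exposed(results) else 0)
```

A non-zero exit status means at least one management port is still reachable from where the script ran, so it can be scheduled as a recurring check.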
Why doesn't ESXi have a firewall/iptables in the first place? Am I able to change the IP and stuff while remotely connected?
1) Because it's not Linux
2) Because it's too small
3) Because it's designed to be placed behind a firewall
--Matt
VCP, vExpert, Unix Geek
Screw it, I'll spend the 30 grand and switch to Microsoft for their security
Have you checked out XenServer at all? It's got IPTable installed by default - and from the testing I've done today (after dumping ESXi for exactly the same reasons as you), it's actually pretty good.
Don't even bother with Hyper-V IMO, you'll be ripping your hair out before the day is done. It's a pile of ****