VMware Cloud Community
sekii (Contributor)

How to find vcenter

Hi,

Please tell me, how can I find the IPs of vCenter / ESXi hosts in my network?

Thanks.


18 Replies
MikeStoica (Expert)

Can you login to vCenter? Do you have the FQDN of the vCenter and ESXi hosts?

sekii (Contributor)

Do you have the FQDN of the vCenter and ESXi hosts? - No.

I have one vCenter, but I want to monitor the network for new vCenter/ESXi instances (some IT admin could create one more and I want to know about it).

MikeStoica (Expert)

How do you log in to vCenter?

sekii (Contributor)

You don't understand me.

I don't want to log on to vCenter, I just want to find vCenter in my network.

Maybe I can scan the network and find servers with open ports/services that are used only by vCenter?

daphnissov (Immortal)

Why do you need to "find vcenter" in your own network? Is it your vCenter? What are you trying to achieve?

sekii (Contributor)

Why does everyone ask what it is for...

Let me explain:

I have one vCenter/ESXi in the network.

Anyone could create a new vCenter/ESXi in the same network.

I want to know about all vCenters in the network and create an alert when a new vCenter/ESXi is created.

Thanks.

daphnissov (Immortal)

There is certainly no way to do this within vCenter itself. A port scanner may or may not return what service is running on the port. There may be vulnerability scanners which might be able to tell the application, but that would depend on the version, and this is likely to change.

sekii (Contributor)

OK. I can scan with any network scanner, but which ports are always open on vCenter/ESXi servers - 902, 903, 5989?

daphnissov (Immortal)

vCenter is listening on 443 and a couple others, but 443 is the API endpoint as well as the client endpoint.

sekii (Contributor)

Yes, but ports like 443, 80 and 22 are used by many other servers, and I can't tell whether it is an ESXi server or some other Linux server (for example).
I need to know a specific port that only vCenter/ESXi uses, to recognize exactly which servers are vCenter/ESXi.

daphnissov (Immortal)

The point is you may not be able to by ports alone. That isn't enough information to tell you what services a host is running.

sekii (Contributor)

Well, in the end - I can't find vCenter/ESXi?

daphnissov (Immortal)

Maybe. Maybe not. I have not attempted this myself.

sk84 (Expert) - accepted solution

Yes, I'm afraid your task is completely useless. There are no ports that are only used by vCenter, because there are only 65536 possible ports and there is more software in the world. And the fact that someone can just run a vCenter and it's a problem suggests that you don't have security policies in your network. Besides that, what do you care if someone sets up a vCenter? He can't do anything with it anyway...

But as mentioned before, you can use a network or vulnerability scanner that can guess if it is a vCenter or Apache web server if something is listening on port 443.

--- Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
daphnissov (Immortal)

But as mentioned before, you can use a network or vulnerability scanner that can guess if it is a vCenter or Apache web server if something is listening on port 443.

This was basically my point. A vCenter that doesn't manage any ESXi hosts is basically useless. So users have the possibility of bringing up their own ESXi hosts as well? Sounds like you've got a bigger problem than just checking for rogue vCenters...

sekii (Contributor)

We have many admins, servers and VLANs, and they can create a new ESXi, and I want to know about this.

How do you block the creation of an ESXi in your network?

For example 1:

You have very many servers (virtual and hosts, test and production).

An admin creates a new ESXi.

What would prevent him?

And how do you detect it?

How do you block it?

How do you know about it?

For example 2:

A hacker penetrates the intranet (don't ask how, just assume it).

How will he look for vCenter/ESXi in order to hack it?

I just assume the possibility of it and want to protect against it.

Thanks.

sk84 (Expert)

If an admin has the ability and permissions to build a virtual infrastructure, that should be fine. Otherwise it is a security problem that has to be solved with security policies and organizational structures.

For an ESXi Server or vCenter to become a problem, several prerequisites must be met:

- Network connectivity to the company network must exist

- DNS must work (no other person uses an IP directly)

- Firewall access must be allowed (otherwise the host is isolated and can't do any harm)

- Someone has to put the server into operation.

So if you separate DNS, firewall, network and server management, and there are policies that require changes to be approved and documented by a team leader, one person cannot decide alone that an ESXi server can be deployed just like that.

For example, a person cannot configure the switch ports because he does not have permissions on the switches. Only network admins are allowed to. Or he cannot open the firewall for access from inside and outside. However, the people who are allowed to do so must obtain permission from their supervisor and it must be documented, etc. If someone violates these security guidelines, then it has consequences under labor law.

This is just a simple example. But you can scale this approach to any size and make it complex. The bottom line is that one person alone can never and must never manage all security-critical components. So it always takes several people to control each other.

Of course, someone can then operate a Nested ESXi on his laptop, which he simply attaches to the LAN socket in the company building. But what does he want to do with it? Nobody can reach it from the outside, he can probably only access the Internet via a proxy and he can only reach the productive systems via the firewall, just like with normal access via his laptop. Apart from the fact that it would be forbidden to do such a thing and he could be dismissed, he can do no more harm with it than with his laptop.

For security reasons, it makes sense to automatically monitor your network and be informed when suddenly hosts and services appear that should not be running. But usually it doesn't matter if this is an ESXi host, vCenter server, Apache web server, database or whatever.

I know some smaller companies that use self-programmed scripts based on nmap and I know big companies that use Nessus.

But there are certainly more tools and solutions for this.

--- Regards, Sebastian
VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
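The nmap-based monitoring Sebastian describes, reduced to its core, is a baseline diff: scan on a schedule, compare against the last approved inventory, and alert on anything that appeared. The example below is added here and is not code from the thread, from VMware or from any poster. It assumes the scans were produced with `nmap -sV -oG <file> <ranges>`; the two scan texts embedded in it are constructed samples in the greppable (-oG) shape, and their service names and version strings are illustrative rather than real nmap fingerprints. In line with daphnissov's point that port numbers alone (443, 902, 903, 5989) are not enough, every new host or service is reported regardless of port; the service banner is used only to label which of them probably are ESXi/vCenter.

```python
"""Baseline-diff detector over nmap greppable (-oG) output.

Added example, not from the thread. Assumes scans were made with
`nmap -sV -oG <file> <ranges>`. BASELINE_OG and CURRENT_OG are CONSTRUCTED
samples in -oG shape; service names/version strings are illustrative only.
"""
import re
from dataclasses import dataclass

# In -oG output each host gets one "Ports:" line. Each port entry has the
# fields  port/state/proto/owner/service/rpcinfo/version/
PORTS_RE = re.compile(
    r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$"
)

# Markers in a service name or version banner that suggest VMware management
# software. Used only to prioritise alerts; port numbers are never trusted.
VMWARE_MARKERS = ("vmware", "esxi", "vcenter")

# Constructed baseline: the approved vCenter, one ESXi host and a web server.
BASELINE_OG = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 10.10.0.10 (vcsa.corp.example)\tStatus: Up
Host: 10.10.0.10 (vcsa.corp.example)\tPorts: 443/open/tcp//https//VMware vCenter Server/, 22/open/tcp//ssh//OpenSSH 8.0/\tIgnored State: closed (998)
Host: 10.10.0.11 (esx01.corp.example)\tStatus: Up
Host: 10.10.0.11 (esx01.corp.example)\tPorts: 443/open/tcp//https//VMware ESXi SOAP API/, 902/open/tcp//vmware-auth///\tIgnored State: closed (998)
Host: 10.10.0.20 (web01.corp.example)\tStatus: Up
Host: 10.10.0.20 (web01.corp.example)\tPorts: 443/open/tcp//https//Apache httpd 2.4/, 22/open/tcp//ssh//OpenSSH 8.0/\tIgnored State: closed (998)
"""

# Constructed current scan: web01 unchanged, esx01 gained a CIM port, and an
# unknown host on another subnet answers with an ESXi-looking banner on 443.
CURRENT_OG = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 10.10.0.10 (vcsa.corp.example)\tPorts: 443/open/tcp//https//VMware vCenter Server/, 22/open/tcp//ssh//OpenSSH 8.0/\tIgnored State: closed (998)
Host: 10.10.0.11 (esx01.corp.example)\tPorts: 443/open/tcp//https//VMware ESXi SOAP API/, 902/open/tcp//vmware-auth///, 5989/open/tcp//wbem-https///\tIgnored State: closed (997)
Host: 10.10.0.20 (web01.corp.example)\tPorts: 443/open/tcp//https//Apache httpd 2.4/, 22/open/tcp//ssh//OpenSSH 8.0/\tIgnored State: closed (998)
Host: 10.10.5.77 ()\tPorts: 443/open/tcp//https//VMware ESXi SOAP API/, 902/open/tcp//vmware-auth///\tIgnored State: closed (998)
"""


@dataclass(frozen=True, order=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    version: str

    def looks_like_vmware(self) -> bool:
        """True if the banner (not the port) hints at ESXi/vCenter."""
        blob = f"{self.name} {self.version}".lower()
        return any(marker in blob for marker in VMWARE_MARKERS)


def parse_grepable(text: str) -> set[Service]:
    """Return the set of open services listed in nmap -oG text."""
    found: set[Service] = set()
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:            # comment lines and "Status:" lines carry no ports
            continue
        host, entries = m.group(1), m.group(3)
        for entry in entries.split(", "):
            f = entry.split("/")
            if len(f) < 7 or f[1] != "open":
                continue     # ignore filtered/closed entries
            found.add(Service(host, int(f[0]), f[2], f[4], f[6]))
    return found


def diff_scans(baseline_text: str, current_text: str) -> dict:
    """Compare two scans; report new hosts, new services and VMware suspects."""
    base, cur = parse_grepable(baseline_text), parse_grepable(current_text)
    new_services = sorted(cur - base)
    new_hosts = sorted({s.host for s in cur} - {s.host for s in base})
    suspects = sorted({s.host for s in new_services if s.looks_like_vmware()})
    return {"new_hosts": new_hosts, "new_services": new_services,
            "vmware_suspects": suspects}


def format_alerts(report: dict) -> list[str]:
    """One alert line per finding; VMware-looking banners get a tag."""
    lines = [f"NEW HOST {h}" for h in report["new_hosts"]]
    for s in report["new_services"]:
        tag = " [possible ESXi/vCenter]" if s.looks_like_vmware() else ""
        desc = f"NEW SERVICE {s.host}:{s.port}/{s.proto} {s.name} {s.version}"
        lines.append(desc.rstrip() + tag)
    return lines


if __name__ == "__main__":
    for alert in format_alerts(diff_scans(BASELINE_OG, CURRENT_OG)):
        print(alert)
```

Run on the constructed samples, this reports the unknown host 10.10.5.77 as a new host, lists three new services, and tags the two on 10.10.5.77 as possible ESXi/vCenter while leaving esx01's new 5989 listener untagged. In practice the baseline is the previous approved scan file, and anything reported is reviewed and either added to the baseline or escalated, which is the "inform me when a host or service appears that should not be running" workflow, independent of whether the new thing turns out to be ESXi, vCenter, Apache or a database.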
sekii (Contributor)

Thank you for detailed answer!

So if you separate DNS, firewall, network and server management, and there are policies that require changes to be approved and documented by a team leader, one person cannot decide alone that an ESXi server can be deployed just like that.

- Unfortunately for us, each admin may deploy an ESXi server. I will think about how to separate this.

Of course, someone can then operate a Nested ESXi on his laptop, which he simply attaches to the LAN socket in the company building. But what does he want to do with it? Nobody can reach it from the outside, he can probably only access the Internet via a proxy and he can only reach the productive systems via the firewall, just like with normal access via his laptop. Apart from the fact that it would be forbidden to do such a thing and he could be dismissed, he can do no more harm with it than with his laptop.

- He can use 4G :) and he can replace an old physical server (with internet access) with an ESXi host. And I want to prevent these situations, and if it happens, know about it ASAP.

For security reasons, it makes sense to automatically monitor your network and be informed when suddenly hosts and services appear that should not be running. But usually it doesn't matter if this is an ESXi host, vCenter server, Apache web server, database or whatever.

- Absolutely agree. This question "find vcenter" is only a part of scanning the network. I thought that I could separate VMware from other servers.

Thank you! I will think in this direction.
