VMware Cloud Community
Dthompson04
Contributor

How to Security Harden vSphere 6.7 CLI commands

Hello everyone,

I've just completed a build on an ESXi 6.7 cluster and am trying to lock down the security with best practices. I'm finding loads of documentation and videos on the subject, but nothing on the actual commands.

EXAMPLE:

I'm trying to remove unwanted ciphers being used from the install, below is the command and output.

grep -i "^Ciphers" /etc/ssh/sshd_config

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

What I want to do now is remove unwanted ciphers referencing openssh.com. Like I said, I've been searching the internet, but nothing is coming up or it only discusses the subject and not how to do it.

In the attachment I've uploaded I search for grep and nothing returns. From the document I take key commands and they don't work in the CLI of the ESXi 6.5 or 6.7 host.

What are the standard procedures for making command line changes and updates on ESXi servers?  Is there a reference available discussing the proper commands?

0 Kudos
3 Replies
vXav
Expert

I can't help you with the disabling of ciphers. However, the security best practice is to keep SSH disabled when you are not using it.

Be careful when making custom changes that are not documented as you might have trouble getting official support when you need it and it makes configuration management more difficult.

If you are looking at securing your hosts you can check out the Security Configuration Guide (formerly hardening guide).

It is getting thinner and thinner as most of the security guidelines are being implemented in the code of ESXi itself.

You will find an Excel file with recommendations in which you get CLI and PowerCLI commands to set them.

Since vSphere 6.0, part of the hardening guide was moved to the vSphere doc, so it is maybe worth having a look there as well.

0 Kudos
Dthompson04
Contributor

vXav,

I have the below guides and the "Mastering VMware vSphere 6.7" book; the problem is on CLI-related issues. I know the grep commands to run, but I can't find the method to make changes to the particular item to be modified to correct the dependency.

vsphere-esxi-vcenter-server-67-networking-guide

vsphere-esxi-vcenter-server-67-performance-best-practices

vsphere-esxi-vcenter-server-67-security-guide

vsphere-esxi-vcenter-server-67-storage-guide

vsphere-esxi-vcenter-server-67-command-line-interface-getting-started-guide

Below is some of the grep output that I need to modify, yet I haven't found the correct command sets to make changes.

grep -i "^Ciphers" /etc/ssh/sshd_config

"Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc"

Want to remove cbc and aes128 ciphers

grep -i "^IgnoreRhosts" /etc/ssh/sshd_config

Should be "IgnoreRhosts yes"

grep -i "^HostbasedAuthentication" /etc/ssh/sshd_config

Should be "HostbasedAuthentication no"

grep -i "^PermitRootLogin" /etc/ssh/sshd_config

Should be "PermitRootLogin no"

grep -i "^PermitEmptyPasswords" /etc/ssh/sshd_config

Should be "PermitEmptyPasswords no"

These are just a few of the settings that need to be modified and they are all command-line related. The other issues I know what to do with, but I have to work with other departments.

0 Kudos
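An added example, not part of the original thread and not VMware tooling: a POSIX sh audit that compares a copy of sshd_config against the target values listed in the post above and derives the cipher list with the CBC and aes128 entries removed. The function names and the sample file are constructed for illustration, and treating an unset directive as a finding is an assumption of this example.

```shell
# Print the value of the first active (uncommented) line for directive $2 in
# file $1; the keyword match is case-insensitive, like the grep -i checks above.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Drop CBC-mode and aes128* entries from a comma-separated cipher list.
filter_ciphers() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i !~ /cbc/ && $i !~ /^aes128/) out = out (out == "" ? "" : ",") $i
        print out
    }'
}

# Report each setting as OK or FAIL; the return status is the number of findings.
# Assumption of this example: a directive that is not set explicitly is a finding.
audit_sshd() {
    file=$1 fails=0
    for want in "IgnoreRhosts yes" "HostbasedAuthentication no" \
                "PermitRootLogin no" "PermitEmptyPasswords no"; do
        key=${want%% *} expected=${want#* }
        actual=$(get_directive "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', want '$expected'"
            fails=$((fails + 1))
        fi
    done
    current=$(get_directive "$file" Ciphers)
    wanted=$(filter_ciphers "$current")
    if [ -n "$current" ] && [ "$current" = "$wanted" ]; then
        echo "OK   Ciphers $current"
    else
        echo "FAIL Ciphers is '${current:-unset}', want '$wanted'"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample config (not taken from a real host) for a stand-alone run.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
printf '%s\n' 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc' \
    'IgnoreRhosts yes' 'HostbasedAuthentication no' \
    'PermitRootLogin yes' 'PermitEmptyPasswords no' > "$sample"
audit_sshd "$sample" || echo "$? setting(s) need attention"
```

The audit only reads the file, so it can be run before and after an edit, and again after a reboot, to see whether a change is still in place.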
vXav
Expert

I see. Sorry I can't be of any help with that.

I suggest you open a support ticket with VMware.

Also, not sure, but these changes might not be persisted across reboots; you may want to check that whenever you find your answer.

0 Kudos