VMware Cloud Community
lukeglazebrook
Enthusiast

SSH best practice, is it OK to leave it constantly enabled? Even with IP limiting FW rules? What are your thoughts?

All,

Thanks in advance for any help you can provide. I am being pressed into leaving SSH enabled across our estate by the security team (albeit with IP-limited rules in place). The purpose of this is so our security appliances can scan the hosts. Perhaps I am being slightly anal but this irks me, so I thought I would run it past the community and get a more unbiased opinion. Aside from the fact it feels wrong and it's seemingly an unnecessary service using up resource (admittedly a small amount) and will nag me with exclamation marks, does anyone know if VMware very specifically approve/disapprove of it?

I am also concerned that it might mean we are no longer PCI DSS compliant. I initially suggested we run a script to briefly disable it prior to a scan. What are everyone else’s thoughts on the matter?

3 Replies
scott28tt
VMware Employee

VMware's recommendation is on row 4: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vsphere-6.7-update-1-securit...


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee, I contribute to VMware Communities voluntarily (i.e. not in any official capacity)
VMware Training & Certification blog
vjsysadmin
Contributor

Same here, any best practices?

Arvind_Kumar11
Enthusiast
