VMware Cloud Community
captaindl
Contributor
Contributor
‎11-13-2019 06:47 AM
Jump to solution

Why do VMWare trainers strongly advise against leaving SSH enabled?

A few of my colleagues have been on VMWare ESXi training in the last few years and one of the things they brought back is that we should disable SSH.  While the trainers seem to be fairly clear on this as a policy none of my colleagues thought to ask why as it's not something that we have needed to use, until now.

As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to to attack.

Thanks,

Sam

0 Kudos
1 Solution

Accepted Solutions
daphnissov
Immortal
Immortal
‎11-13-2019 06:48 AM
Jump to solution

As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to to attack.

Yes, it's a matter of this. SSH is usually only something that needs to be enabled when performing manual troubleshooting work. So it's a best practice to leave it disabled until you actually need to use it.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net

View solution in original post

0 Kudos
6 Replies
daphnissov
Immortal
Immortal
‎11-13-2019 06:48 AM
Jump to solution

As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to to attack.

Yes, it's a matter of this. SSH is usually only something that needs to be enabled when performing manual troubleshooting work. So it's a best practice to leave it disabled until you actually need to use it.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net
0 Kudos
jcv365
Contributor
Contributor
‎11-13-2019 07:12 AM
Jump to solution

You can allow certain ip addresses to connect to the ESXi hosts. THis will give you both the ability to ability to maintain, troubleshoot, and remediate issues as well as from security point of view only administrators or support staff will be allowed to access it via SSH.

0 Kudos
captaindl
Contributor
Contributor
‎11-13-2019 07:26 AM
Jump to solution

Thanks, I had a feeling it was just a reduction in attack surface as opposed to a problem with SSH itself but needed to be sure before I suggested opening it up on a few hundred servers.

0 Kudos
captaindl
Contributor
Contributor
‎11-13-2019 07:27 AM
Jump to solution

Thanks, that's a really good idea and was something I was going to look into next.

0 Kudos
scott28tt
VMware Employee
VMware Employee
‎11-13-2019 08:31 AM
Jump to solution

It's mentioned in the vSphere hardening guide: Security Hardening Guides - VMware Security


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
0 Kudos
lukebes1010
Enthusiast
Enthusiast
‎11-13-2019 11:40 AM
Jump to solution

Other than being a security best practice, other possible reason could also be found here - What Are Your SSH Security Risks? | Venafi

0 Kudos