A few of my colleagues have been on VMware ESXi training in the last few years, and one of the things they brought back is that we should disable SSH. While the trainers seem to be fairly clear on this as a policy, none of my colleagues thought to ask why, as it's not something that we have needed to use, until now.
As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to attack.
Thanks,
Sam
As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to attack.
Yes, it's a matter of this. SSH is usually only something that needs to be enabled when performing manual troubleshooting work. So it's a best practice to leave it disabled until you actually need to use it.
You can allow certain IP addresses to connect to the ESXi hosts. This will give you the ability to maintain, troubleshoot, and remediate issues, and from a security point of view only administrators or support staff will be allowed to access it via SSH.
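The allow-list approach suggested above, as an added example that is not part of the original thread: a POSIX sh script for the ESXi shell that limits the `sshServer` firewall ruleset to named sources with `esxcli network firewall ruleset`. The function names are hypothetical, the addresses are constructed documentation ranges, and it assumes you review the default dry-run output before setting `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: limit the ESXi sshServer firewall ruleset to named sources.
# DRY_RUN=1 (default) prints the esxcli commands; DRY_RUN=0 applies them.
RULESET="sshServer"

# Accept a.b.c.d or a.b.c.d/nn (octets 0-255, prefix 0-32).
valid_source() {
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "esxcli $*"; else esxcli "$@"; fi
}

restrict_ssh() {
    # Validate every source first so a typo cannot leave the ruleset with
    # allowed-all switched off and only part of the list added.
    [ $# -gt 0 ] || { echo "no sources given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    run network firewall ruleset set --ruleset-id "$RULESET" --allowed-all false || return 1
    for src in "$@"; do
        run network firewall ruleset allowedip add --ruleset-id "$RULESET" --ip-address "$src" || return 1
    done
    run network firewall ruleset allowedip list --ruleset-id "$RULESET"
}

# Constructed sample: one admin workstation and one support subnet.
restrict_ssh 192.0.2.10 198.51.100.0/24
```

Run it from a session that comes from one of the listed sources, or from the host console, so that applying the change does not cut off the connection you are using.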
Thanks, I had a feeling it was just a reduction in attack surface as opposed to a problem with SSH itself but needed to be sure before I suggested opening it up on a few hundred servers.
Thanks, that's a really good idea and was something I was going to look into next.
It's mentioned in the vSphere hardening guide: Security Hardening Guides - VMware Security
Other than being a security best practice, another possible reason could also be found here - What Are Your SSH Security Risks? | Venafi