captaindl
Contributor
Contributor

Why do VMWare trainers strongly advise against leaving SSH enabled?

Jump to solution

A few of my colleagues have been on VMWare ESXi training in the last few years and one of the things they brought back is that we should disable SSH.  While the trainers seem to be fairly clear on this as a policy none of my colleagues thought to ask why as it's not something that we have needed to use, until now.

As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to to attack.

Thanks,

Sam

0 Kudos
1 Solution

Accepted Solutions
daphnissov
Immortal
Immortal

As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to to attack.

Yes, it's a matter of this. SSH is usually only something that needs to be enabled when performing manual troubleshooting work. So it's a best practice to leave it disabled until you actually need to use it.

View solution in original post

0 Kudos
6 Replies
daphnissov
Immortal
Immortal

As such, my question is, are there any real security concerns regarding allowing SSH access (over and above the other forms of access) or is it just a matter of if we are not using it then we shouldn't leave an extra surface to to attack.

Yes, it's a matter of this. SSH is usually only something that needs to be enabled when performing manual troubleshooting work. So it's a best practice to leave it disabled until you actually need to use it.

View solution in original post

0 Kudos
jcv365
Contributor
Contributor

You can allow certain ip addresses to connect to the ESXi hosts. THis will give you both the ability to ability to maintain, troubleshoot, and remediate issues as well as from security point of view only administrators or support staff will be allowed to access it via SSH.

0 Kudos
captaindl
Contributor
Contributor

Thanks, I had a feeling it was just a reduction in attack surface as opposed to a problem with SSH itself but needed to be sure before I suggested opening it up on a few hundred servers.

0 Kudos
captaindl
Contributor
Contributor

Thanks, that's a really good idea and was something I was going to look into next.

0 Kudos
scott28tt
VMware Employee
VMware Employee
0 Kudos
lukebes1010
Enthusiast
Enthusiast

Other than being a security best practice, other possible reason could also be found here - What Are Your SSH Security Risks? | Venafi

0 Kudos