---
tags: ccdc
---
# Securing VMware ESXi Host
> Note: Everything is strategically orchestrated in this document. Do not skip lines or start later portions first.
# Locking Down ESXi - Rayce B. Toms
## Requires SSH if Physical Console is not Accessible
### In the GUI, enable ssh and limit access to your VPN IP
> Recommended: Also limit the `vSphereClient` service to your VPN network
`https://10.60.60.3/ui/#/host/networking/firewall`
> Note:
> Under Monitoring, make sure your VPN IP is the same IP as when executing `ip a`
> https://10.60.60.3/ui/#/host/monitor
### Steps after SSH-ing into the ESXi Server:
#### Print Current Firewall Configuration
```sh
esxcli network firewall get
esxcli network firewall ruleset allowedip list
```
#### Load/Enable firewall and set default deny configuration
```sh
esxcli network firewall load
esxcli network firewall set --default-action false
esxcli network firewall set --enabled true
```
#### Block all unnecessary services via script (written in vi)
/tmp/fw.sh (avoid typos at all costs!):
```shell=
# Keep only the rulesets we still need; NR > 2 skips the two header lines of the esxcli table
services=$(esxcli network firewall ruleset list | awk 'NR > 2 {print $1}' | grep -vE "(sshServer|vSphereClient|syslog|dns)")
for service in $services; do
  # Disable the ruleset and clear allowed-all so it stays closed if it is ever re-enabled
  esxcli network firewall ruleset set --ruleset-id "$service" --enabled false
  esxcli network firewall ruleset set --ruleset-id "$service" --allowed-all false
done
```
Run script:
```sh
sh /tmp/fw.sh
```
#### Set allowed addresses for management
Web Interface
> The first command drops all HTTPS connections until the second one adds your network, so run both
```sh
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address <LOCAL VPN NETWORK>
```
syslog Client
```sh
esxcli network firewall ruleset allowedip add --ruleset-id syslog --ip-address 10.120.0.201
```
dns Client (may not be needed)
```sh
esxcli network firewall ruleset allowedip add --ruleset-id dns --ip-address <ESXi DNS SERVER>
```
sshServer Service
> Not needed if you limited access to your IP earlier
> The first command drops all ssh connections until the second one adds your client, so run both
```sh
esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address <SECURE SSH CLIENT>
```
#### Print and Verify Current Firewall Configuration
```sh
esxcli network firewall get
esxcli network firewall ruleset list
esxcli network firewall ruleset allowedip list
```
> **Note: Make Sure syslog is set to true and the IP is 10.120.0.201**
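To turn the two list commands above into a pass/fail check, here is an added POSIX sh helper (not part of the original runbook) that parses captured output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` and flags any enabled ruleset outside the four kept by `/tmp/fw.sh`, or any enabled ruleset still accepting `All` addresses. The sample outputs are constructed; `10.60.60.0/24` stands in for the VPN network.

```shell
#!/bin/sh
# Added check (not part of the original runbook): parse captured output of
# "esxcli network firewall ruleset list" and "... ruleset allowedip list" and
# flag any enabled ruleset outside the four kept by /tmp/fw.sh, or any enabled
# ruleset that still accepts "All" addresses (allowed-all was never set to false).
ALLOWED_RULESETS="sshServer vSphereClient syslog dns"

# Constructed sample output of: esxcli network firewall ruleset list
RULESET_LIST='Name           Enabled
-------------  -------
sshServer         true
sshClient        false
vSphereClient     true
syslog            true
dns               true
snmp              true'

# Constructed sample output of: esxcli network firewall ruleset allowedip list
# (10.60.60.0/24 is an assumed VPN network; 10.120.0.201 is the syslog host)
ALLOWEDIP_LIST='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      10.60.60.0/24
sshClient      All
vSphereClient  10.60.60.0/24
syslog         10.120.0.201
dns            All
snmp           All'

# check_firewall RULESET_LIST_OUTPUT ALLOWEDIP_LIST_OUTPUT
# Prints one line per deviation; the return code is the number of deviations.
check_firewall() {
    findings=0
    # Skip the two esxcli header lines, keep rulesets whose Enabled column is true.
    enabled=$(printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }')
    for rs in $enabled; do
        case " $ALLOWED_RULESETS " in
            *" $rs "*) ;;
            *) echo "UNEXPECTED: ruleset $rs is enabled"; findings=$((findings + 1)) ;;
        esac
        # An enabled ruleset whose allowed list is still "All" is reachable from anywhere.
        if printf '%s\n' "$2" | awk -v r="$rs" 'NR > 2 && $1 == r && $2 == "All" { f = 1 } END { exit !f }'; then
            echo "OPEN: ruleset $rs accepts connections from any address"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

rc=0; check_firewall "$RULESET_LIST" "$ALLOWEDIP_LIST" || rc=$?
echo "deviations found: $rc"
```

On a live host, feed it the real output with `check_firewall "$(esxcli network firewall ruleset list)" "$(esxcli network firewall ruleset allowedip list)"` and expect a zero return code.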
#### Show current connections (ESXi's version of netstat/ss)
```sh
esxcli network ip connection list
```
#### Disable IPv6 (Requires reboot)
```sh
esxcli network ip set --ipv6-enabled=false
```
> **Note: At this point, you should change user passwords**
#### Delete or disable extra users
List users:
```sh
esxcli system account list
```
List users and their permissions:
```sh
esxcli system permission list
```
Delete users:
```sh
esxcli system account remove -i "<user>"
```
Disable users:
```sh
esxcli system permission unset -i "<user>"
```
#### Expire Web Session after Resetting Password(s)
```shell
/etc/init.d/hostd restart
/etc/init.d/vpxa restart
```
### Other stuff
#### Remove all current ssh connections (May kill ssh server)
```sh
lsof | grep :22 | grep sshd | awk '{print $1}' | xargs kill -9
```
#### Reset Firewall Configuration to default script
```shell=
# Re-enable the stock set of rulesets; the grep also drops the two esxcli header lines
services=$(esxcli network firewall ruleset list | awk '{print $1}' | grep -E "(sshServer|dhcp|dns|snmp|CIMHttpServer|CIMHttpsServer|CIMSLP|vpxHeartbeats|updateManager|faultTolerance|webAccess|vMotion|vSphereClient|NFC|HBR|DHCPv6|DVSSync|WOL|rabbitmqproxy|iofiltervp)")
for service in $services; do
  esxcli network firewall ruleset set --ruleset-id "$service" --enabled true
done
# Restore allowed-all on every ruleset; NR > 2 skips the header lines
services=$(esxcli network firewall ruleset list | awk 'NR > 2 {print $1}')
for service in $services; do
  esxcli network firewall ruleset set --ruleset-id "$service" --allowed-all true
done
```