---
tags: ccdc
---
# Securing vCenter vSphere
> Note: Everything is strategically orchestrated in this document. Do not skip lines or start later portions first.
## Can be completed via Console or SSH
### Accessing Console
Disable SSH (if not needed) under `Troubleshooting Mode Options`
Use `ALT + F1` to switch to the vCenter shell and sign in as root.
>Note: `ALT + F2` can be used to switch back to the management console.
### vSphere Default Open Ports
```bash
root@kali:~# nmap 192.168.5.10 -p- --open
```
```text
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-25 23:29 AKDT
Nmap scan report for 192.168.5.10
Host is up (0.084s latency).
Not shown: 65508 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
514/tcp  open  shell
636/tcp  open  ldapssl
1514/tcp open  fujitsu-dtcns
2012/tcp open  ttyinfo
2014/tcp open  troff
2015/tcp open  cypress
2020/tcp open  xinupageserver
5480/tcp open  unknown
5580/tcp open  tmosms0
7444/tcp open  unknown
8084/tcp open  unknown
9084/tcp open  aurora
9443/tcp open  tungsten-https
```
#### Firewall Configuration
```sh
# Drop all IPv6 and reset IPv4 rules
# (policy syntax is `-P <chain> <target>`)
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Inbound Restrictions
# Define source addresses and destination ports as needed.
# Only the vSphere web client (443/tcp) from the management subnet is opened here;
# add 5480/tcp (appliance management UI) or 22/tcp (SSH) only if they are actually required.
iptables -A INPUT -s 10.69.69.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Keep replies to existing connections (and the current SSH session) alive once the policy flips to DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping in and the matching echo reply out
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
# Log (rate-limited) and drop everything that did not match above
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables-dropped: " --log-level 4
iptables -A LOGGING -j DROP
# Verify the resulting ruleset
iptables -L -n -v
```
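To confirm the ruleset above actually landed as intended (DROP policy, nothing accepted beyond the allow list), here is an added audit helper that is not part of the original note. It assumes rule text in `iptables -S INPUT` format and allow-list entries written as `proto/port` (`tcp/443`) or `icmp/type` (`icmp/8`); the sample rules are constructed to mirror the script above.

```sh
#!/bin/sh
# Constructed sample mirroring the ruleset above (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 10.69.69.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOGGING'

# Print every ACCEPT rule not covered by the allow list.
# Loopback and reply-only (ESTABLISHED/RELATED without NEW) rules are skipped.
unexpected_accepts() {
  rules="$1"; allowed=" $2 "
  printf '%s\n' "$rules" | grep -- '-j ACCEPT' | while IFS= read -r rule; do
    case "$rule" in *'-i lo '*) continue ;; esac
    case "$rule" in
      *'--state '*) case "$rule" in *NEW*) ;; *) continue ;; esac ;;
    esac
    proto=$(printf '%s\n' "$rule" | sed -n 's/.* -p \([a-z]*\).*/\1/p')
    num=$(printf '%s\n' "$rule" | sed -n -e 's/.*--dport \([0-9]*\).*/\1/p' \
                                         -e 's/.*--icmp-type \([0-9]*\).*/\1/p')
    # A rule with no protocol or no port/type is wide open: always report it.
    if [ -z "$proto" ] || [ -z "$num" ]; then printf '%s\n' "$rule"; continue; fi
    case "$allowed" in
      *" $proto/$num "*) ;;              # explicitly allowed
      *) printf '%s\n' "$rule" ;;        # anything else is a finding
    esac
  done
}

# Return 0 only if the INPUT policy is DROP and no unexpected ACCEPT rule exists.
audit_input_chain() {
  rules="$1"; rc=0
  case "$rules" in
    *'-P INPUT DROP'*) ;;
    *) echo "FAIL: INPUT policy is not DROP"; rc=1 ;;
  esac
  bad=$(unexpected_accepts "$rules" "$2")
  if [ -n "$bad" ]; then
    echo "FAIL: ACCEPT rules outside the allow list:"
    printf '%s\n' "$bad"
    rc=1
  fi
  return "$rc"
}

# On the appliance itself: audit_input_chain "$(iptables -S INPUT)" "tcp/443 icmp/8"
audit_input_chain "$SAMPLE_RULES" "tcp/443 icmp/8" && echo "OK: INPUT chain matches allow list"
```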