
ESXi host protection

The first line of defence for an ESXi host is to patch it to the latest build as per the VMware Security Advisories. Patching takes time and resources, so in parallel restrict which users can reach the ESXi host management network, or place management on a separate network that is reachable only through a jump host. It is also good practice to set a strong password policy, limit host access to a few named users and put the host into Lockdown mode. Separately, it is highly recommended to keep the SSH and ESXi Shell services disabled: enable them only when required and stop them again once the work is done.

Here are some simple PowerCLI commands. They assume a session already connected to vCenter with Connect-VIServer; the Where-Object filter skips hosts that are not responding, which would otherwise make the pipeline error out.

Stop the SSH service:

Get-VMHost | Where-Object {$_.ConnectionState -ne "NotResponding"} | Get-VMHostService | Where-Object {$_.Key -eq "TSM-SSH"} | Stop-VMHostService -Confirm:$false

Stop the ESXi Shell service:

Get-VMHost | Where-Object {$_.ConnectionState -ne "NotResponding"} | Get-VMHostService | Where-Object {$_.Key -eq "TSM"} | Stop-VMHostService -Confirm:$false

Set the SSH startup policy to Off (start and stop manually), so the service does not come back on the next reboot. A policy of On would start the service together with the host, which defeats the point of stopping it. Note that -Confirm:$false belongs to Set-VMHostService inside the ForEach-Object block, not after it:

Get-VMHost | Where-Object {$_.ConnectionState -ne "NotResponding"} | ForEach-Object {Set-VMHostService -HostService ($_ | Get-VMHostService | Where-Object {$_.Key -eq "TSM-SSH"}) -Policy Off -Confirm:$false}

Set the ESXi Shell startup policy to Off in the same way:

Get-VMHost | Where-Object {$_.ConnectionState -ne "NotResponding"} | ForEach-Object {Set-VMHostService -HostService ($_ | Get-VMHostService | Where-Object {$_.Key -eq "TSM"}) -Policy Off -Confirm:$false}

To further reduce exposure, set session timeouts. Set-AdvancedSetting prompts for confirmation on every host unless -Confirm:$false is given, and the three UserVars settings below do different things, so they are labelled by what they actually control:

Set the idle timeout for interactive ESXi Shell and SSH sessions to 5 minutes (300 seconds); an idle session is logged out after this time:

Get-VMHost | Get-AdvancedSetting -Name 'UserVars.ESXiShellInteractiveTimeout' | Set-AdvancedSetting -Value 300 -Confirm:$false

Set the availability timeout for the ESXi Shell and SSH services to 5 minutes; this is the time you have to log in after enabling the service before it is automatically disabled again:

Get-VMHost | Get-AdvancedSetting -Name 'UserVars.ESXiShellTimeout' | Set-AdvancedSetting -Value 300 -Confirm:$false

Set the DCUI idle timeout to 5 minutes:

Get-VMHost | Get-AdvancedSetting -Name 'UserVars.DcuiTimeout' | Set-AdvancedSetting -Value 300 -Confirm:$false
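The commands above apply each setting in isolation, but in practice you want to know which hosts drift from the desired state and fix only those. The script below is an added example, not part of the original post: it audits every connected host against the service, startup-policy, timeout and Lockdown mode settings discussed here, and optionally remediates the service and timeout settings with -WhatIf support. It assumes the VMware.PowerCLI module and an existing Connect-VIServer session; the function names Test-EsxiHardening and Invoke-EsxiHardening, the 300-second values and the $Desired table are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes VMware.PowerCLI is loaded
# and Connect-VIServer has already been run against vCenter.

# Desired state for the settings the post covers (values are assumptions).
$Desired = @{
    'UserVars.ESXiShellInteractiveTimeout' = 300   # idle logout for shell/SSH sessions (seconds)
    'UserVars.ESXiShellTimeout'            = 300   # time to log in after enabling shell/SSH (seconds)
    'UserVars.DcuiTimeout'                 = 300   # idle logout for the DCUI (seconds)
}
$Services = @('TSM', 'TSM-SSH')   # ESXi Shell and SSH service keys

function Test-EsxiHardening {
    # Returns one object per host with a list of findings; empty list means compliant.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        if ($VMHost.ConnectionState -eq 'NotResponding') { return }
        $findings = @()
        foreach ($svc in ($VMHost | Get-VMHostService | Where-Object { $_.Key -in $Services })) {
            if ($svc.Running)          { $findings += "$($svc.Key) is running" }
            if ($svc.Policy -ne 'off') { $findings += "$($svc.Key) startup policy is '$($svc.Policy)' (expected 'off')" }
        }
        foreach ($name in $Desired.Keys) {
            $current = [int]($VMHost | Get-AdvancedSetting -Name $name).Value
            # 0 disables a timeout entirely, so treat it as a finding too.
            if ($current -eq 0 -or $current -gt $Desired[$name]) {
                $findings += "$name is $current (expected 1..$($Desired[$name]))"
            }
        }
        # HostConfigInfo.lockdownMode is lockdownDisabled / lockdownNormal / lockdownStrict.
        if ($VMHost.ExtensionData.Config.LockdownMode -eq 'lockdownDisabled') {
            $findings += 'Lockdown mode is disabled'
        }
        [pscustomobject]@{
            Host      = $VMHost.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

function Invoke-EsxiHardening {
    # Stops the shell/SSH services, sets their policy to Off and applies the timeouts.
    # Lockdown mode is deliberately only reported, not changed (see note below).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $VMHost)
    process {
        if ($VMHost.ConnectionState -eq 'NotResponding') { return }
        foreach ($svc in ($VMHost | Get-VMHostService | Where-Object { $_.Key -in $Services })) {
            if ($svc.Running -and $PSCmdlet.ShouldProcess($VMHost.Name, "Stop $($svc.Key)")) {
                $svc | Stop-VMHostService -Confirm:$false | Out-Null
            }
            if ($svc.Policy -ne 'off' -and $PSCmdlet.ShouldProcess($VMHost.Name, "Set $($svc.Key) policy to Off")) {
                Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
            }
        }
        foreach ($name in $Desired.Keys) {
            $setting = $VMHost | Get-AdvancedSetting -Name $name
            if ([int]$setting.Value -ne $Desired[$name] -and
                $PSCmdlet.ShouldProcess($VMHost.Name, "Set $name to $($Desired[$name])")) {
                $setting | Set-AdvancedSetting -Value $Desired[$name] -Confirm:$false | Out-Null
            }
        }
        $VMHost | Test-EsxiHardening   # re-audit so the caller sees the end state
    }
}

# Usage: audit first, dry-run the remediation, then apply it.
Get-VMHost | Test-EsxiHardening | Format-Table -AutoSize
Get-VMHost | Invoke-EsxiHardening -WhatIf
# Get-VMHost | Invoke-EsxiHardening | Where-Object { -not $_.Compliant }
```

Lockdown mode is reported but not switched on by the script on purpose: enabling it blocks direct host logins for everyone except the Exception Users list, so turning it on in a loop without first confirming vCenter connectivity and that list can lock you out of a host that later loses contact with vCenter. Enable it as a deliberate, per-host step after the audit shows everything else is in order.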

Validate the PowerCLI commands listed above in a test environment before implementing them in production.
