Hi All ...
In the fifteenth part of our series, we'll go through vSphere Security. We'll learn how to protect ESXi hosts, how to prevent malicious access to ESXi hosts and vCenter Server, and how to control the ESXi host firewall.
Credits:
- Kyle Gleed
Now, Let's Start...
1. vSphere Hardening Guide:
Thanks to Mike Foley, this is an awesome guide to securing every aspect and component of your vSphere infrastructure. There is a version for every release starting with vSphere 4.0, all officially released by VMware.
http://www.vmware.com/security/hardening-guides.html
2. Creating New Firewall Policy Using .xml File:
To add a custom rule to the ESXi firewall, you have to add a .xml file under (/etc/vmware/firewall) and put the required rule in this file using an SSH client, following this guide:
1-) Browse to (/etc/vmware/firewall).
2-) Copy fdm.xml to a new file using: (cp fdm.xml fdm_new.xml).
3-) Edit fdm_new.xml using: (vi fdm_new.xml).
4-) Make the required modifications and make sure the file follows this format (the parts starting with ## are comments and must be removed):
<ConfigRoot>
  <service>
    <id>Rule_Name</id>                 ## Name of the rule set (service).
    <rule id='0000'>                   ## Each rule in the set gets its own 4-digit id.
      <direction>inbound</direction>   ## Connection direction: inbound or outbound.
      <protocol>udp</protocol>         ## Protocol: tcp or udp.
      <porttype>dst</porttype>         ## dst = destination port(s), src = source port(s).
      <port>                           ## Port range; for a single port use <port>653</port> instead.
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
    <enabled>true</enabled>            ## Whether the rule set is active.
    <required>false</required>         ## false allows the rule set to be disabled later.
  </service>
</ConfigRoot>
5-) Save the file and quit vi.
6-) Refresh the firewall rule sets so that the new rule set is loaded, using: (esxcli network firewall refresh).
7-) List all firewall rule sets to confirm that the new rule set is present, using: (esxcli network firewall ruleset list).
Finally, the following VMware KB article summarizes it clearly:
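The procedure above edits the rule-set file by hand. The following is an added example (not from the original post or from VMware) that generates the same <ConfigRoot>/<service> layout from a short description and checks an existing file for the mistakes that would make a rule set invalid: a bad direction, protocol or porttype value, a port outside 0-65535, a range with begin greater than end, or duplicate rule ids. The service name "myservice" and the ports in it are constructed; a generated file still has to be copied to /etc/vmware/firewall/ on the host and loaded with the refresh and list commands from steps 6 and 7.

```python
"""Generate and sanity-check an ESXi firewall rule-set (.xml) file.

Added example, not from the original post.  It produces the
<ConfigRoot>/<service> layout shown above; the service name and ports
used in main() are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from xml.dom import minidom

# Allowed values for the three enumerated rule elements.
VALID = {"direction": {"inbound", "outbound"},
         "protocol": {"tcp", "udp"},
         "porttype": {"src", "dst"}}


def build_ruleset_xml(service_id, rules, enabled=True, required=False):
    """Return the file text for one service (rule set).

    Each rule is a dict with direction, protocol, porttype and either a
    single 'port' or a 'begin'/'end' range.  Rule ids are assigned as
    zero-padded 4-digit strings, the format ESXi's own files use.
    """
    root = ET.Element("ConfigRoot")
    service = ET.SubElement(root, "service")
    ET.SubElement(service, "id").text = service_id
    for n, rule in enumerate(rules):
        r = ET.SubElement(service, "rule", id="%04d" % n)
        for key in ("direction", "protocol", "porttype"):
            ET.SubElement(r, key).text = rule[key]
        port = ET.SubElement(r, "port")
        if "port" in rule:
            port.text = str(rule["port"])          # <port>653</port>
        else:                                      # <port><begin/><end/></port>
            ET.SubElement(port, "begin").text = str(rule["begin"])
            ET.SubElement(port, "end").text = str(rule["end"])
    ET.SubElement(service, "enabled").text = "true" if enabled else "false"
    ET.SubElement(service, "required").text = "true" if required else "false"
    raw = ET.tostring(root, encoding="unicode")
    return minidom.parseString(raw).toprettyxml(indent="  ")


def _port_ok(text):
    """True if text is an integer in the valid port range."""
    return text is not None and text.strip().isdigit() and 0 <= int(text) <= 65535


def validate_ruleset(xml_text):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "ConfigRoot":
        problems.append("root element is %s, expected ConfigRoot" % root.tag)
    for service in root.iter("service"):
        name = (service.findtext("id") or "").strip()
        if not name:
            problems.append("service without <id>")
        for flag in ("enabled", "required"):
            if (service.findtext(flag) or "").strip() not in ("true", "false"):
                problems.append("%s: <%s> must be true or false" % (name, flag))
        seen = set()
        for rule in service.findall("rule"):
            rid = rule.get("id")
            if rid in seen:
                problems.append("%s: duplicate rule id %s" % (name, rid))
            seen.add(rid)
            for key, allowed in VALID.items():
                value = (rule.findtext(key) or "").strip()
                if value not in allowed:
                    problems.append("%s rule %s: bad <%s> %r" % (name, rid, key, value))
            port = rule.find("port")
            if port is None:
                problems.append("%s rule %s: missing <port>" % (name, rid))
                continue
            begin, end = port.findtext("begin"), port.findtext("end")
            if begin is None and end is None:      # single-port form
                if not _port_ok(port.text):
                    problems.append("%s rule %s: bad port %r" % (name, rid, port.text))
            elif not (_port_ok(begin) and _port_ok(end) and int(begin) <= int(end)):
                problems.append("%s rule %s: bad range %r-%r" % (name, rid, begin, end))
    return problems


if __name__ == "__main__":
    # Constructed sample: inbound TCP 653 and any outbound UDP source port.
    text = build_ruleset_xml("myservice", [
        {"direction": "inbound", "protocol": "tcp", "porttype": "dst", "port": 653},
        {"direction": "outbound", "protocol": "udp", "porttype": "src",
         "begin": 0, "end": 65535},
    ])
    print(text)
    print("problems:", validate_ruleset(text))
```

Running validate_ruleset over the files already in /etc/vmware/firewall/ is a cheap way to spot a hand-edited rule set that the host would reject or that opens a wider port range than intended.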
3. Firewall Troubleshooting Using SSH:
The following VMware KB article summarizes all the SSH commands required for any operation on the ESXi firewall, with a nice description and the correct syntax for troubleshooting:
Although it is stated to be for vSphere 5.0/5.1 only, I think it also applies to vSphere 5.5 (confirmation needed).
4. Lockdown Mode:
Lockdown Mode is a security feature that forces all operations to go through vCenter Server. In Lockdown Mode there is no SSH, no VMware CLI (through a vMA connection or another server) and no local Shell through the DCUI, and no management tools or 3rd-party automation software can connect to the host directly.
For more information, you can check the following official article by VMware:
Keep in mind that if you enable or disable lockdown mode using the DCUI, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere (Web) Client connected to vCenter Server.
5. SSH Timeouts:
Troubleshooting and advanced management of a vSphere environment is done through either the local Shell command line or remote SSH. (Secure) Shell sessions can be controlled and secured using Shell timeouts.
They are enabled from (Configuration -> Software Settings -> Advanced Settings -> UserVars).
ESXi Shell Timeout (ESXiShellTimeout): idle time before the (Secure) Shell service is stopped; sessions already open on the ESXi host are not terminated.
ESXi Shell Interactive Timeout (ESXiShellInteractiveTimeout): idle time before an interactive (Secure) Shell session with the ESXi host is terminated; only the session is closed, the service keeps running.
The following VMware blog post by Kyle Gleed describes it more clearly:
https://blogs.vmware.com/vsphere/2012/09/vsphere-5-1-new-esxishellinteractivetimeout.html
6. ESXi 5.x Local Users & Password Locations:
Local users and their respective passwords are stored locally on ESXi 5.x hosts in the following locations:
Local users file: /etc/passwd
Password hashes file: /etc/shadow
7. Editing Password Complexity Requirements on ESXi 5.x:
ESXi 5.x hosts require local passwords to meet a certain complexity level. This is controlled by the password quality-control Pluggable Authentication Module (pam_passwdqc). For more information about pam_passwdqc, check the following article:
http://linux.die.net/man/8/pam_passwdqc
For changing the complexity requirements needed for setting local passwords, check the following KB article:
Keep in mind that some of the parameters mentioned in the first article may not work on ESXi 5.x hosts.
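pam_passwdqc expresses the complexity requirement as min=N0,N1,N2,N3,N4: one minimum length per number of character classes (digits, lowercase, uppercase, other) in the password, with the keyword disabled forbidding that kind of password entirely. The following added example (not from the original post, from VMware or from passwdqc itself) models that rule so you can test what a candidate policy string would accept before putting it on a host. It mirrors passwdqc's class counting, including the detail that an uppercase first character and a digit last character do not count as extra classes; the passphrase rule (N2, word-based), the monotonic-sequence check and the dictionary/similarity checks are left out. The policy strings in main() are constructed for illustration, not the host's defaults.

```python
"""Model the pam_passwdqc min=N0,N1,N2,N3,N4 rule used for local passwords.

Added example, not from the original post or from passwdqc.  Only the
per-class length rule is modelled; the passphrase, monotonic-sequence
and dictionary checks of the real module are not.  Policy strings in
main() are constructed for illustration.
"""


def parse_min(spec):
    """Parse 'N0,N1,N2,N3,N4' into five values; 'disabled' becomes None."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five values")
    mins = [None if p == "disabled" else int(p) for p in parts]
    # passwdqc requires each value to be no larger than the preceding one
    # (more character classes may never demand a longer password).
    prev = float("inf")
    for m in mins:
        cur = float("inf") if m is None else m
        if cur > prev:
            raise ValueError("min= values must be non-increasing")
        prev = cur
    return mins


def policy_is_valid(spec):
    """True if spec parses under the rules above."""
    try:
        parse_min(spec)
        return True
    except ValueError:
        return False


def count_classes(password):
    """Count digit/lower/upper/other classes the way passwdqc does."""
    digits = lowers = uppers = others = 0
    for ch in password:
        if ch.isdigit():
            digits += 1
        elif ch.islower():
            lowers += 1
        elif ch.isupper():
            uppers += 1
        else:
            others += 1
    # A capitalised first letter or a trailing digit is a common pattern,
    # so passwdqc does not credit it as an extra character class.
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def check_length_policy(password, mins):
    """Return (ok, reason) for the class-based length rule of min=."""
    if not password:
        return False, "empty password"
    classes = count_classes(password)
    if classes == 0:
        return False, "no character class counts (only a leading capital or trailing digit)"
    # one class -> N0, two -> N1, three -> N3, four -> N4 (N2 is for passphrases)
    required = mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if required is None:
        return False, "passwords with %d character class(es) are disabled" % classes
    if len(password) < required:
        return False, "%d class(es) need at least %d characters" % (classes, required)
    return True, "ok"


if __name__ == "__main__":
    # Constructed policies: a lenient one and one that only accepts 3+ classes.
    for spec in ("8,8,8,7,6", "disabled,disabled,disabled,7,7"):
        mins = parse_min(spec)
        print("policy", spec)
        for pw in ("password", "Password1", "Pass1", "xY#7", "p@sSw0rd"):
            print("  %-10s -> %s" % (pw, check_length_policy(pw, mins)))
```

The "Password1" case is the instructive one: it looks like three classes but passwdqc counts only one, so under min=8,8,8,7,6 it passes purely on length, and under a policy that disables one- and two-class passwords it is rejected outright.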
8. SSL Timeouts:
SSL timeouts limit the SSL handshake process to prevent attacks. (needs clarification for any use case)
Edited with the vi tool through SSH. Path: /etc/vmware/hostd/config.xml
Read Timeout: idle time allowed after the SSL handshake has completed and the connection is established on port 443.
Handshake Timeout: idle time allowed before the SSL handshake completes, i.e. how long a delayed handshake is tolerated before the SSL connection is refused.
You have to add these lines at the correct location. This example shows how to add both settings with a value of 20000 ms (20 seconds):
<vmacore>
  ...
  <http>
    <readTimeoutMs>20000</readTimeoutMs>
  </http>
  ...
  <ssl>
    ...
    <handshakeTimeoutMs>20000</handshakeTimeoutMs>
    ...
  </ssl>
</vmacore>
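Placing those two elements by hand inside a large config.xml is where mistakes happen (a second <http> block, or the element landing outside <vmacore>). The following added example (not from the original post or from VMware) inserts or updates vmacore/http/readTimeoutMs and vmacore/ssl/handshakeTimeoutMs in place with a proper XML parser, leaves every other element untouched, and reads the current values back so the setting can be audited. SAMPLE_CONFIG is a constructed, minimal stand-in for the host's real config.xml; the element names are the ones shown above, and the <config> root and the placeholder child elements are assumptions.

```python
"""Set and audit hostd's SSL timeouts in /etc/vmware/hostd/config.xml.

Added example, not from the original post.  SAMPLE_CONFIG is a
constructed minimal stand-in for the real file; only the <vmacore>
subtree is relevant.  Back the real file up before writing to it.
"""
import shutil
import xml.etree.ElementTree as ET

# Constructed sample: neither timeout is set yet, and there are unrelated
# elements that must survive the edit untouched.
SAMPLE_CONFIG = """<config>
  <vmacore>
    <http>
      <placeholderSetting>keep-me</placeholderSetting>
    </http>
    <ssl>
      <anotherPlaceholder>keep-me-too</anotherPlaceholder>
    </ssl>
  </vmacore>
</config>
"""


def _ensure(parent, tag):
    """Return the child element <tag>, creating it if absent."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def set_ssl_timeouts(xml_text, read_ms=20000, handshake_ms=20000):
    """Return xml_text with both timeouts set (created or updated in place)."""
    for value in (read_ms, handshake_ms):
        if not isinstance(value, int) or value <= 0:
            raise ValueError("timeouts must be positive integers (milliseconds)")
    root = ET.fromstring(xml_text)
    vmacore = _ensure(root, "vmacore")
    _ensure(_ensure(vmacore, "http"), "readTimeoutMs").text = str(read_ms)
    _ensure(_ensure(vmacore, "ssl"), "handshakeTimeoutMs").text = str(handshake_ms)
    return ET.tostring(root, encoding="unicode")


def get_ssl_timeouts(xml_text):
    """Return {'readTimeoutMs': int|None, 'handshakeTimeoutMs': int|None}."""
    root = ET.fromstring(xml_text)

    def value(path):
        text = root.findtext(path)
        return int(text.strip()) if text and text.strip().isdigit() else None

    return {"readTimeoutMs": value("vmacore/http/readTimeoutMs"),
            "handshakeTimeoutMs": value("vmacore/ssl/handshakeTimeoutMs")}


def update_config_file(path, read_ms=20000, handshake_ms=20000):
    """Rewrite the file at path after saving a .bak copy beside it."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = set_ssl_timeouts(fh.read(), read_ms, handshake_ms)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return get_ssl_timeouts(updated)


if __name__ == "__main__":
    print("before:", get_ssl_timeouts(SAMPLE_CONFIG))
    after = set_ssl_timeouts(SAMPLE_CONFIG, 20000, 20000)
    print("after: ", get_ssl_timeouts(after))
    print(after)
```

hostd reads config.xml when it starts, so the new values take effect only after the hostd service is restarted; get_ssl_timeouts run against the live file is the check to confirm the edit actually landed where hostd will read it.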
For more information, check the following article from VMware:
Share the Knowledge ...
Previous: vSphere 5.x Notes & Tips - Part XIV: