| title | excerpt | updated |
|---|---|---|
Manage and secure your ESXi dedicated server from the outset |
Discover the various ways you can effectively secure your ESXi dedicated server |
2024-09-13 |
Warning
The ESXi hypervisor is no longer supported by OVHcloud. Find more information on this dedicated page.
The purpose of this guide is to help you optimise security for your ESXi system.
In particular, this guide explains how to:
- Restrict access to your ESXi server to a specific IP address or network range.
- Disable services that increase your server's attack surface.
We will do this using the on-board features offered by VMware, as well as those offered by OVHcloud.
Warning
Recently, ESXi systems fell victim to a security flaw that malicious groups exploited very quickly across public networks.
You can find more information on this attack in an additional FAQ.
- Update your ESXi systems regularly.
- Restrict access to trusted IP addresses only.
- Disable unused ports and services.
- Ensure access to your servers or network equipment is limited, controlled and protected with strong passwords.
- Back up your critical data to protected, isolated external disks and backup servers.
Optional:
- Set up the necessary logging solutions to monitor events on your critical servers and network equipment.
- Set up security packs for malicious action detection, intrusion detection (IPS/NIDS) and network traffic bandwidth control.
- Access to the OVHcloud Control Panel{.external}
- A dedicated server with the ESXi solution deployed
- An offer compatible with our Network Firewall feature, if you would like to use it for filtering
Reminder of its definition and operating principle:
[!primary]
The ESXi system includes a security mechanism linked to the administrator account. This is because, in the event of several incorrect access attempts, the administrator account is temporarily locked. This mechanism helps protect your system from malicious connection attempts.
Warning
If this system triggers and you want to log into your ESXi immediately, you will need to manually unlock the administrator account.
To do this, you will need to reboot your ESXi server via the OVHcloud Control Panel.
You can view the access log history in the following files via SSH:
/var/run/log/vobd.logcontains the logs that can be used for monitoring and troubleshooting:
2023-02-13T16:22:22.897Z: [UserLevelCorrelator] 410535559us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 6 failed login attempts.
2023-02-13T16:22:22.897Z: [GenericCorrelator] 410535559us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 6 failed login attempts.
2023-02-13T16:22:22.897Z: [UserLevelCorrelator] 410535867us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 6 failed login attempts.
/var/run/log/hostd.logcontains ESXi host logs (tasks, access to the web interface, etc.):
2023-02-21T08:44:19.711Z error hostd[2101004] [Originator@6876 sub=Default opID=esxui-d48c-26a4] [module:pam_lsass]pam_do_authenticate: error [login:root][error code:2]
2023-02-21T08:44:19.711Z error hostd[2101004] [Originator@6876 sub=Default opID=esxui-d48c-26a4] [module:pam_lsass]pam_sm_authenticate: failed [error code:2]
2023-02-21T08:44:19.712Z warning hostd[2101004] [Originator@6876 sub=Default opID=esxui-d48c-26a4] Rejected password for user root from xxx.xxx.xxx.xxx
2023-02-21T08:44:19.712Z info hostd[2101004] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxui-d48c-26a4] Event 175 : Cannot login [email protected]
All this information is also available through the web administration interface. Click the Host{.action} menu and navigate to the Monitor{.action} section, and then click Logs{.action}.
{.thumbnail}
[!primary]
As a reminder, the Network Firewall is not taken into account within the OVHcloud network. As a result, the configured rules do not affect connections from this internal network.
You can enable and use our Network Firewall filtering solution. This solution will allow you to easily manage legitimate access, in addition to the access you have set up through your ESXi system.
It will also prevent you from unexpectedly locking your administrator account in the event of an attack.
It is recommended that you filter legitimate access in this way:
- Rule 1 (Priority 0) allows trusted external networks to access your ESXi system.
- Rule 2 (Priority 1) blocks everything else.
{.thumbnail}
[!primary]
You can also filter access to your ESXi system with the built-in firewall. You can also disable unnecessary services, depending on your usage.
Warning
We strongly advise disabling SSH and SLP services. If you still use the SSH service, restrict its use and access as much as possible. This also applies to shell access. Prioritise only what is strictly necessary for each of your needs.
Services
Click the Host{.action} menu and navigate to the Manage{.action} section, then click Services{.action}.
In the list, find the TSM-SSH service and right-click on the associated line.
Stop the service by clicking Stop{.action}:
{.thumbnail}
Select the Policy, then edit it as shown in the example.
Choose the Start and stop manually{.action} option to prevent the service from being active when the server starts.
{.thumbnail}
Apply the same settings for the slpd service:
{.thumbnail}
Firewall rules
Click the Networking{.action} menu, then Firewall rules{.action}, and choose Edit settings{.action} for each service you want to protect:
{.thumbnail}
Edit the rule to add only IP addresses or networks that need access to your ESXi system.
Example that only allows connections from IP 192.168.1.10:
{.thumbnail}
Services
Disable unnecessary services:
- SLP Service
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off- SSH Service
/etc/init.d/SSH stop
esxcli network firewall ruleset set -r sshServer -e 0
chkconfig SSH offCheck all active services at startup:
chkconfig --list | grep onFirewall rules
View existing firewall rules:
esxcli network firewall ruleset list
esxcli system account listExplanations for changing/adapting access rules:
- The
vSphereClientservice: This service corresponds to the web administration interface on port 443 (HTTPS).- The
sshServerservice: This service corresponds to SSH access on port 22.
Example with the vSphereClient service:
esxcli network firewall ruleset list --ruleset-id vSphereClientEnsure that the firewall rule is active:
esxcli network firewall ruleset set --ruleset-id vSphereClient --enabled trueDisplay the list of authorised IPs for this rule:
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClientResult:
Ruleset Allowed IP Addresses
------------- --------------------
vSphereClient All
Change the status of the tag by disabling it:
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all falseAuthorise only the legitimate IP address 192.168.1.10:
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 192.168.1.10Check the access list for the address:
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClientResult:
Ruleset Allowed IP Addresses
------------- --------------------
vSphereClient 192.168.1.10
If you still want to use the SSH service, we will explain here how to set up SSH key access.
Generate the keys on the machine that needs to connect to the ESXi server. The 521-bit ECDSA algorithm should be used for maximum security:
Warning
Authentication works with a key pair: one public and one private. Do not share your private key, it must remain on the machine where it was generated.
Run the following command:
ssh-keygen -t ecdsa -b 521 -C "key-ecdsa-esxi-host" -f /path-to-my-key/key-ecdsaGenerating public/private ecdsa key pair.
Enter file in which to save the key (/path-to-my-key/key-ecdsa_rsa):
Enter a strong password:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Only the public key (key-ecdsa.pub) must be sent or stored on the machines you want to connect to.
Your identification has been saved in /path-to-my-key/key-ecdsa.
Your public key has been saved in /path-to-my-key/key-ecdsa.pub.
The key fingerprint is:
SHA256:******************************************* key-ecdsa-esxi-host
Transfer the public key to your ESXi host so that it can be declared as trusted:
cat /path-to-my-key/key-ecdsa.pub | ssh root@esxi-host-ip 'cat >> /etc/ssh/keys-root/authorized_keys'You can find even more details on security best practices in this VMware suggested guide.
Join our community of users.