Home / server / Questions / 309942
Accepted
c33s
Asked: 2011-09-10 17:14:47 +0800 CST

how to secure an vmware esxi host on a root server?

  • 772

for me, a vmware machine normally has 2 lan interfaces, one connected with the lan or the management computer and the 2nd one connected with the wan interface for public access.

so security is ensured by having a firewall in front of the "public network card" of vmware and only making it possible to access the managment interface over the "private network card".

but how do i ensure security, if i install vmware esxi 5.0 on normal dedicated root server with multiple public ips, without a firewall in front of the server, without any (for me accessable) routing before the server, without multiple network interfaces?

i found the article about the firewall: http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-and-vsphere-articles/networking/understanding-vmware-esx-server-security-profiles.html

but on which ip is the port open? is it bound to all public ips? can i bind the management interface to a specific ip? how to bind one ip to the management interface and the rest to one or more virtual machines?

i thought about making a vlan inside esxi and let building up a vpn over a routing vm, and making the managment console only accessable with an ip from the vpn but i tastes a little bit after how to lock myself out.

any hints?

edit: root server like: server4you.com/root-server a single server where vmware is installed, "directly" connected to the internet -> directly attackable, not in a well secured lan

edit2: keep in mind, that people who don't have english as their first language, maybe define things, like "root server" different than you. please comment on the question and write something about how making the question more clear for you.

maybe this phraseing is better: how to make a vmware esxi 5.0 server secure, which has only one network card and is directly connected to the internet?

i have no experience with securing esxi connected like that to net, if i run a virtualization like kvm or vserver it is rather easy, just securing the host server with a iptables firewall and also handle the routing there.

i havn't found a good info about my problem googleing for it, its quite a special problem, companies how do virtualization have a whole cluster of vmware servers and often not only one firewall in front of them.

so they simple don't have to secure a single vmware esxi host without an extra firewall and only a single network interface. others maybe don't virtualize or do not care about security.

so i ask the downvoters, is this question so bad?

firewall routing security vmware-esxi

1 Answers

  1. Best Answer

    so c33s, i've got a answer for you after researching this topic myself :-)

    i'll state 4 steps for ESXi 4 (should work on 5 as well). on ESXi 5 VMware included a packet filter (you should find many on this topic on google).

    let's get started: first you need SSH access to your ESXi. here are the 4 steps to improve the situation on a root server a bit:

    1) remove ESXi welcome screen: a request to https://your-esxi/ shows a page telling you how to get started with ESXi. Nobody needs to now this exept you. So read it and after that rename the file:

    mv /usr/lib/vmware/hostd/docroot/index.html /usr/lib/vmware/hostd/docroot/index.html.bak

    2) allow only auth_key login on ssh generate an SSH auth_key for your admin machine (i call it "YOUR-SSH-RSA" further in text). check your setup by running this code on your ESXi

    mkdir /.ssh
chmod 0600 -R /.ssh
echo "YOUR-SSH-RSA" >> /.ssh/authorized_keys

    Check if logging in works. If so, you can put these lines into rc.local using

    vi /etc/rc.local

    This is needed because ESXi forgets about this after a reboot. To disable password login do the following:

    vi /etc/inetd.conf

    Add parameter -s to following lines:

    ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60
ssh stream tcp6 nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60

    Should look like this afterwards:

    ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -s -i -K60
ssh stream tcp6 nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -s -i -K60

    reboot (or atleast restarting inetd) is needed to take effect.

    3) Change SSH default port

    vi /etc/services

    search for

    ssh             22/tcp                         # SSH Remote Login Protocol
ssh             22/udp                         # SSH Remote Login Protocol

    change the port 22 to what ever you like. look out for conflicts with other ports!

    reboot (or atleast restarting inetd) is needed to take effect.

    4) Change routing Because ESXi 4 has no packet filter we need to change the routing so it doesn't know how to talk to everyone. this is a bit dangerous, because wrong routing could lead to an ESXi-Management only reachable from local console! You need a static IP or known Network from which you want to administer your ESXi. We add a route to this and delete the default route afterwards.

    esxcfg-route -a x.x.x.x/sub y.y.y.y

    where "x.x.x.x" is your network or ip. "sub" the subnet mask. and "y.y.y.y" your gateway.

    for example we have a ESXi with default gateway 12.34.56.78 and want to add only a single ip 98.76.54.21 the command is

    esxcfg-route -a 98.76.54.21/32 12.34.56.78

    check if your route is correctly set:

    esxcfg-route -l

    if so, delete your default route

    esxcfg-route -d default y.y.y.y

    When all was done correct, you should still reach your ESXi. If not you have to log in localy and change everything back.

    • 2