So you like to SSH into (or have console access to) your ESXi host, don’t you? You enjoy the raw power. We all do, but here are some reasons why it’s a bad idea:
- Security risk – one more way into your host and every virtual machine on it, and an entry point attackers commonly go after
- Memory waste – having it enabled eats memory; disabled, it uses none
If you really need it enabled, consider locking it down with the ESXi firewall so that SSH connections are accepted from only a few known source IP addresses or subnets (the filter is on the client address, not on ports). Like this (from the ESXi host shell or the vMA):
List current firewall rules:
esxcli network firewall ruleset list
This will output something like this:
Name                Enabled
------------------  -------
sshServer           true
sshClient           false
nfsClient           false
dhcp                true
dns                 true
snmp                true
ntpClient           true
CIMHttpServer       true
CIMHttpsServer      true
CIMSLP              true
iSCSI               true
vpxHeartbeats       true
updateManager       false
faultTolerance      true
webAccess           true
vMotion             true
vSphereClient       true
activeDirectoryAll  false
NFC                 true
HBR                 true
ftpClient           false
httpClient          false
gdbserver           false
DVFilter            false
DHCPv6              false
DVSSync             false
syslog              false
IKED                false
WOL                 true
vSPC                false
remoteSerialPort    false
vprobeServer        false
To show the firewall default actions run the following command:
esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
To see the current firewall rules on sshServer use the following:
esxcli network firewall ruleset list --ruleset-id sshServer
Name       Enabled
---------  -------
sshServer  true
See current allowed ip list:
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
Ruleset    Allowed IP Addresses
---------  --------------------
sshServer  All
Turn off the allow-all setting so the ruleset only accepts sources on its allow list. Do this from the DCUI/console, or from a session whose source address you are about to add to the list, otherwise you can lock yourself out:
esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
Add the 10.10.101.0/24 subnet to the ssh allow list:
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.10.101.0/24
Check the current list:
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
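The whole lockdown above as one small script you can drop on the host, added here as an example (it is not from the original post). It wraps the same esxcli commands, refuses malformed CIDRs before they reach esxcli, skips entries already on the list, adds the allow entries before switching allowed-all off, and then re-reads the list to confirm "All" is gone. It is written in POSIX sh because the ESXi shell is busybox ash. The names ESXCLI, RULESET, valid_cidr, allow_list_has and lockdown_ssh are chosen here; it assumes esxcli is on PATH (point ESXCLI at a stub to dry-run it off-host), that the allowedip list output uses the "a.b.c.d/n, e.f.g.h/m" layout shown above, and that esxcli accepts allowedip add while allowed-all is still true.

```shell
#!/bin/sh
# Added example (not from the original post): lock the ESXi sshServer firewall
# ruleset down to a fixed list of admin subnets with the esxcli commands shown
# above. POSIX sh only, because the ESXi shell is busybox ash.
#
#   sh lock_ssh.sh apply 10.10.101.0/24 192.168.50.10/32

ESXCLI=${ESXCLI:-esxcli}   # assumed to be on PATH; override with a stub to dry-run
RULESET=sshServer

# valid_cidr a.b.c.d/n -> 0 if there are four octets 0-255 and 0 <= n <= 32.
# Catches typos such as a missing prefix, a /33, or a 300 in an octet.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    cidr_ip=${1%/*}
    cidr_len=${1#*/}
    case "$cidr_len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$cidr_len" -le 32 ] || return 1
    cidr_oldifs=$IFS
    IFS=.
    set -f
    set -- $cidr_ip          # split into octets; positional params are local here
    set +f
    IFS=$cidr_oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# allow_list_has WORD -> 0 if WORD appears in the ruleset's allowed-IP column.
# Handles the "a.b.c.d/n, e.f.g.h/m" comma layout and the special value "All".
allow_list_has() {
    $ESXCLI network firewall ruleset allowedip list --ruleset-id "$RULESET" |
        awk -v rs="$RULESET" -v want="$1" '
            $1 == rs { for (i = 2; i <= NF; i++) { f = $i; sub(/,$/, "", f); if (f == want) hit = 1 } }
            END { exit hit ? 0 : 1 }'
}

# lockdown_ssh CIDR... : add each CIDR, switch allowed-all off, then verify.
# Allow entries go in first so the list is never enforced while it is empty.
# Make sure the address you are connecting from is inside one of the CIDRs,
# or run this from the DCUI/console.
lockdown_ssh() {
    [ $# -ge 1 ] || { echo "usage: lockdown_ssh CIDR [CIDR...]" >&2; return 2; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "refusing bad CIDR: $cidr" >&2; return 2; }
    done
    for cidr in "$@"; do
        if allow_list_has "$cidr"; then
            echo "$cidr already allowed"
        else
            $ESXCLI network firewall ruleset allowedip add \
                --ruleset-id "$RULESET" --ip-address "$cidr" || return 1
        fi
    done
    $ESXCLI network firewall ruleset set --ruleset-id "$RULESET" --allowed-all false || return 1
    # Verify the flag actually took: "All" must be gone from the list.
    if allow_list_has All; then
        echo "$RULESET still allows all sources; check the firewall state" >&2
        return 1
    fi
    $ESXCLI network firewall ruleset allowedip list --ruleset-id "$RULESET"
}

case "${1:-}" in
    apply) shift; lockdown_ssh "$@" ;;
esac
```

Run it as `sh lock_ssh.sh apply <cidr> [<cidr>...]`; without the `apply` word it only defines the functions, so you can source it and call `allow_list_has All` as a quick audit of whether a host is still wide open.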
Now you have locked down SSH access to your ESXi host, but the vSphere Client keeps showing a warning on the host that SSH/the ESXi Shell is enabled. I love this warning; it really shows VMware’s feelings about this feature. Here is how to make it stop. Note that this only hides the warning; the service stays enabled, so the firewall lockdown above is still what protects you. You can do it via the GUI, but let’s do it in the console:
esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1