Enable Remote shell in ESXi (ssh)

So you like to ssh/have console into your ESXi host don’t you?  You enjoy the raw power.  We all do but here are some reasons why it’s a bad idea:

  • Security risk – one more way into all your virtual machines that is commonly hacked
  • Memory waste – having it enabled eats memory, disabled uses none

If you are stuck on enabling it you might want to consider locking it down with the ESXi firewall enabling ssh connections from only a few known source ports.  Like this (from esxi host or vMA):

List current firewall rules:

esxcli network firewall ruleset list

This will output something like this:

Name Enabled
------------------ -------
sshServer true
sshClient false
nfsClient false
dhcp true
dns true
snmp true
ntpClient true
CIMHttpServer true
CIMHttpsServer true
CIMSLP true
iSCSI true
vpxHeartbeats true
updateManager false
faultTolerance true
webAccess true
vMotion true
vSphereClient true
activeDirectoryAll false
NFC true
HBR true
ftpClient false
httpClient false
gdbserver false
DVFilter false
DHCPv6 false
DVSSync false
syslog false
IKED false
WOL true
vSPC false
remoteSerialPort false
vprobeServer false

To show the firewall default actions run the following command:

esxcli network firewall get
Default Action: DROP
 Enabled: true
 Loaded: true

To see the current firewall rules on sshServer use the following:

esxcli network firewall ruleset list --ruleset-id sshServer
Name Enabled
--------- -------
sshServer true

See current allowed ip list:

esxcli network firewall ruleset allowedip list --ruleset-id sshServer
Ruleset Allowed IP Addresses
--------- --------------------
sshServer All

Turn the allow all list to false:

esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false

Add the 10.10.101.0/24 subnet to the ssh allow list:

esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.10.101.0/24

Check current list

esxcli network firewall ruleset allowedip list --ruleset-id sshServer

Now you have locked down your host access to ESXi ssh but I keep getting a warning on the host that ssh/console is enabled…. I love this error it really shows you vmware’s feelings about this feature.   Here is how you make it stop, well you can do it via the gui but let’s do it in the console:

esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.