Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Securing a VMware ESXi server at a colo site?

> From: Discuss [ at] On
> Behalf Of John Abreau
> I'm considering using the free edition of VMware ESXi 5.5 at a co-location
> site. If I understand correctly, the free edition doesn't include the
> management console application, so I would have to manage it via a web
> browser.
> How do I set it up so I can manage it remotely in a secure manner?
> My initial thoughts are to close every port on the host server except ssh,
> and lock down ssh in the usual manner: disable protocol 1, disable password

Nope, nope, nope, nope.

First of all, ESXi is not to be managed via ssh.  Although you can enable ssh, and lots of useful things can be done that way, it's the most difficult way to do anything, it's unsupported, and lots of unexpected gotchas will certainly getchya.  The "right" thing to do is to install vSphere Client on a windows machine, and use it to remote admin the server.  The *only* thing you should do outside of vSphere Client, is to boot from the install disk, enter IP address, and root password during bare metal installation.  Also configure your RAID card in BIOS.

That being said - you absolutely, definitely, should not open vSphere traffic over the internet.  You'll need a VPN, connected to the "primary" network interface of the ESXi host, which you'll use for management.  Let all the VM's use a different ethernet jack, so the VM traffic is isolated from the management traffic.  The only way to get to the management interface is via your VPN.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /