BLU Discuss list archive
[Discuss] Securing a VMware ESXi server at a colo site?
- Subject: [Discuss] Securing a VMware ESXi server at a colo site?
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- Date: Tue, 10 Mar 2015 13:46:08 +0000
- In-reply-to: <CAFv2jcbpKwLb078MUBhzAfPH5jNvYnKPBQfUkXz3S-XJ8AhTMA@mail.gmail.com>
- References: <CAFv2jcbpKwLb078MUBhzAfPH5jNvYnKPBQfUkXz3S-XJ8AhTMA@mail.gmail.com>
> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of John Abreau
>
> I'm considering using the free edition of VMware ESXi 5.5 at a co-location
> site. If I understand correctly, the free edition doesn't include the
> management console application, so I would have to manage it via a web
> browser.
>
> How do I set it up so I can manage it remotely in a secure manner?
>
> My initial thoughts are to close every port on the host server except ssh,
> and lock down ssh in the usual manner: disable protocol 1, disable password

Nope, nope, nope, nope.

First of all, ESXi is not to be managed via ssh. Although you can enable ssh, and lots of useful things can be done that way, it's the most difficult way to do anything, it's unsupported, and lots of unexpected gotchas will certainly getchya.

The "right" thing to do is to install vSphere Client on a Windows machine, and use it to remote admin the server. The *only* thing you should do outside of vSphere Client is to boot from the install disk, enter IP address, and root password during bare metal installation. Also configure your RAID card in BIOS.

That being said - you absolutely, definitely, should not open vSphere traffic over the internet. You'll need a VPN, connected to the "primary" network interface of the ESXi host, which you'll use for management. Let all the VMs use a different ethernet jack, so the VM traffic is isolated from the management traffic. The only way to get to the management interface is via your VPN.