Hardening the host via Console
The ESXi console is very straightforward and provides easy keyboard navigation to access basic options. The most common use of the console is to configure the management network so that the host can be accessed from the network by vCenter and directly by the vSphere client management tool.
There are two primary areas to be highlighted with regard to security:
- Troubleshooting mode
- Lockdown mode
Getting ready
ESXi 5.5 must be installed on the physical host, and we must have direct access available to the keyboard and monitor in order to proceed with the local console steps. ESXi is part of the vSphere 5.5 download file and can be found at https://my.vmware.com/web/vmware/evalcenter?p=vsphere-55.
How to do it…
Perform the following steps:
- Press any key to wake the server and change the black and gray screen to yellow. Once the system is awake, we need to log in.
- Press F2 to enter configuration mode. By default, we'll need to enter the root password.
- Once the password is accepted, we move our cursor down to the Troubleshooting Mode Options menu item.
- Selecting Troubleshooting Mode Options gives us the following configuration options, shown in the following screenshot:
- Enable ESXi Shell
- Enable SSH
- Modify ESXi Shell and SSH timeouts
- Restart Management Agents
Specifically, we want to ensure that both the ESXi Shell and SSH are disabled.
- Toggle each option between enabled and disabled by pressing the Space bar on the selected item.
- The second area to be noted is Configuration Lockdown Mode.
Note
You cannot set lockdown mode if the host has not yet been added to vCenter. In that case the option is disabled, as shown in the following screenshot.
- Configure Lockdown Mode is an option to lock down the host to the point where you cannot log in locally, and access is only possible through vCenter. This option is enabled or disabled by selecting it from the main System Customization menu (shown in the following screenshot):
How it works…
The console is used to configure remote access to an ESXi host that is not under the control of a vCenter server. In such cases, remote access can be provided by allowing SSH and remote shell connections to the host. The steps in the preceding section show how SSH is toggled on or off.
Lockdown mode is recommended when the physical host is remote or in a location with questionable physical security. Ensure that a highly available vCenter configuration exists prior to enabling lockdown mode. If a single virtual vCenter server is used and this server becomes unresponsive, it is not possible to connect to the ESXi host by any remote means in order to restart the vCenter VM.
There's more
Configuring ESXi at the console is usually only done in smaller environments and special circumstances. More complex scenarios take advantage of deployment tools and host profiles to simplify the configuration.
ESXi Shell is a method used to script and speak to the host via command-line tools such as PowerCLI. In general, these options should remain disabled unless there is a specific need to manage the host outside vCenter. SSH is a key service that attackers use to infiltrate systems identified by a port scan. While SSH can be very helpful for troubleshooting, or even for transferring files with programs such as FileZilla, it should be kept disabled until needed.
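Once hosts are under vCenter, the same two checks made at the console (ESXi Shell and SSH disabled, lockdown mode on) are usually verified across every host with PowerCLI rather than one keyboard at a time. The following script is an added example, not part of the original recipe or VMware's documentation. It assumes VMware PowerCLI is installed, that the account used has administrative rights, and that `vcenter.example.local` is replaced with a real vCenter name. The service keys `TSM` (ESXi Shell) and `TSM-SSH` (SSH) are the ones ESXi uses for the two Troubleshooting Mode services; on ESXi 5.5 lockdown mode is read from the host's `Config.AdminDisabled` property.

```powershell
# Added example: audit (and optionally remediate) ESXi Shell, SSH and lockdown mode
# on every host managed by a vCenter. Not code from the original recipe.
# Assumptions: PowerCLI installed, 'vcenter.example.local' is a placeholder.
$vCenter       = 'vcenter.example.local'
$remediate     = $false   # set to $true to stop the services and set their policy to Off
$enableLockdown = $false  # set to $true only once a highly available vCenter exists

Connect-VIServer -Server $vCenter | Out-Null

foreach ($esx in Get-VMHost) {
    # TSM = ESXi Shell, TSM-SSH = SSH daemon: the two Troubleshooting Mode services
    $services = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }

    foreach ($svc in $services) {
        # Flag a service that is running now, or that will start with the host
        if ($svc.Running -or $svc.Policy -ne 'off') {
            Write-Warning ("{0}: {1} running={2} policy={3}" -f $esx.Name, $svc.Label, $svc.Running, $svc.Policy)
            if ($remediate) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
                Set-VMHostService  -HostService $svc -Policy Off      | Out-Null
            }
        } else {
            Write-Output ("{0}: {1} is disabled" -f $esx.Name, $svc.Label)
        }
    }

    # Lockdown mode on ESXi 5.5 is exposed through the HostSystem managed object
    $view = $esx | Get-View
    if (-not $view.Config.AdminDisabled) {
        Write-Warning ("{0}: lockdown mode is disabled" -f $esx.Name)
        if ($enableLockdown) {
            # Same action as Configure Lockdown Mode in the console's System Customization menu
            $view.EnterLockdownMode()
        }
    } else {
        Write-Output ("{0}: lockdown mode is enabled" -f $esx.Name)
    }
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it first with both switches left at `$false` to get a report only; the two gates keep the stop/disable and lockdown actions separate, because turning lockdown on against a host whose only vCenter is a single VM is exactly the situation the "How it works" section warns about.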