Saturday, August 6, 2016

How to Fix ESXi 6.0 root account lockout


ESXi 6.0 introduces root account lockout. There're bunch of bots out there trying to brute-force attack your ssh/ESXi root password, making your root account easily vulnerable to be locked out. A good security practice to amend the issue is to enable SSH server on ESXi with KEY-BASED authentication ('PasswordAuthentication no' in /etc/ssh/sshd_config) then to enable ESXi firewall and restrict the ESXi vSpehere client to your static IP addresses as mentioned here:

esxcli network firewall set --enabled true
esxcli network firewall ruleset set -a=false -r=vSphereClient
esxcli network firewall ruleset allowedip add -i=Your.Static.IP.Address -r=vSphereClient


You need to limit your SSH port as well:

esxcli network firewall set --enabled false
esxcli network firewall ruleset set -a=false -r=sshServer
esxcli network firewall ruleset allowedip add -i=Your.Static.IP.Address -r=sshServer

esxcli network firewall set --enabled true

No comments:

Post a Comment