October 04, 2021

#CyberAwarenessMonth: Deactivate SSH

On Day 4 of Cybersecurity Awareness Month we audit our SSH configurations to make sure SSH is deactivated, which reduces attack surface and improves security.

(It’s October so that means it’s #CyberAwarenessMonth! We should all be working to improve our security posture throughout the rest of the year, but October is a good time to talk about it collectively. We’ll be publishing a post every weekday with something actionable you can do RIGHT NOW to help make your security better.)

Are you running vSphere with SSH enabled?

If so, I’m here to ask you why. Perhaps you enabled SSH because you needed to do something that seemed easier from the command line. Maybe you enabled it to do some troubleshooting and didn’t deactivate it again. Maybe you need to copy some VM logs or dumps off the host. Or perhaps you mistook “vCenter Server HA” for “vSphere HA” in the vCenter Server installer, and let it enable SSH to support that. Very understandable. For the sake of security, let’s deactivate it now.

ESXi and vCenter Server use SSH as a troubleshooting & support interface. That support interface is a back door to the underpinnings of vSphere. It might seem fun to mess around in there, but there isn’t really a permission model. On ESXi, anyone logging in to the shell is basically the equivalent of ‘root’ on a Linux system. That’s dangerous to leave lying around for attackers to find. While all the actions at the shell prompt are logged to syslog, it’s still a better idea to do management through vCenter Server where there’s a full role-based access control model.

Leaving SSH enabled also complicates audits if your organization is subject to regulatory compliance. Many audits entail a scan for services and patches, and when the scanners find something with SSH enabled they assume it’s a Linux host. ESXi is not Linux, and those assumptions create lots of problems during a scan. At best, it’ll result in lots of extra work to sort through. At worst, the people running the scanners will try to log in as a user, and if they do, the scanners can cause operational problems.

Many compliance frameworks are specific about securing SSH. The best way to secure SSH is to not run it in the first place, making for a very short discussion with compliance auditors! I’m not kidding, at all, but your mileage may vary with the auditor.

On vSphere we recommend only enabling SSH to do specific tasks, then returning it to the secure default state of deactivated & not running.

Audit SSH on ESXi

So how do we find where we might be running SSH? You already likely know how to do it with the UI, so let’s try it with PowerCLI. Once you’ve connected with “Connect-ViServer” you can use:

Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq 'TSM-SSH' -and $_.Running -eq 'True'}

That finds the hosts that have the service running (“TSM” is Technical Support Mode, by the way). To shut SSH off, try:

Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq 'TSM-SSH'} | Set-VMHostService -Policy Off
Get-VMHost | Get-VMHostService | Where-Object {$_.Key -eq 'TSM-SSH'} | Stop-VMHostService

There’s one more thing, though. To have SSH running you, or someone around you, probably deactivated the warning banner for it. We should re-enable that warning so we know if something’s wrong in the cluster (like an attacker that’s enabled SSH, or someone doing some digging around they shouldn’t be doing). We can do that with:

Get-VMHost | Get-AdvancedSetting UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 0

(You can find all these commands in the vSphere Security Configuration Guide, too!)
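
The three checks above combined into one per-host report, as an added example that is not from the original post or from VMware's documentation. The function name Get-EsxiSshAudit and the output property names are made up for illustration, and it assumes you are already connected with Connect-VIServer.

```powershell
# Added example. Assumes an existing Connect-VIServer session.
# Get-EsxiSshAudit is a hypothetical name, not a PowerCLI cmdlet.
function Get-EsxiSshAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also apply the three fixes from this post to non-compliant hosts
        [switch]$Remediate
    )

    foreach ($vmhost in Get-VMHost) {
        # Hosts that are disconnected or not responding cannot be queried
        if ($vmhost.ConnectionState -notin 'Connected', 'Maintenance') {
            Write-Warning "$($vmhost.Name) is $($vmhost.ConnectionState); skipped"
            continue
        }

        $ssh  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        $warn = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.SuppressShellWarning'

        # Secure default: service stopped, startup policy off, warning banner not suppressed
        $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off') -and ([int]$warn.Value -eq 0)

        if ($Remediate -and -not $compliant -and
            $PSCmdlet.ShouldProcess($vmhost.Name, 'Deactivate SSH and restore shell warning')) {
            Set-VMHostService -HostService $ssh -Policy Off -Confirm:$false | Out-Null
            if ($ssh.Running) {
                Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
            }
            Set-AdvancedSetting -AdvancedSetting $warn -Value 0 -Confirm:$false | Out-Null

            # Re-read so the report shows the state after the change
            $ssh  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
            $warn = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.SuppressShellWarning'
        }

        [pscustomobject]@{
            VMHost            = $vmhost.Name
            SshRunning        = $ssh.Running
            SshPolicy         = $ssh.Policy
            WarningSuppressed = [bool][int]$warn.Value
        }
    }
}

# Report only: list hosts that deviate from the secure default
Get-EsxiSshAudit | Where-Object { $_.SshRunning -or $_.SshPolicy -ne 'off' -or $_.WarningSuppressed }
```

Run Get-EsxiSshAudit -Remediate -WhatIf first to see which hosts would be changed before letting it change anything.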

Audit SSH on vCenter Server

Did you know that vCenter Server has an API, too? Indeed, it does, and the latest versions of PowerCLI make it very easy to use. Connect with Connect-ViServer and you can query using:

Invoke-GetAccessSsh

That’ll return “True” if it’s enabled, and nothing if it’s deactivated. You can deactivate it in PowerCLI with:

$AccessSshSetRequestBody = Initialize-AccessSshSetRequestBody -Enabled $false
Invoke-SetAccessSsh -AccessSshSetRequestBody $AccessSshSetRequestBody

(I’d love to take credit for my scripting ability but in reality I’m stealing all of this from the PowerCLI documentation! Check it out, and update to PowerCLI 12.4 or newer.)

Come Back Tomorrow For More

This is the second installment of our posts for Cybersecurity Awareness Month. Other posts are at:

As always, you can find good security guidance from VMware itself in the form of the vSphere Security Configuration Guide. It gets updated following vSphere releases so check back to make sure you’re using the latest version.
