This is a small script that forms part of my build process, in addition to this I tend to set the tcpwarapers to only allow the Virtual Center to talk to the ESX and I try to keep the management network in a different isolated VLAN, if using ESXi I like to use PVLANS to restrict access to them, for both scenarios I change the certificates to self signed ones if no PKI inf available, mark for certificate verification and thru GPO set the self signed CA cert to the management machines, in the case of an isolated VLAN I set NTP Servers on the Switches for the inf, in addition a Win2k8 TS Gateway with a Win2k8 TS server are set for access to the management Network and rules are set for certificates also on this plus only SNMP or Syslog traffic can go out for monitoring, if using VUM a rule is set so that only vCenter goes out and communicates strictly with a set a of DNS servers and the outbound web proxy server. The windows firewall is also enabled on the vCenter machine to block access other that RDP, 443, 8083 and 902. Cheers, Carlos
On Mon, Sep 21, 2009 at 10:11 AM, Ben Greenfield <[email protected]> wrote: > Another major disadvantage that I see is that I believe doing this > requires enabled 'unsupported' mode in ESX. How do you weigh the > security benefit of account lockouts against the issue of potentially > voiding your support contract with vmware? I see issues like this > more and more with the newer (i series) ESX releases. They are only > going to become more common as well. Another example is running > Nessus scans (or any compliance scans) with credentials against > vmware. I don't think that the new releases come with SSH enabled by > default, and enabling SSH requires jumping into that unsupported mode. > Without SSH, you can do a credentialed compliance scan (for patches, > configuration, etc). Maybe someone know's a different way to enable > SSH that I'm not aware of as well. > > I'd be very interested to know people's thoughts about this. > > On Fri, Sep 18, 2009 at 12:22 PM, Tim Mugherini <[email protected]> > wrote: > > After chatting with Carlos and Mick about VMWare & ESX account lockout > > policies (or lack thereof) during the pre show last night, I thought I > would > > start an email string here. Carlos had mentioned something last night > about > > integration with AD policies. A while back someone had popped this into > the > > IRC channel (Carlos I think it was you actually). > > > > > http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx > > > > So some sysadmins here came up with the following for the ESX console > > (warning have not tested yet). > > > > ------------------ > > > > To configure the ESX service console to disable the account after three > > unsuccessful login attempts, add the > > following lines to /etc/pam.d/system-auth: > > > > auth required /lib/security/pam_tally.so no_magic_root > > account required /lib/security/pam_tally.so deny=3 > > no_magic_root > > > > To create the file for logging failed login attempts, execute the > following > > commands: > > > > touch /var/log/faillog > > chown root:root /var/log/faillog > > chmod 600 /var/log/faillog > > > > ------------------- > > > > Of course a major disadvantage here would be DDOS by locking our any > built > > in accounts so a more robust solution would be desired. > > > > Thoughts? Might make an interesting blog post ;) > > > > Thanks > > > > Tim > > > > > > > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
esxbaseconfig.sh
Description: Bourne shell script
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
