Thanks for the great info and script Carlos. Any recommendations on account lockout and preventing a DDOS in the form of?

thanks again
tim

On Mon, Sep 21, 2009 at 1:52 PM, Carlos Perez <[email protected]> wrote:
> This is a small script that forms part of my build process, in addition to
> this I tend to set the tcpwrappers to only allow the Virtual Center to talk
> to the ESX and I try to keep the management network in a different isolated
> VLAN, if using ESXi I like to use PVLANS to restrict access to them, for
> both scenarios I change the certificates to self signed ones if no PKI inf
> available, mark for certificate verification and thru GPO set the self
> signed CA cert to the management machines, in the case of an isolated VLAN I
> set NTP Servers on the Switches for the inf, in addition a Win2k8 TS Gateway
> with a Win2k8 TS server are set for access to the management Network and
> rules are set for certificates also on this plus only SNMP or Syslog traffic
> can go out for monitoring, if using VUM a rule is set so that only vCenter
> goes out and communicates strictly with a set of DNS servers and
> the outbound web proxy server. The windows firewall is also enabled on the
> vCenter machine to block access other than RDP, 443, 8083 and 902.
>
> Cheers,
> Carlos
>
> On Mon, Sep 21, 2009 at 10:11 AM, Ben Greenfield <[email protected]> wrote:
>> Another major disadvantage that I see is that I believe doing this
>> requires enabling 'unsupported' mode in ESX. How do you weigh the
>> security benefit of account lockouts against the issue of potentially
>> voiding your support contract with vmware? I see issues like this
>> more and more with the newer (i series) ESX releases. They are only
>> going to become more common as well. Another example is running
>> Nessus scans (or any compliance scans) with credentials against
>> vmware. I don't think that the new releases come with SSH enabled by
>> default, and enabling SSH requires jumping into that unsupported mode.
>> Without SSH, you can do a credentialed compliance scan (for patches,
>> configuration, etc). Maybe someone knows a different way to enable
>> SSH that I'm not aware of as well.
>>
>> I'd be very interested to know people's thoughts about this.
>>
>> On Fri, Sep 18, 2009 at 12:22 PM, Tim Mugherini <[email protected]> wrote:
>> > After chatting with Carlos and Mick about VMWare & ESX account lockout
>> > policies (or lack thereof) during the pre show last night, I thought I would
>> > start an email string here. Carlos had mentioned something last night about
>> > integration with AD policies. A while back someone had popped this into the
>> > IRC channel (Carlos I think it was you actually).
>> >
>> > http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx
>> >
>> > So some sysadmins here came up with the following for the ESX console
>> > (warning have not tested yet).
>> >
>> > ------------------
>> >
>> > To configure the ESX service console to disable the account after three
>> > unsuccessful login attempts, add the following lines to /etc/pam.d/system-auth:
>> >
>> > auth required /lib/security/pam_tally.so no_magic_root
>> > account required /lib/security/pam_tally.so deny=3 no_magic_root
>> >
>> > To create the file for logging failed login attempts, execute the following
>> > commands:
>> >
>> > touch /var/log/faillog
>> > chown root:root /var/log/faillog
>> > chmod 600 /var/log/faillog
>> >
>> > -------------------
>> >
>> > Of course a major disadvantage here would be DDOS by locking out any built
>> > in accounts so a more robust solution would be desired.
>> >
>> > Thoughts? Might make an interesting blog post ;)
>> >
>> > Thanks
>> >
>> > Tim
>> >
>> > _______________________________________________
>> > Pauldotcom mailing list
>> > [email protected]
>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> > Main Web Site: http://pauldotcom.com
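Added example (mine, not code from the thread or from VMware): a Python audit of the pam_tally lines proposed above, run against a constructed system-auth stack. It reports the deny threshold, whether root is tallied (the thread's reading of no_magic_root) and whether unlock_time bounds the lockout, which is the difference between a temporary and a permanent lockout of a built-in account; magic_root and unlock_time are documented pam_tally options, but whether a given ESX build's pam_tally honours them is an assumption to confirm against its man page.

```python
# Audit the pam_tally lockout lines proposed in the thread (constructed sample).
PROPOSED_SYSTEM_AUTH = """\
auth        required      /lib/security/pam_tally.so no_magic_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
account     required      /lib/security/pam_tally.so deny=3 no_magic_root
account     required      /lib/security/pam_unix.so
"""
# Constructed variant: root exempt from the tally and a 15-minute auto-unlock.
BOUNDED_SYSTEM_AUTH = """\
auth        required      /lib/security/pam_tally.so magic_root
account     required      /lib/security/pam_tally.so deny=3 magic_root unlock_time=900
account     required      /lib/security/pam_unix.so
"""

def parse_pam_tally(text):
    """Merge pam_tally options across all lines; deny=3 -> 3, bare flags -> True."""
    opts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if "pam_tally" not in fields[2]:
            continue
        for token in fields[3:]:
            key, _, value = token.partition("=")
            opts[key] = int(value) if value.isdigit() else True
    return opts

def assess_lockout(opts):
    """Summarise the lockout policy and the denial-of-service risk it implies."""
    deny = opts.get("deny")
    # As the thread reads it: no_magic_root means root is counted like any user.
    root_exempt = "magic_root" in opts and "no_magic_root" not in opts
    unlock_time = opts.get("unlock_time")
    findings = []
    if deny is None:
        findings.append("pam_tally loaded but no deny= threshold: nothing locks")
    else:
        findings.append("accounts lock after %d failed attempts" % deny)
        if not root_exempt:
            findings.append("root is tallied: failures can lock the console root account")
        if unlock_time is None:
            findings.append("no unlock_time=: locked accounts stay locked until an admin resets the tally")
    return {"deny": deny, "root_exempt": root_exempt,
            "unlock_time": unlock_time, "findings": findings}
```

Running assess_lockout over the proposed stack yields all three findings; the bounded variant yields only the threshold line, which is the property to look for before enabling lockout on a console with built-in accounts.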
