Ensure SSH is disabled

Details

The ESXi shell, when enabled, can be accessed directly from the host console through the DCUI or remotely using SSH. Disable Secure Shell (SSH) for each ESXi host to prevent remote access to the ESXi shell, and only enable SSH when needed for troubleshooting or diagnostics.

*Rationale*

Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI), and the published APIs. Under normal circumstances, remote access to the host using SSH should be disabled.

Solution

To verify SSH is disabled, perform the following:

1. From the vSphere web client, select the host.
2. Select “Configure” -> “System” -> “Security Profile”.
3. Scroll down to “Services”.
4. Click “Edit…”.
5. Select “SSH”.
6. Verify the Startup Policy is set to “Start and Stop Manually”.

Alternately, the following PowerCLI command may be used:

# Check whether the SSH service (key TSM-SSH) is running and what its startup policy is
Get-VMHost | Get-VMHostService | Where { $_.Key -eq "TSM-SSH" } | Select VMHost, Key, Label, Policy, Running, Required
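As an added example that is not part of the original article, the following PowerCLI function audits the SSH service on every host for the two conditions above (daemon stopped, startup policy set to manual) and can optionally bring a non-compliant host back into line. It assumes an existing Connect-VIServer session; the function name and parameters are my own.

```powershell
# Added example (not from the original article): audit and optionally remediate the
# SSH service on ESXi hosts reachable through an existing PowerCLI session.
# Assumes Connect-VIServer has already been run against vCenter or a single ESXi host.

function Test-EsxiSshDisabled {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to every host in the connected inventory.
        [Parameter(ValueFromPipeline = $true)]
        $VMHost = (Get-VMHost),

        # When set, stop SSH and change its startup policy to 'off', which the
        # vSphere Client displays as "Start and Stop Manually".
        [switch]$Remediate
    )

    process {
        foreach ($h in $VMHost) {
            $ssh = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
            if (-not $ssh) { continue }

            # Compliant only if the daemon is stopped AND it will not start on boot.
            $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')

            if (-not $compliant -and $Remediate) {
                if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
                if ($ssh.Policy -ne 'off') { Set-VMHostService -HostService $ssh -Policy 'off' | Out-Null }
                # Re-read the service so the report reflects the post-remediation state.
                $ssh = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
                $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
            }

            [pscustomobject]@{
                VMHost    = $h.Name
                Running   = $ssh.Running
                Policy    = $ssh.Policy
                Compliant = $compliant
            }
        }
    }
}

# Report only:
# Test-EsxiSshDisabled | Format-Table -AutoSize
# Report, fixing any host that fails the check:
# Test-EsxiSshDisabled -Remediate | Where-Object { -not $_.Compliant }
```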

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: VMware.

Updated on July 16, 2022