Ensure the shell services timeout is set to 1 hour or less

Details

When the ESXi shell or SSH services are enabled on a host, they will run indefinitely. To avoid this, set the ESXiShellTimeOut, which defines a window of time after which the ESXi shell and SSH services will automatically be terminated.

It is recommended to set the ESXiShellInteractiveTimeOut together with ESXiShellTimeOut.

Rationale:

This reduces the risk of an inactive ESXi shell or SSH service being misused by an unauthorized party to compromise a host.

Solution

To set the timeout to the desired value, perform the following from the vSphere web client:

1. From the vSphere Web Client, select the host.
2. Click Configure, then expand System.
3. Select Advanced System Settings, then click Edit.
4. Enter ESXiShellTimeOut in the filter.
5. Set the value for this parameter to 3600 (1 hour) or less.
6. Click OK.

Note: A value of 0 disables the ESXiShellTimeOut.

Alternatively, run the following PowerCLI command:

# Set UserVars.ESXiShellTimeOut to 3600 on all hosts
Get-VMHost | Get-AdvancedSetting -Name 'UserVars.ESXiShellTimeOut' | Set-AdvancedSetting -Value '3600'
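
An audit to run before and after the change, as an added example (not part of the original article or the benchmark text): it reports each host's value and treats 0 as non-compliant, because 0 disables the timeout even though it is numerically below 3600. It assumes an existing Connect-VIServer session; Test-ShellTimeoutValue and the report column names are hypothetical names chosen here.

```powershell
# Added example: audit UserVars.ESXiShellTimeOut on every host in the current
# Connect-VIServer session. Assumes VMware PowerCLI is loaded and connected.
$maxSeconds = 3600   # limit stated on this page (1 hour)

# Hypothetical helper: true only for values in the range 1..$Max.
function Test-ShellTimeoutValue {
    param([int]$Value, [int]$Max = 3600)
    # 0 disables the timeout, so it must fail even though 0 -le 3600 is true.
    return ($Value -gt 0 -and $Value -le $Max)
}

$report = foreach ($vmhost in Get-VMHost) {
    $timeout     = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellTimeOut'
    $interactive = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellInteractiveTimeOut'

    [pscustomobject]@{
        Host                        = $vmhost.Name
        ESXiShellTimeOut            = [int]$timeout.Value
        # Reported for review only; this page gives no limit for it.
        ESXiShellInteractiveTimeOut = [int]$interactive.Value
        Compliant                   = Test-ShellTimeoutValue -Value ([int]$timeout.Value) -Max $maxSeconds
    }
}

# Non-compliant hosts sort first ($false before $true).
$report | Sort-Object Compliant, Host | Format-Table -AutoSize

# Dry run of the remediation, limited to failing hosts.
# Remove -WhatIf to apply the change.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Get-VMHost -Name $_.Host |
        Get-AdvancedSetting -Name 'UserVars.ESXiShellTimeOut' |
        Set-AdvancedSetting -Value $maxSeconds -Confirm:$false -WhatIf
}
```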

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: VMware.

Updated on July 16, 2022