5.4 Ensure SSH is disabled

Information

The ESXi shell, when enabled, can be accessed directly from the host console through the DCUI or remotely using SSH. Disable Secure Shell (SSH) for each ESXi host to prevent remote access to the ESXi shell, and only enable SSH when needed for troubleshooting or diagnostics.

Rationale:

Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI), and through the published APIs. Under normal circumstances, remote access to the host using SSH should be disabled.

Impact:

Disabling SSH may prevent some third-party assessment tools from completing their checks; SSH may need to be temporarily enabled for those tools to function.

Solution

To disable SSH, perform the following:

From the vSphere web client, select the host.

Select 'Configure' -> 'System' -> 'Security Profile'.

Scroll down to 'Services'.

Click 'Edit...'.

Select 'SSH'.

Click 'Stop'.

Change the Startup Policy to 'Start and Stop Manually'.

Click 'OK'.

Alternately, use the following PowerCLI command:

# Set SSH to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq 'TSM-SSH' } | Set-VMHostService -Policy Off
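The following PowerCLI script is an added example, not part of the benchmark text or Tenable's plugin: it reports the TSM-SSH service state for every host and, when run with -Remediate, performs the same stop-and-set-policy change as the steps above (the one-liner alone changes only the startup policy and leaves an already running SSH daemon up). It assumes an open Connect-VIServer session and the Running and Policy properties exposed by the HostService object.

```powershell
# Added example (not from the CIS benchmark): audit and optionally remediate
# control 5.4 on every host visible to the current Connect-VIServer session.
function Get-SshComplianceReport {
    param(
        [switch]$Remediate   # when set, stop SSH and set its startup policy to Off
    )

    foreach ($vmhost in Get-VMHost) {
        $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        if (-not $ssh) { continue }   # host exposes no TSM-SSH service; nothing to check

        # Compliant = daemon not running AND policy 'off' (= 'Start and Stop Manually')
        $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')

        if (-not $compliant -and $Remediate) {
            if ($ssh.Running) {
                Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
            }
            if ($ssh.Policy -ne 'off') {
                Set-VMHostService -HostService $ssh -Policy Off | Out-Null
            }
            # Re-read the service so the report reflects the post-remediation state
            $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
            $compliant = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
        }

        [pscustomobject]@{
            Host      = $vmhost.Name
            Running   = $ssh.Running
            Policy    = $ssh.Policy
            Compliant = $compliant
        }
    }
}

# Audit only:
Get-SshComplianceReport | Format-Table -AutoSize

# Audit and fix, once troubleshooting that needed SSH is finished:
# Get-SshComplianceReport -Remediate | Format-Table -AutoSize
```

Run the audit form first and review the Compliant column; hosts left non-compliant after remediation usually indicate a service that is in use by a third-party tool mentioned under Impact.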

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: VMware

Control ID: 19e144a17854a10d371cfd85f0b5e369ba500f9efb84e89e6df0d002759c7626