3.1 (L1) Host should deactivate SSH

Information

Secure Shell (SSH) provides remote access to the ESXi shell, enabling direct host console access or remote connectivity. Deactivating SSH is a security measure aimed at minimizing remote access channels to the ESXi host, restricting it to essential connections only through vSphere Client, vCLI/PowerCLI, or published APIs. The service status should be set to "Stopped", allowing manual start and stop for troubleshooting or diagnostic activities when necessary.

Limiting remote access by deactivating SSH reduces potential attack vectors, promoting a secure operating environment. Enabling SSH only for diagnostics or troubleshooting ensures controlled access, aligning with security best practices.

Solution

To disable SSH, perform the following:

- From the vSphere Web Client, select the host.
- Select Configure, then expand System and select Services.
- Click on SSH, then click Edit Startup Policy.
- Set the Startup Policy to Start and Stop Manually.
- Click OK.
- While SSH is still selected, click Stop so the service is also in the "Stopped" state (the startup policy alone does not stop a daemon that is already running).

Alternately, use the following PowerCLI command:

# Set SSH to start manually rather than automatically for all hosts
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy Off
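The one-liner above only changes the startup policy; a host whose sshd was started by hand stays non-compliant until the service is stopped as well. The following PowerCLI function, added here as an example and not part of the benchmark or of VMware's tooling, audits both conditions (policy Off and service not running) across all hosts in the session and remediates on request. It assumes the VMware.PowerCLI module is loaded and a session already exists via Connect-VIServer; the function name, its parameters and the output object layout are choices made for this example.

```powershell
# Added example: audit and optionally remediate the TSM-SSH service on every
# ESXi host in the current PowerCLI session. Assumes Connect-VIServer has been
# run. Function and parameter names are chosen for this example only.
function Invoke-SshServiceAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Limit the audit to named hosts; default is every host in the session
        [string[]] $HostName,
        # Set startup policy to Off and stop sshd where a host is non-compliant
        [switch] $Remediate
    )

    $hosts = if ($HostName) { Get-VMHost -Name $HostName } else { Get-VMHost }

    foreach ($vmHost in $hosts) {
        $svc = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM-SSH' }
        if (-not $svc) {
            Write-Warning "$($vmHost.Name): TSM-SSH service not found"
            continue
        }

        # Compliant only when the policy is Off AND the daemon is not running.
        # -eq is case-insensitive in PowerShell, so 'off' matches the API value.
        $compliant = ($svc.Policy -eq 'off') -and (-not $svc.Running)

        if (-not $compliant -and $Remediate) {
            if ($PSCmdlet.ShouldProcess($vmHost.Name, 'Set TSM-SSH policy to Off and stop the service')) {
                if ($svc.Policy -ne 'off') {
                    $svc = Set-VMHostService -HostService $svc -Policy Off -Confirm:$false
                }
                if ($svc.Running) {
                    $svc = Stop-VMHostService -HostService $svc -Confirm:$false
                }
                # Re-evaluate with the objects returned by the cmdlets
                $compliant = ($svc.Policy -eq 'off') -and (-not $svc.Running)
            }
        }

        [pscustomobject]@{
            Host      = $vmHost.Name
            Policy    = $svc.Policy
            Running   = $svc.Running
            Compliant = $compliant
        }
    }
}

# Report only:
#   Invoke-SshServiceAudit | Format-Table -AutoSize
# Preview, then apply remediation:
#   Invoke-SshServiceAudit -Remediate -WhatIf
#   Invoke-SshServiceAudit -Remediate -Confirm:$false
```

Run the report form first: any host showing Policy "off" but Running True is one where SSH was started manually for troubleshooting and never stopped, which is exactly the state the control's "Stopped" requirement is meant to catch.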

Impact:

There is no functional impact noted; however, the measure requires alternative methods for remote management, such as vSphere Client or command-line tools, which may demand additional configurations or toolset proficiency.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: VMware

Control ID: dfda115f76e43fe2e08ec9dab50177284f41c56cec9ca40af29f6ed4cc374baf