07-22-2021 10:50 PM
Hi All,
With more and more ransomware targeting ESXi, is there a way to disable SSH and enable Lockdown on HyperFlex nodes without affecting it?
07-23-2021 10:26 AM - edited 07-23-2021 10:26 AM
Please take a look at https://www.cisco.com/c/dam/en/us/support/docs/hyperconverged-infrastructure/hyperflex-hx-data-platform/HX-Hardening_Guide.pdf
The answer is yes, but please note there are some caveats:
SSH (ESX) Lockdown Mode and Root Logins
ESX SSH lockdown mode can be enabled on each ESX node of the HX cluster. This applies only to a post-install system. SSH traffic must not be blocked during install. Lockdown of SSH for ESXi is supported in HXDP 2.5 and above. The following constraints apply to the deactivation of remote SSH access to the system for versions prior to 3.5(1a):
1. HX Snapshots for VMs are disabled (redo-log based snapshots still function).
2. The source VM for a ReadyClone operation must remain powered off for a cloning operation. Once the operation is complete, the source VM can be powered back on. Clones themselves are unaffected.
3. System upgrades are disabled until SSH is re-enabled.
SSH needs to be enabled before cluster expansion can take place. It can be disabled again afterwards.
Kirk...
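The procedure the guide describes, as an added PowerCLI example that is not from this thread or from Cisco's HX Hardening Guide: add the exception user first, then enter Lockdown Mode, then stop SSH and set its startup policy to Off, with a matching function to reverse it for the upgrade and expansion windows where the guide says SSH has to be back. Assumptions: an existing PowerCLI session to the cluster's vCenter (Connect-VIServer), a vSphere 6.0 or later API (HostAccessManager), and that the HX service account to keep on the exception list is named hxuser, the name the later reply in this thread reports using; confirm the accounts your HXDP release requires against the guide before running this on a production cluster.

```powershell
# Added example, not code from the thread or from Cisco's HX Hardening Guide.
# Assumes a connected PowerCLI session (Connect-VIServer), a vSphere 6.0+ host
# (HostAccessManager API) and that 'hxuser' is the HX service account to keep on
# the lockdown exception list (an assumption taken from a later reply in the thread).

function Enable-HxHostLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMHostName,
        [string[]] $ExceptionUsers = @('hxuser'),
        [ValidateSet('lockdownNormal', 'lockdownStrict')] [string] $Mode = 'lockdownNormal'
    )
    $vmhost = Get-VMHost -Name $VMHostName
    $ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

    # Add the exception users BEFORE entering lockdown: lockdown revokes direct host
    # access for every account not on this list, so the other order can lock out the
    # account HX Data Platform uses to reach the host.
    $current = @($ham.QueryLockdownExceptions())
    $missing = @($ExceptionUsers | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0 -and $PSCmdlet.ShouldProcess($VMHostName, "add lockdown exceptions: $($missing -join ', ')")) {
        $ham.UpdateLockdownExceptions([string[]]($current + $missing))
    }

    # lockdownNormal keeps the DCUI usable for exception users; lockdownStrict disables
    # the DCUI too, leaving vCenter as the only way back in if it loses the host.
    if ($ham.LockdownMode -ne $Mode -and $PSCmdlet.ShouldProcess($VMHostName, "enter $Mode")) {
        $ham.ChangeLockdownMode($Mode)
    }

    # Stop SSH now and set its startup policy to Off so it does not return after a reboot.
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object Key -eq 'TSM-SSH'
    if ($ssh.Running -and $PSCmdlet.ShouldProcess($VMHostName, 'stop SSH')) {
        Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
    }
    Set-VMHostService -HostService $ssh -Policy Off | Out-Null

    Get-HxHostLockdownState -VMHostName $VMHostName
}

function Disable-HxHostLockdown {
    # Reverse of the above, for the windows in which the guide says SSH must be back:
    # upgrades, cluster expansion, and (pre-3.5(1a)) HX snapshots or ReadyClone of a running VM.
    param([Parameter(Mandatory)] [string] $VMHostName)
    $vmhost = Get-VMHost -Name $VMHostName
    $ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    if ($ham.LockdownMode -ne 'lockdownDisabled') { $ham.ChangeLockdownMode('lockdownDisabled') }
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object Key -eq 'TSM-SSH'
    if (-not $ssh.Running) { Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    Get-HxHostLockdownState -VMHostName $VMHostName
}

function Get-HxHostLockdownState {
    # One audit row per host; pipe every host of the HX cluster through it to check the whole cluster.
    param([Parameter(Mandatory)] [string] $VMHostName)
    $vmhost = Get-VMHost -Name $VMHostName
    $ham    = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $ssh    = Get-VMHostService -VMHost $vmhost | Where-Object Key -eq 'TSM-SSH'
    [pscustomobject]@{
        Host         = $vmhost.Name
        LockdownMode = $ham.LockdownMode
        Exceptions   = ($ham.QueryLockdownExceptions() -join ', ')
        SshRunning   = $ssh.Running
        SshPolicy    = $ssh.Policy
    }
}

# Usage (after Connect-VIServer; host and cluster names are placeholders):
#   Enable-HxHostLockdown -VMHostName 'hx-esx-01.example.local' -WhatIf   # dry run
#   Enable-HxHostLockdown -VMHostName 'hx-esx-01.example.local'
#   Get-Cluster 'HX-Cluster' | Get-VMHost | ForEach-Object { Get-HxHostLockdownState $_.Name }
#   Disable-HxHostLockdown -VMHostName 'hx-esx-01.example.local'           # before an upgrade or expansion
```

Run it one host at a time and check the audit row before moving on: because Lockdown Mode takes effect immediately, a missing exception user shows up as HX Connect losing contact with that host, which is the failure you want to find on the first node rather than on all of them. Keep the Disable function handy, since the guide's caveats (upgrades, cluster expansion, and on pre-3.5(1a) releases HX snapshots and ReadyClone of a powered-on VM) all require SSH to be re-enabled for the duration of the operation.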
08-17-2022 06:11 AM
I know this is an old post but... I have enabled Lockdown mode and added the hxuser as an exception on one of my HX hosts for testing. I'm wondering why alarms/warnings are created in vCenter and HX Connect for it being enabled when it's supported? Is it OK to just reset the alerts to "green" and disable the monitor in vCenter?