Can HyperFlex run with SSH disabled and Lockdown enabled?

Owk
Level 1

Hi All,

With more and more ransomware targeting ESXi, is there a way to disable SSH and enable Lockdown on HyperFlex nodes without affecting it?
Accepted Solution

Kirk J
Cisco Employee

Please take a look at https://www.cisco.com/c/dam/en/us/support/docs/hyperconverged-infrastructure/hyperflex-hx-data-platform/HX-Hardening_Guide.pdf

The answer is yes, but please note there are some caveats:

SSH (ESX) Lockdown Mode and Root Logins

ESX SSH lockdown mode can be enabled on each ESX node of the HX cluster. This applies only to a post-install system. SSH traffic must not be blocked during install. Lockdown of SSH for ESXi is supported in HXDP 2.5 and above. The following constraints apply to the deactivation of remote SSH access to the system for versions prior to 3.5(1a):

1. HX Snapshots for VMs are disabled (redo-log based snapshots still function).
2. The source VM for a ReadyClone operation must remain powered off for a cloning operation. Once the operation is complete, the source VM can be powered back on. Clones themselves are unaffected.
3. System upgrades are disabled until SSH is re-enabled.

SSH needs to be enabled before cluster expansion can take place. It can be disabled again afterwards.

Kirk...

2 Replies

I know this is an old post but... I have enabled Lockdown mode and added the hxuser as an exception on one of my HX hosts for testing. I'm wondering why alarms/warnings are created in vCenter and HX Connect for it being enabled when it's supported? Is it OK to just reset the alerts to "green" and disable the monitor in vCenter?
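An added PowerCLI example, not from this thread or the HX Hardening Guide, that audits every node in an HX cluster for lockdown mode, SSH service state and the lockdown exception list, and with -Apply performs the change the replies describe (normal lockdown, hxuser as exception, SSH stopped and its startup policy set to off). It assumes VMware.PowerCLI is installed, Connect-VIServer has already been run against the vCenter managing the cluster, and the cluster name is a placeholder you replace; re-enable SSH before upgrades or expansion, as the guide excerpt above requires.

```powershell
# Added example (not the thread's or Cisco's code). Assumes an existing
# Connect-VIServer session; 'HX-Cluster' is a placeholder cluster name.
param(
    [string]$ClusterName = 'HX-Cluster',
    [string[]]$ExceptionUsers = @('hxuser'),   # account named in the thread
    [switch]$Apply                             # without -Apply, report only
)

$report = foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
    # HostAccessManager is the vSphere API object that owns lockdown mode
    $am  = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }

    if ($Apply) {
        # Exception users keep their direct-host permissions under lockdown;
        # add them before switching the mode so the HX controller keeps access.
        $current = @($am.QueryLockdownExceptions())
        $missing = @($ExceptionUsers | Where-Object { $_ -notin $current })
        if ($missing.Count -gt 0) { $am.UpdateLockdownExceptions($current + $missing) }

        if ($vmhost.ExtensionData.Config.LockdownMode -ne 'lockdownNormal') {
            $am.ChangeLockdownMode('lockdownNormal')
        }
        # Stop SSH now and keep it off across reboots
        if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
        if ($ssh.Policy -ne 'off') { Set-VMHostService -HostService $ssh -Policy Off | Out-Null }

        # Refresh cached objects so the report shows the post-change state
        $vmhost = Get-VMHost -Name $vmhost.Name
        $ssh    = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    }

    $mode = $vmhost.ExtensionData.Config.LockdownMode
    [pscustomobject]@{
        Host         = $vmhost.Name
        LockdownMode = $mode
        SshRunning   = $ssh.Running
        SshPolicy    = $ssh.Policy
        Exceptions   = ($am.QueryLockdownExceptions() -join ',')
        # Hosts that still expose SSH or are not in lockdown need follow-up
        Compliant    = ($mode -eq 'lockdownNormal' -and -not $ssh.Running -and $ssh.Policy -eq 'off')
    }
}

$report | Format-Table -AutoSize
```

Run it without -Apply first to see which nodes differ from the intended state, then with -Apply on one node, as the second reply did, before rolling it out to the cluster.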
