Tuesday, October 11, 2011

Securing VMware ESX 3.5, vSphere 4.1

How many of you assume that VMware vSphere provides the highest security? I always believe humans will always be the weakest link in any security chain (e.g. what happens if your VMware host has a weak password?). So my question to you: is this a human problem or a VMware problem?

Here I would like to share some of the steps you can use to secure the host from unauthorized access over SSH. So far I haven't found a way to break it, but if you can break it, please do share it with me. I always believe humans are the first line of defence.

In this article I would like to share how you can secure SSH access and also restrict VMware management access to certain IP addresses using iptables.

Securing SSH using public key authentication
In the default configuration, root is not allowed to connect directly over SSH, and password authentication is allowed. What we want to enhance here is to switch to public key authentication and remove password authentication. If you like, you can call this 2-factor authentication; it is a combination of the factors below:

Type 1 : You know
Type 2 : You have
Type 3 : You are 

Step by step
You will need to download the PuTTY key generator from www.putty.org. As shown on the screen, click on the Generate button and start moving your mouse, as below.




Key in the passphrase, as in the diagram below. Save the public key and also the private key.

Remark: You must remember the passphrase.
 
Summary as per diagram 3

Command                 Usage
service sshd status     check the sshd daemon status
adduser user2           create a user with the name user2
passwd user2            change the password for user2
su - user2              log in as user2



Remark: create a folder .ssh in /home/user2 and change its permissions by typing chmod 700 .ssh

cd into the .ssh directory and create a file named authorized_keys with the following command:

Command                 Usage
touch authorized_keys   create a file named authorized_keys



Copy the content from diagram 2 into authorized_keys and make sure the whole key is on a single line.
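The steps above (create .ssh with mode 700, create authorized_keys, paste the one-line key), as an added helper that is not part of the original post. It refuses the multi-line key file PuTTYgen saves, since only the single "ssh-rsa ..." line from the paste box is valid in authorized_keys, and it also sets authorized_keys to mode 600, which sshd checks as well.

```shell
#!/bin/sh
# Added example (not from the post): install the one-line public key that
# PuTTYgen shows in its "public key for pasting" box into a user's
# authorized_keys, with the permissions sshd expects.
# Usage: install_authorized_key /home/user2 'ssh-rsa AAAA... comment'
# Returns 0 on success, 1 if the text is not a single valid key line.
install_authorized_key() {
    home="$1"
    key="$2"
    nl='
'
    # PuTTYgen's save-as-file format spans several lines; only the single
    # "ssh-rsa AAAA..." line from the paste box belongs in authorized_keys.
    case "$key" in
        *"$nl"*) echo "key must be a single line" >&2; return 1 ;;
    esac
    case "$key" in
        "ssh-rsa "*|"ssh-dss "*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"                   # sshd rejects a group/world-writable .ssh
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"   # and a writable authorized_keys
    # Append only if this exact key line is not already there (idempotent)
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    # When run as root on behalf of the user, also: chown -R user2:user2 "$home/.ssh"
}
```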



Configuring your SSH client to use public key authentication
Open the SSH client and key in the information as below.

On the next screen, you will need to configure your client to use public key authentication.
 
VMware vSphere 4.1 Console Lockdown
Next, it is a must to make sure that public key authentication works before going any further. You will need to log in as a normal user and su to root. You will then need to modify the file /etc/ssh/sshd_config. Always remember to perform a backup before changing any file. For newbies, I would suggest using the nano command. :)


Configuration in sshd_config

  • Protocol 2
  • PermitRootLogin no
  • PubkeyAuthentication yes
  • AuthorizedKeysFile .ssh/authorized_keys
  • PasswordAuthentication no
  • PermitEmptyPasswords no
If everything works as it should, when you try to SSH to the host with a normal (password-only) SSH client, you will see the client disappear, because password authentication is no longer accepted.
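A way to verify the lockdown above from the console, as an added example that is not part of the original post: the audit reads the effective value of each directive the same way sshd does (first occurrence wins, names are case-insensitive) and reports anything that is unset or differs from the expected value.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the lockdown values above.
# sshd honours the FIRST occurrence of a directive, so the audit does too.

# Print the effective value of one directive (case-insensitive), or nothing.
sshd_directive() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and blanks
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Check a file against the expected settings; print each mismatch and
# return the number of mismatches (0 means the lockdown is in place).
# An unset directive counts as a mismatch on purpose: sshd's built-in
# defaults (e.g. PasswordAuthentication yes) are exactly what we are removing.
audit_sshd_config() {
    cfg="$1"
    fails=0
    for pair in Protocol=2 PermitRootLogin=no PubkeyAuthentication=yes \
                AuthorizedKeysFile=.ssh/authorized_keys \
                PasswordAuthentication=no PermitEmptyPasswords=no; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_directive "$cfg" "$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name: expected '$want', found '${have:-<unset>}'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing; the new settings only take effect once sshd has been restarted (service sshd restart), so keep the current session open until a fresh key-based login succeeds.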

The last step is to configure the firewall rules. You will need to do the following:
1) log in to the host
2) create a new file, firewall.sh, and copy and paste the entire content of the listing below into it
3) chmod 700 ./firewall.sh
4) ./firewall.sh - to execute the configuration


#!/bin/sh
# Explanation of the iptables entries
# Replace 10.215.x.x with the address of the computer you manage the host from.

# Flush all existing rules in the filter table
iptables -F

# Accept incoming packets belonging to connections that are already established (or related to them)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept all outgoing traffic
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Allow incoming ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Allow outgoing ICMP
iptables -A OUTPUT -p icmp -j ACCEPT

# Allow port 22 (SSH) from any address
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow port 902 (VMware ESX console) only from your computer's IP
iptables -A INPUT -p tcp --dport 902 -s 10.215.x.x -j ACCEPT

# Allow port 443 (VMware ESX web console) only from your computer's IP
iptables -A INPUT -p tcp --dport 443 -s 10.215.x.x -j ACCEPT

# Allow loopback connections; this is needed by the VMware Infrastructure Client
iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# Drop everything else coming in
iptables -A INPUT -j DROP

# Drop all forwarded traffic
iptables -A FORWARD -j DROP

# Save the configuration so it survives a reboot
service iptables save

# Restart the iptables service
service iptables stop
service iptables start
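The same firewall as an added, hardened variant (not the post's script): DROP becomes the chain policy instead of a trailing rule, loopback is matched by interface rather than by a spoofable 127.0.0.1 source address, and SSH is restricted to the management stations like ports 902 and 443 already are. The MGMT_IPS addresses are constructed placeholders; the DRY_RUN switch prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the post's script: the same firewall with three gaps
# closed: DROP as the chain policy (so a missing rule still denies), loopback
# matched by interface (a bare -s 127.0.0.1 rule trusts a spoofable source
# address), and SSH limited to the management stations like 902/443.
# MGMT_IPS are constructed placeholders; set them to your admin workstations.
# Apply it from the physical console, not over SSH, so a typo cannot lock you out.
MGMT_IPS="${MGMT_IPS:-10.215.0.10 10.215.0.11}"

# Wrapper: with DRY_RUN set, print the commands instead of running them
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_firewall() {
    ipt -F
    ipt -P INPUT DROP                    # default deny, even if a rule is missing
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT         # loopback by interface, not by address
    ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP   # loopback source on a real NIC
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    for ip in $MGMT_IPS; do              # NEW connections only from admin hosts
        ipt -A INPUT -p tcp --dport 22  -s "$ip" -m state --state NEW -j ACCEPT
        ipt -A INPUT -p tcp --dport 902 -s "$ip" -m state --state NEW -j ACCEPT
        ipt -A INPUT -p tcp --dport 443 -s "$ip" -m state --state NEW -j ACCEPT
    done
    # Log what the policy drops (rate limited) so blocked attempts are visible
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ESX-DROP: "
    [ -n "$DRY_RUN" ] || service iptables save    # persist across reboots
}

# Number of -A rules the policy installs; a quick sanity check after edits
rule_count() { ( DRY_RUN=1; apply_firewall ) | grep -c ' -A '; }
```

Review with `DRY_RUN=1 sh firewall.sh` style invocation of apply_firewall first; a dropped attempt then shows up in /var/log/messages with the ESX-DROP: prefix.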



What do we have now?
Let me explain the risks and the measures we have, based on a few scenarios.

Case study
1) What happens if an internal hacker tries to hack your VMware machine?
Answer: The host has been configured not to allow direct root access, so the chances are 0%.


2) What happens if an internal hacker can copy out your public key?
Answer: The hacker still needs to guess the passphrase of your key. Even if he gets it, he must still have the root password before he can do any further damage.


3) What happens if the hacker knows the IP address of your VMware host?
Answer: Although he knows it, he must still guess which IP addresses are allowed to connect to the VMware host. Say in a smaller environment you have 100 IPs; the chances are 1%.




