Security Audit – Set ssh timeouts

Security auditors will flag SSH access to ESXi hosts as a finding. This can be mitigated by setting timeout values and tying the starting of the service to a vCenter user, so that every time the service is enabled there is an identifiable account behind it.

When an SSH session is needed, the service has to be started from vCenter or the DCUI. (In the case of DCUI access, either the physical access controls of the data centre or the remote system board will be the origin of the audit trail.)

There are two variables to set: UserVars.ESXiShellTimeOut and UserVars.ESXiShellInteractiveTimeOut.

These can be seen in vCenter Inventory -> host -> Configuration tab -> Software -> Advanced Settings.
In the left panel, select UserVars.

Values are in seconds, e.g. 900 = 15 minutes. A value of 0 disables the timeout, which is exactly what an auditor will look for.


Configure UserVars.ESXiShellTimeOut

This is the amount of time that can elapse after SSH is enabled before you must log in. Once the timeout expires the service is stopped and no new logins are accepted. Sessions that are already open persist, but after the user logs out or the session is terminated nobody can log in again, because the SSH service is no longer running.


Configure the setting for all ESXi servers in a cluster with the following PowerCLI command:

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 1800

Validate

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellTimeOut | ft -AutoSize


UserVars.ESXiShellInteractiveTimeOut

The idle timeout is the amount of time that can elapse before the user is logged out of an idle interactive session.

Configure the setting for all ESXi servers in a cluster with the following PowerCLI command:

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 1800

Validate

Get-AdvancedSetting -Entity (Get-Cluster <cluster> | Get-VMHost) -Name UserVars.ESXiShellInteractiveTimeOut | ft -AutoSize
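Setting both values blindly is fine for a one-off, but for an audit you usually want to report what is out of policy first and only remediate the hosts that need it. The script below is an added example, not part of the original post: it pulls both UserVars settings for every host in a cluster, compares them against a policy table, and corrects only the non-compliant ones. The cluster name 'Prod-Cluster', the 1800-second policy and the sample host names are placeholders; the live section at the end assumes an existing Connect-VIServer session and the PowerCLI module.

```powershell
# Added example (not from the original post): audit and enforce both ESXi shell
# timeouts across a cluster, reporting non-compliant hosts before changing anything.
# Policy values are assumptions; treat them as maximums (a shorter timeout is stricter).

$Policy = @{
    'UserVars.ESXiShellTimeOut'            = 1800   # seconds before a started SSH/shell service is stopped again
    'UserVars.ESXiShellInteractiveTimeOut' = 1800   # seconds an idle interactive session may stay open
}

function Test-ShellTimeoutCompliance {
    # Pure comparison logic: takes objects with Entity, Name and Value (the shape
    # Get-AdvancedSetting returns) plus the policy table, and returns one result
    # object per host/setting with a Compliant flag.
    param(
        [Parameter(Mandatory)] $Settings,
        [Parameter(Mandatory)] [hashtable] $Policy
    )
    foreach ($s in $Settings) {
        $expected = $Policy[$s.Name]
        $current  = [int]$s.Value
        [pscustomobject]@{
            Host      = $s.Entity.Name
            Setting   = $s.Name
            Current   = $current
            Expected  = $expected
            # 0 disables the timeout entirely, so it is never compliant regardless of policy.
            Compliant = ($current -ne 0) -and ($current -le $expected)
        }
    }
}

# Constructed sample data standing in for Get-AdvancedSetting output, so the
# comparison logic can be exercised without a vCenter connection.
$sample = @(
    [pscustomobject]@{ Entity = [pscustomobject]@{ Name = 'esx01' }; Name = 'UserVars.ESXiShellTimeOut';            Value = '0' }
    [pscustomobject]@{ Entity = [pscustomobject]@{ Name = 'esx01' }; Name = 'UserVars.ESXiShellInteractiveTimeOut'; Value = '1800' }
    [pscustomobject]@{ Entity = [pscustomobject]@{ Name = 'esx02' }; Name = 'UserVars.ESXiShellTimeOut';            Value = '3600' }
)
Test-ShellTimeoutCompliance -Settings $sample -Policy $Policy | Format-Table -AutoSize
# esx01 (timeout disabled with 0) and esx02 (3600 > 1800) are reported as non-compliant.

# Live run against a cluster: audit first, then remediate only what is out of policy.
# Requires an active Connect-VIServer session; 'Prod-Cluster' is a placeholder name.
$hosts  = Get-Cluster -Name 'Prod-Cluster' | Get-VMHost
$live   = Get-AdvancedSetting -Entity $hosts -Name ([string[]]$Policy.Keys)
$report = Test-ShellTimeoutCompliance -Settings $live -Policy $Policy
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Get-AdvancedSetting -Entity (Get-VMHost -Name $_.Host) -Name $_.Setting |
        Set-AdvancedSetting -Value $_.Expected -Confirm:$false
}
$report | Format-Table -AutoSize
```

The compliance check is kept separate from the cmdlets that talk to vCenter so it can be run against captured or sample data, which is also the part an auditor will ask to see. Drop -Confirm:$false if you prefer to approve each change interactively.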


How easy is that… imagine doing it by hand… save yourself a lot of clicking
