ESXi hosted on public IP without firewall

So I've got an interesting problem.

I currently rent a couple of servers from Hetzner (a German hosting provider). Each server has a soft firewall and does something like web hosting / database.

I would like to rent a beefier server and set up a hypervisor like ESXi on it with a vSwitch connected to the physical NIC and a pfSense VM, and another vSwitch from the pfSense VM to the other VMs. Unfortunately, Hetzner does not appear to provide a hardware firewall in between the public interface and your server (leaving a soft firewall as the only option).

What are the security implications of running ESXi (v5.5) out in public like that? Quick research suggested this thread on spiceworks which sums it up as disabling SSH/Console (telnet?) access and setting up proper SSL cert and a very complex unguessable username/password pair. With the obvious implication of single-entry attack point.


Solution 1:

You can limit the IP addresses permitted through the ESXi firewall.

http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vcli.examples.doc_50%2Fcli_manage_networks.11.11.html

That is really all you need to harden it. Locking your management down to specific IP addresses is very secure. Naturally, follow the other best practices regarding passwords etc. as well.

Just make sure to look at the firewall completely and lock down everything to your management IPs.

Non Static IP Alternative

Lock all ports down to 127.0.0.1 as given above except for SSH. Lock SSH down to private/public key authentication only and disable ChallengeResponseAuthentication and PasswordAuthentication. This is very secure.

Use your favourite SSH client connect to the server with a command line such as:

ssh my.vmhost.rackhoster -L80:localhost:80 -L443:localhost:443 -L903:localhost:903

Then leave the SSH session running and point your browser to https://localhost/ and it will automatically forward port 443 through to the ESXi host. Change the ports if you are already using port 443 on your local machine (i.e., -L8443:localhost:443 instead, then browse to https://localhost:8443/). Same for port 80. Port 903 is for the console.

If you ever lose your private key you're pretty screwed this way, so back it up! :-)

For ultra security ensure your private key is encrypted with a good passphrase. Don't forget it!

Solution 2:

Use the ESXi builtin firewall to close down unneeded ports and limit access to the open ones to a range of known IP addresses.

This might be challenging if you do not use a fixed external IP address at home (like most people), so you may end up restricting access to the addresses of some other servers that you have on the Internet.
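Both solutions rely on the ESXi firewall's per-ruleset allowed-IP lists. The shell snippet below is an added example, not from either answer or from VMware: it parses a constructed sample of `esxcli network firewall ruleset allowedip list` output (the column layout is assumed from memory of ESXi 5.x), reports every ruleset still open to any source, and prints the esxcli commands that would restrict those rulesets to an assumed management network; it never runs esxcli itself, so it can be reviewed offline before anything is applied on the host.

```shell
#!/bin/sh
# Constructed sample of `esxcli network firewall ruleset allowedip list` output.
# Column layout assumed: ruleset name, then "All" or a list of permitted addresses.
SAMPLE_ALLOWEDIP='Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
vSphereClient   All
webAccess       203.0.113.10
faultTolerance  All
'

# Placeholder management network; replace with the addresses you administer from.
MGMT_CIDR="203.0.113.0/24"

# Print the names of rulesets whose allowed list is "All", i.e. reachable from
# every source address on the public interface. Skips the two header lines.
open_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "All" { print $1 }'
}

# For each open ruleset, emit the two esxcli commands that turn off allow-all
# and add the management network. Output is printed only, never executed here.
restrict_commands() {
    for rs in $(open_rulesets "$1"); do
        printf 'esxcli network firewall ruleset set --ruleset-id %s --allowed-all false\n' "$rs"
        printf 'esxcli network firewall ruleset allowedip add --ruleset-id %s --ip-address %s\n' "$rs" "$2"
    done
}

# Stand-alone run: show what is still open and what would be changed.
echo "Rulesets open to any source:"
open_rulesets "$SAMPLE_ALLOWEDIP"
echo
echo "Proposed esxcli commands:"
restrict_commands "$SAMPLE_ALLOWEDIP" "$MGMT_CIDR"
```

On a real host, pipe the live `esxcli network firewall ruleset allowedip list` output into `open_rulesets` instead of the sample and keep one ruleset open to your current address until the restricted set has been tested from it.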