1.1.) To check if Lockdown mode is enabled:
[root@vesxi60-1:~] vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
false
1.2.) To disable Lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit
1.3.) To enable Lockdown mode:
vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
2.) Strict Lockdown mode can only be enabled from the GUI; vim-cmd has no option for it.
3.) Configure a user on the Lockdown Mode Exception Users list
3.1.) Add users to the DCUI.Access advanced option (the users allowed to log in to the DCUI; root is the only entry by default):
[root@vesxi60-1:~] vim-cmd hostsvc/advopt/view DCUI
(vim.option.OptionValue) [
(vim.option.OptionValue) {
key = "DCUI.Access",
value = "root"
}
]
[root@vesxi60-1:~] vim-cmd hostsvc/advopt/update DCUI.Access string root,kb
[root@vesxi60-1:~] vim-cmd hostsvc/advopt/view DCUI
(vim.option.OptionValue) [
(vim.option.OptionValue) {
key = "DCUI.Access",
value = "kb, root"
}
]
4.) Customize SSH settings for increased security
4.1.) Check whether the SSH service is started at boot:
[root@vesxi60-1] chkconfig --list SSH
SSH on
4.2.) Check the current shell timeout (0 means the shell never times out):
[root@vesxi60-1:~] esxcfg-advcfg -q -g /UserVars/ESXiShellTimeOut
0
[root@vesxi60-1:~] esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut
Path: /UserVars/ESXiShellTimeOut
Type: integer
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 86400
String Value:
Default String Value:
Valid Characters:
Description: Time before automatically disabling local and remote shell access (in seconds, 0 disables). Takes effect after the services are restarted.
4.3.) Set the shell timeout to 1 hour (3600 seconds) and restart the SSH service so the new value takes effect:
[root@vesxi60-1:~] esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 3600
[root@vesxi60-1:~] /etc/init.d/SSH restart
SSH login disabled
SSH login enabled
[root@vesxi60-1:~] esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut
Path: /UserVars/ESXiShellTimeOut
Type: integer
Int Value: 3600
Default Int Value: 0
Min Value: 0
Max Value: 86400
String Value:
Default String Value:
Valid Characters:
Description: Time before automatically disabling local and remote shell access (in seconds, 0 disables). Takes effect after the services are restarted.
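Added example, not part of these notes: a POSIX sh audit helper that reads the text output of the three commands used above (lockdown_is_enabled, advopt/view DCUI, esxcli settings list) and reports whether the host is in the intended state. The approved DCUI user list ("root,kb") and the 3600-second ceiling are assumptions taken from the steps above; the sample outputs are constructed copies of this page's sessions, not live output.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes. Each check takes the text
# output of one command shown above and returns 0 (compliant) or 1 (not), so it
# works on a saved report or on "$(vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled)".
# Lockdown: lockdown_is_enabled prints "true" or "false".
check_lockdown() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "true" ]
}
# DCUI.Access: every user in the value = "..." line must be in the approved
# comma-separated list $2 (the page shows value = "kb, root").
check_dcui_access() {
    value=$(printf '%s\n' "$1" | sed -n 's/.*value = "\([^"]*\)".*/\1/p')
    for u in $(printf '%s' "$value" | tr ',' ' '); do
        case ",$2," in
            *",$u,"*) ;;
            *) echo "unapproved DCUI user: $u" >&2; return 1 ;;
        esac
    done
    return 0
}
# ESXiShellTimeOut: "Int Value:" must be non-zero (0 = never) and at most $2
# seconds (default 3600, the value set in step 4.3).
check_shell_timeout() {
    secs=$(printf '%s\n' "$1" | sed -n 's/^ *Int Value: *\([0-9]*\).*/\1/p')
    [ -n "$secs" ] && [ "$secs" -ge 1 ] && [ "$secs" -le "${2:-3600}" ]
}
# Run all checks: $1..$3 are the command outputs, $4 the approved DCUI users.
audit_host() {
    rc=0
    check_lockdown "$1"         || { echo "FAIL: Lockdown mode not enabled"; rc=1; }
    check_dcui_access "$2" "$4" || { echo "FAIL: DCUI.Access has unapproved users"; rc=1; }
    check_shell_timeout "$3"    || { echo "FAIL: ESXiShellTimeOut is 0 or too high"; rc=1; }
    return $rc
}
# Constructed samples copied from the sessions on this page (not live output).
SAMPLE_LOCKDOWN='false'
SAMPLE_DCUI='(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "DCUI.Access",
      value = "kb, root"
   }
]'
SAMPLE_TIMEOUT='Path: /UserVars/ESXiShellTimeOut
Int Value: 3600
Default Int Value: 0'
if audit_host "$SAMPLE_LOCKDOWN" "$SAMPLE_DCUI" "$SAMPLE_TIMEOUT" "root,kb"; then echo PASS; else echo "host is not compliant"; fi
```

With the page's own values the run reports the Lockdown failure only, because the host above still has Lockdown mode disabled while DCUI.Access and the 3600-second timeout already match.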