ESX Password Lockout Policies

[gbugbear at gmail.com (Tim Mugherini)]

Thanks for the great info and script Carlos

Any recommendations on account lockout and preventing a DDOS in the form of?


thanks again

tim

On Mon, Sep 21, 2009 at 1:52 PM, Carlos Perez <carlos_perez at darkoperator.com
> wrote:

> This is a small script that forms part of my build process, in addition to
> this I tend to set the tcpwarapers to only allow the Virtual Center to talk
> to the ESX and I try to keep the management network in a different isolated
> VLAN, if using ESXi I like to use PVLANS to restrict access to them, for
> both scenarios I change the certificates to self signed ones if no PKI inf
> available, mark for certificate verification and thru GPO set the self
> signed CA cert to the management machines, in the case of an isolated VLAN I
> set NTP Servers on the Switches for the inf, in addition a Win2k8 TS Gateway
> with a Win2k8 TS server are set for access to the management Network and
> rules are set for certificates also on this plus only SNMP or Syslog traffic
> can go out for monitoring, if using VUM a rule is set so that only vCenter
> goes out and communicates strictly with a set a of DNS servers and
> the outbound web proxy server. The windows firewall is also enabled on the
> vCenter machine to block access other that RDP, 443, 8083 and 902.
> Cheers,
> Carlos
>
>
> On Mon, Sep 21, 2009 at 10:11 AM, Ben Greenfield <bcg at struxural.com>wrote:
>
> > Another major disadvantage that I see is that I believe doing this
> > requires enabled 'unsupported' mode in ESX.  How do you weigh the
> > security benefit of account lockouts against the issue of potentially
> > voiding your support contract with vmware?  I see issues like this
> > more and more with the newer (i series) ESX releases.  They are only
> > going to become more common as well.  Another example is running
> > Nessus scans (or any compliance scans) with credentials against
> > vmware.  I don't think that the new releases come with SSH enabled by
> > default, and enabling SSH requires jumping into that unsupported mode.
> >  Without SSH, you can do a credentialed compliance scan (for patches,
> > configuration, etc).  Maybe someone know's a different way to enable
> > SSH that I'm not aware of as well.
> >
> > I'd be very interested to know people's thoughts about this.
> >
> > On Fri, Sep 18, 2009 at 12:22 PM, Tim Mugherini <gbugbear at gmail.com>
> > wrote:
> > > After chatting with Carlos and Mick about VMWare & ESX account lockout
> > > policies (or lack thereof) during the pre show last night, I thought I
> > would
> > > start an email string here. Carlos had mentioned something last night
> > about
> > > integration with AD policies. A while back someone had popped this into
> > the
> > > IRC channel (Carlos I think it was you actually).
> > http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx
> > > So some sysadmins here came up with the following for the ESX console
> > > (warning have not tested yet).
> > >
> > > ------------------
> > >
> > > To configure the ESX service console to disable the account after three
> > > unsuccessful login attempts, add the
> > > following lines to /etc/pam.d/system-auth:
> > >
> > > auth required /lib/security/pam_tally.so no_magic_root
> > > account required /lib/security/pam_tally.so deny=3
> > > no_magic_root
> > >
> > > To create the file for logging failed login attempts, execute the
> > following
> > > commands:
> > >
> > > touch /var/log/faillog
> > > chown root:root /var/log/faillog
> > > chmod 600 /var/log/faillog
> > >
> > > -------------------
> > >
> > > Of course a major disadvantage here would be DDOS by locking our any
> > built
> > > in accounts so a more robust solution would be desired.
> > >
> > > Thoughts? Might make an interesting blog post ;)
> > >
> > > Thanks
> > >
> > > Tim
> > >
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090922/41efaba9/attachment.htm