PaulDotCom mailing list archives
ESX Password Lockout Policies
From: gbugbear at gmail.com (Tim Mugherini)
Date: Tue, 22 Sep 2009 10:00:36 -0400
Thanks for the great info and script, Carlos. Any recommendations on account lockout and preventing a DDOS in the form of?

Thanks again,
Tim

On Mon, Sep 21, 2009 at 1:52 PM, Carlos Perez <carlos_perez at darkoperator.com> wrote:
This is a small script that forms part of my build process. In addition to this I tend to set the tcpwrappers to only allow the Virtual Center to talk to the ESX, and I try to keep the management network in a different isolated VLAN; if using ESXi I like to use PVLANs to restrict access to them. For both scenarios I change the certificates to self-signed ones if no PKI infrastructure is available, mark for certificate verification and through GPO set the self-signed CA cert on the management machines. In the case of an isolated VLAN I set NTP servers on the switches for the infrastructure; in addition a Win2k8 TS Gateway with a Win2k8 TS server are set for access to the management network, and rules are set for certificates on this also, plus only SNMP or Syslog traffic can go out for monitoring. If using VUM a rule is set so that only vCenter goes out and communicates strictly with a set of DNS servers and the outbound web proxy server. The Windows firewall is also enabled on the vCenter machine to block access other than RDP, 443, 8083 and 902.

Cheers,
Carlos

On Mon, Sep 21, 2009 at 10:11 AM, Ben Greenfield <bcg at struxural.com> wrote:

Another major disadvantage that I see is that I believe doing this requires enabling 'unsupported' mode in ESX. How do you weigh the security benefit of account lockouts against the issue of potentially voiding your support contract with VMware? I see issues like this more and more with the newer (i series) ESX releases. They are only going to become more common as well. Another example is running Nessus scans (or any compliance scans) with credentials against VMware. I don't think that the new releases come with SSH enabled by default, and enabling SSH requires jumping into that unsupported mode. Without SSH, you can do a credentialed compliance scan (for patches, configuration, etc). Maybe someone knows a different way to enable SSH that I'm not aware of as well. I'd be very interested to know people's thoughts about this.
On Fri, Sep 18, 2009 at 12:22 PM, Tim Mugherini <gbugbear at gmail.com> wrote:

After chatting with Carlos and Mick about VMware & ESX account lockout policies (or lack thereof) during the pre-show last night, I thought I would start an email string here. Carlos had mentioned something last night about integration with AD policies. A while back someone had popped this into the IRC channel (Carlos, I think it was you actually).

http://blog.securitywhole.com/2009/09/01/brute-force-esx-usernamepassword.aspx

So some sysadmins here came up with the following for the ESX console (warning: have not tested yet).

------------------
To configure the ESX service console to disable the account after three unsuccessful login attempts, add the following lines to /etc/pam.d/system-auth:

auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root

To create the file for logging failed login attempts, execute the following commands:

touch /var/log/faillog
chown root:root /var/log/faillog
chmod 600 /var/log/faillog
-------------------

Of course a major disadvantage here would be DDOS by locking out any builtin accounts, so a more robust solution would be desired. Thoughts? Might make an interesting blog post ;)

Thanks
Tim

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
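Added example, not code from the thread, from VMware or from any of the posters: a POSIX shell script that stages the pam_tally lockout Tim quoted and the tcpwrappers restriction Carlos described, against a root directory you choose, so the change can be dry-run in a scratch tree before being applied to a real service console. It adds one thing the thread did not have, an unlock_time= on the account line, so that an attacker spraying bad passwords locks an account for 15 minutes rather than permanently, which limits the lockout-as-DoS problem Tim raised. Assumptions: an ESX 3.x/4.0 service console whose Linux-PAM pam_tally understands deny=, no_magic_root and unlock_time= (the script has not been run on ESX itself), that the pam_tally command-line tool is present for resetting counters, and a made-up vCenter address of 10.0.0.5. Because no_magic_root counts root as well, keep an out-of-band console path before enabling it.

```shell
#!/bin/sh
# Added example (not from the thread): stage the pam_tally lockout from the
# thread plus a vCenter-only tcpwrappers policy under ROOT, e.g.
#   sh esx_lockout.sh /tmp/esx-dryrun     (dry run in a scratch tree)
#   sh esx_lockout.sh /                   (as root on the service console)
# Assumptions: RHEL-style system-auth; pam_tally supports deny=, no_magic_root
# and unlock_time=; 10.0.0.5 is a placeholder for the real vCenter host.

VCENTER_IP="${VCENTER_IP:-10.0.0.5}"   # assumption: replace with your vCenter

# The two lines posted in the thread, with unlock_time=900 added so a burst of
# bad passwords causes a 15-minute lockout rather than a permanent one.
TALLY_AUTH='auth        required      /lib/security/pam_tally.so no_magic_root'
TALLY_ACCT='account     required      /lib/security/pam_tally.so deny=3 no_magic_root unlock_time=900'

# insert_before_first FILE TYPE LINE: put LINE ahead of the first TYPE stanza
# (auth or account) unless it is already there. The tally line goes first in
# the auth stack so every attempt is counted before pam_unix decides.
insert_before_first() {
  file=$1; type=$2; line=$3
  if grep -qF -- "$line" "$file"; then
    return 0                       # already present: stay idempotent
  fi
  awk -v t="$type" -v l="$line" '
    !done && $1 == t { print l; done = 1 }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# configure_lockout ROOT: apply the PAM lines and create the faillog file
# with the ownership and mode from the thread.
configure_lockout() {
  root=$1
  pam="$root/etc/pam.d/system-auth"
  faillog="$root/var/log/faillog"
  if [ ! -f "$pam" ]; then
    echo "configure_lockout: $pam not found" >&2
    return 1
  fi
  insert_before_first "$pam" auth "$TALLY_AUTH"
  insert_before_first "$pam" account "$TALLY_ACCT"
  mkdir -p "$(dirname "$faillog")"
  [ -f "$faillog" ] || : > "$faillog"
  chmod 600 "$faillog"
  chown root:root "$faillog" 2>/dev/null ||
    echo "note: not running as root, faillog owner left unchanged" >&2
}

# configure_tcpwrappers ROOT: only vCenter may reach libwrap-aware services
# (sshd, vmware-authd); everything else is denied.
configure_tcpwrappers() {
  root=$1
  mkdir -p "$root/etc"
  grep -qF "ALL: $VCENTER_IP" "$root/etc/hosts.allow" 2>/dev/null ||
    printf 'ALL: %s\n' "$VCENTER_IP" >> "$root/etc/hosts.allow"
  grep -qF 'ALL: ALL' "$root/etc/hosts.deny" 2>/dev/null ||
    printf 'ALL: ALL\n' >> "$root/etc/hosts.deny"
}

# lockout_state ROOT: print "ok" when both tally lines are present and the
# auth line precedes pam_unix, otherwise "missing". A post-change check.
lockout_state() {
  pam="$1/etc/pam.d/system-auth"
  a=$(grep -nF -- "$TALLY_AUTH" "$pam" | cut -d: -f1)
  u=$(grep -n '^auth.*pam_unix' "$pam" | head -1 | cut -d: -f1)
  if [ -n "$a" ] && [ -n "$u" ] && [ "$a" -lt "$u" ] &&
     grep -qF -- "$TALLY_ACCT" "$pam"; then
    echo ok
  else
    echo missing
  fi
}

# unlock_user NAME: clear the counter for an account that got locked out,
# whether by a fat-fingered admin or by an attacker spraying passwords.
# Assumes the pam_tally command-line tool shipped with Linux-PAM.
unlock_user() {
  pam_tally --user "$1" --reset
}

if [ "$#" -gt 0 ]; then
  configure_lockout "$1" && configure_tcpwrappers "$1" && lockout_state "$1"
fi
```

Running it against a scratch root with a copy of the real system-auth shows exactly what will change before anything touches /etc; running it twice makes no further edits. The ordering check in lockout_state matters because the tally line only counts attempts that reach it, so it must sit ahead of the "sufficient" pam_unix entry.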
Current thread:
- ESX Password Lockout Policies Tim Mugherini (Sep 18)
- ESX Password Lockout Policies Ben Greenfield (Sep 21)
- ESX Password Lockout Policies Carlos Perez (Sep 21)
- ESX Password Lockout Policies Tim Mugherini (Sep 22)
- ESX Password Lockout Policies Carlos Perez (Sep 21)
- ESX Password Lockout Policies Ben Greenfield (Sep 21)