You edit the /etc/ssh/sshd_config file on all the hosts to disallow compression and disable port forwarding for the SSH daemon. You also enable secure boot and disable the OpenSLP service.
You perform the procedure from an SSH session connected to each ESXi host, and you repeat it on every ESXi host in the management domain.
- Log in to an ESXi host by using a Secure Shell (SSH) client with the
- Open the VI editor to add or edit the settings in /etc/ssh/sshd_config.
- NIST80053-VI-ESXi-CFG-00012: In the VI editor, add or correct the following line to disallow compression for the ESXi host SSH daemon.
- NIST80053-VI-ESXi-CFG-01111: Add or correct the following line to disable port forwarding for the ESXi host SSH daemon.
- Save and close the VI editor.
- Restart the SSH service to apply the new configurations.
- NIST80053-VI-ESXi-CFG-01108: Enable secure boot on the host. First run the secure boot validation script, which reports whether the installed VIBs are signed and whether the host is able to boot with secure boot turned on:
# /usr/lib/vmware/secureboot/bin/secureBoot.py -c
Note: If the imaging appliance (VIA) is used to image the ESXi hosts, be aware that it currently does not support UEFI, which is a requirement for enabling secure boot. ESXi installations done through other methods are supported and can use UEFI and enable secure boot.
If the output indicates that secure boot cannot be enabled, correct the reported discrepancies and run the check again. The script only validates the host; secure boot itself is switched on in the server's UEFI firmware settings and takes effect on the next reboot.
- NIST80053-VI-ESXi-CFG-01112: Disable the OpenSLP service on the host, close its firewall ruleset, and prevent it from starting at boot.
# /etc/init.d/slpd stop
# esxcli network firewall ruleset set -r CIMSLP -e 0
# chkconfig slpd off
- Perform the procedure on the remaining hosts in the management domain.
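The per-host procedure above as one script, added here as an example; it is not part of the original page or of VMware's own tooling. It assumes a POSIX shell with awk (the ESXi shell qualifies), the standard sshd_config directives Compression and AllowTcpForwarding, the path /etc/ssh/sshd_config (overridable through the assumed SSHD_CONFIG variable so the editing functions can be tried on a copy of the file first), and the ESXi service script /etc/init.d/SSH. The function names are assumptions of this example. Unlike a plain append, it removes duplicate and commented-out copies of each directive and places the enforced line before any Match block, because sshd uses the first value it reads and a Match block overrides the global setting for the hosts or users it names.

```shell
#!/bin/sh
# Added example: enforce the sshd_config settings from the procedure above,
# verify them, then run the remaining ESXi steps. SSHD_CONFIG is an assumed
# variable so the file-editing functions can be exercised on a copy first.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# set_sshd_option FILE KEY VALUE
# Keeps a .bak copy, drops every global (pre-Match) copy of KEY, whether
# active or commented out, and writes exactly one "KEY VALUE" line where the
# first copy stood; if KEY was absent the line goes before the first Match
# block, or at the end of the file when there is no Match block.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    cp "$file" "$file.bak"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; inmatch = 0 }
        /^[[:space:]]*Match([[:space:]]|$)/ {
            # A Match block runs to end of file; the global line must precede it.
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        {
            commented = ($0 ~ /^[[:space:]]*#/)
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip blanks and "#"
            split(line, f, /[[:space:]]+/)
            if (f[1] == k) {
                if (!inmatch) {
                    if (!done) { print k " " v; done = 1 }
                    next                      # drop duplicate or commented copies
                } else if (!commented) {
                    # Left untouched on purpose: review it, it overrides the global value.
                    print "warning: " k " also set inside a Match block: " $0 > "/dev/stderr"
                }
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option_is FILE KEY VALUE
# Succeeds only if the effective global value of KEY is VALUE, using the same
# rule as sshd: the first uncommented occurrence before any Match block wins.
sshd_option_is() {
    awk -v k="$2" -v v="$3" '
        /^[[:space:]]*Match([[:space:]]|$)/ { exit }
        /^[[:space:]]*#/ { next }
        $1 == k && !seen { val = $2; seen = 1 }
        END { exit (val == v) ? 0 : 1 }
    ' "$1"
}

# harden_host: the full per-host procedure; only meaningful on an ESXi host.
harden_host() {
    set_sshd_option "$SSHD_CONFIG" Compression no
    set_sshd_option "$SSHD_CONFIG" AllowTcpForwarding no
    sshd_option_is "$SSHD_CONFIG" Compression no &&
        sshd_option_is "$SSHD_CONFIG" AllowTcpForwarding no || return 1
    # Restart the SSH daemon (ESXi service name is SSH). Open a second session
    # and confirm it works before closing the one you are working in.
    /etc/init.d/SSH restart || return 1
    # Validate the host for secure boot; fix any reported discrepancies and rerun.
    /usr/lib/vmware/secureboot/bin/secureBoot.py -c || return 1
    # Stop OpenSLP, close its firewall ruleset, and keep it from starting at boot.
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off
}

# Usage on a host: sh harden-esxi.sh --apply
case "${1:-}" in --apply) harden_host ;; esac
```

Running the editing functions against a copy of the file (SSHD_CONFIG=/tmp/sshd_config.test) before touching the live one shows exactly which lines change, and the .bak copy gives a rollback if the restarted daemon rejects the configuration.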