As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain required SSH key file permissions on these appliances.

About this task

All VMware virtual appliances include the tcp_wrappers package to allow tcp-supported daemons to control the network subnets that can access the libwrapped daemons. By default, the /etc/hosts.allow file contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as appropriate for your organization.

Procedure

  1. Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor.
  2. Change the generic entry in your production environment to include only the local host entries and the management network subnet for secure operations.
    sshd:127.0.0.1 : ALLOW
    sshd: [::1] : ALLOW
    sshd: 10.0.0.0 :ALLOW

    In this example, all local host connections and connections that the clients make on the 10.0.0.0 subnet are allowed.

  3. Add all appropriate machine identification, for example, host name, IP address, fully qualified domain name (FQDN), and loopback.
  4. Save the file and close it.