As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain required SSH key file permissions on these appliances.
All VMware virtual appliances include the tcp_wrappers package, which lets TCP-based daemons control which network subnets can reach the libwrap-linked daemons. By default, the /etc/hosts.allow file contains a generic entry, sshd: ALL : ALLOW, that allows all access to the secure shell. Restrict this access as appropriate for your organization.
- Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor.
- Change the generic entry in your production environment to include only the local host entries and the management network subnet for secure operations.
sshd: 127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0 : ALLOW
In this example, all local host connections and connections from clients on the 10.0.0.0 subnet are allowed.
- Add all appropriate machine identification, for example, host name, IP address, fully qualified domain name (FQDN), and loopback.
- Save the file and close it.
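To verify the result of these steps, the following Python script, an added example that is not part of this VMware procedure, parses hosts.allow-style entries, evaluates whether sshd would admit a given client address using the client pattern forms defined in hosts_access(5), and flags the default sshd: ALL entry; the hosts.allow text in it is constructed.

```python
import ipaddress
import re

# Constructed sample of a hardened hosts.allow (not a real appliance file).
SAMPLE_HOSTS_ALLOW = """\
sshd: 127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0/255.255.255.0 : ALLOW
sshd: 10.1. : ALLOW
"""
# Split fields on ':' except inside a bracketed IPv6 literal such as [::1].
_FIELD_SPLIT = re.compile(r":(?![^\[]*\])")

def parse_rules(text):
    """Yield (daemons, clients, option) tuples; a missing option means ALLOW."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in _FIELD_SPLIT.split(line)]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split() if len(fields) > 1 else []
        option = fields[2].upper() if len(fields) > 2 else "ALLOW"
        yield daemons, clients, option

def client_matches(pattern, addr):
    """Test one hosts_access(5) client pattern against an ipaddress object."""
    if pattern == "ALL":
        return True
    if pattern.startswith("["):                 # [ipv6] or [ipv6]/prefixlen
        literal, _, plen = pattern[1:].partition("]")
        return addr in ipaddress.ip_network(literal + (plen or "/128"), strict=False)
    if "/" in pattern:                          # n.n.n.n/m.m.m.m or CIDR
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                   # "10.1." prefix form
        return str(addr).startswith(pattern)
    try:                                        # a bare address matches one host only
        return addr == ipaddress.ip_address(pattern)
    except ValueError:                          # hostname patterns are not resolved here
        return False

def sshd_allowed(text, client_ip):
    """First matching sshd rule decides; no match means hosts.allow grants nothing."""
    addr = ipaddress.ip_address(client_ip)
    for daemons, clients, option in parse_rules(text):
        if ("sshd" in daemons or "ALL" in daemons) and any(client_matches(c, addr) for c in clients):
            return option != "DENY"
    return False

def sshd_open_to_all(text):
    """Flag the default 'sshd: ALL : ALLOW' style entry that hardening removes."""
    return any(("sshd" in d or "ALL" in d) and "ALL" in c and o != "DENY"
               for d, c, o in parse_rules(text))
```

In tcp_wrappers a bare address such as 10.0.0.0 matches only that one host; to admit a whole management subnet, use the net/mask form (10.0.0.0/255.255.255.0) or a trailing-dot prefix (10.0.). Feed the real /etc/hosts.allow contents to sshd_allowed and sshd_open_to_all to audit an appliance.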