ESXi/vCenter hardening (inventory service issue)

We had a Pen Test done recently on a couple of vBlocks that we need some security accreditation against. (See how I’m being vague there for security reasons 😉)

One of the items that came up was a weak cipher on port 10109 of the vCenter server.

Zut Alors!  That sounds serious, well it might be.

Not seeing a way to update the service which was opening this port (vCenter Inventory Service), I did what we would all do, which was search for the KB article. Impressively, there was an article referring to my exact issue, nice!

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2063001&SRC=vmw_so_vex_cneal_850

Well, it was until I read it. The advice was to “disable the firewall rule preventing access to this port”.

This is actually back to front. As I found, in Windows Firewall there is actually an allow rule for

“vCenter Inventory Service – Service Management Port”

So what is required is actually for that port to be blocked. Simply change the Windows Firewall rule:

  1. Right click the rule called “vCenter Inventory Service – Service Management Port”
  2. On the general tab under action change “Allow the connection” to “Block the connection”
  3. Test that you can no longer telnet to port 10109 remotely
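The same three steps scripted, as an added PowerShell example that is not from the original post. It assumes the NetSecurity cmdlets (Windows Server 2012 or later) and uses a placeholder vCenter hostname; the wildcard in the rule name is there because the real rule may use a hyphen rather than the dash shown above.

```powershell
# Added example: flip the vCenter Inventory Service allow rule for TCP/10109
# to Block, then confirm the port is unreachable. Assumes NetSecurity cmdlets
# (Server 2012+); on 2008 R2 the equivalent is
#   netsh advfirewall firewall set rule name="<rule name>" new action=block

# Step 1: find the rule (run elevated on the vCenter server). Wildcard copes
# with hyphen vs dash in the display name.
$rule = Get-NetFirewallRule -DisplayName 'vCenter Inventory Service*Service Management Port'
if (-not $rule) { throw 'Rule not found; check the name in wf.msc' }

# Sanity check: make sure this rule really covers port 10109 before touching it
$port = ($rule | Get-NetFirewallPortFilter).LocalPort
if ($port -ne '10109') { throw "Unexpected local port on rule: $port" }

# Step 2: keep the rule, change Allow -> Block. A Block rule takes precedence
# over any other Allow rule for the port, which is stronger than just disabling it.
$rule | Set-NetFirewallRule -Action Block
Get-NetFirewallRule -DisplayName 'vCenter Inventory Service*Service Management Port' |
    Select-Object DisplayName, Enabled, Direction, Action

# Step 3: from a different machine, the TCP connect must now fail
$vc = 'vcenter.example.local'   # placeholder hostname, replace with your vCenter
$t = Test-NetConnection -ComputerName $vc -Port 10109 -WarningAction SilentlyContinue
if ($t.TcpTestSucceeded) { Write-Warning "Port 10109 is still reachable on $vc" }
else { Write-Output "Port 10109 is blocked on $vc" }
```

Run the last section from a host that is not the vCenter server itself, otherwise the loopback connection does not exercise the firewall rule.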

This was confirmed after logging a call with VMware (the KB article does state that the port is used for debugging and is used by any external agent).

Hopefully the KB will be updated soon
