Another very basic question.
XSI Backup pro is installed on our main EsXi and the 3 others EsXi are linked to the main one. Remote backup are working, no issue there.
Can I now deactivate secure SHELL and its port on all my EsXi without breaking that configuration? Will the main EsXi still be able to connect to the remote EsXi? (I don't think so).
But I also don't think that it's best practice to let SSH access to all our EsXi (even if you change the default port number).
What do you recommend?
Thank you for your time and assistance.
Last edited by lfkl (2019-03-18 03:34:05)
You can't block your SSH port, that's the communication protocol between XSIBackup servers.
Use your firewall to limit access based on IP. Changing the default SSH port will keep you safe from most warms that just scan standard ports to break through using delayed brute force attacks mainly.
Configuring the sshd_config (/etc/ssh/sshd_config) file to disable password authentication will close the main entrance door. XSIBackup uses a key pair to authenticate, which is far more secure.
In regards to directly focused attacks (if you suspect you may be the target of one of them). Use a firewall to drop packets comming from unknown networks and use a rate limiting chain to limit the rate of eventual attacks. You can detect the offending networks and even close down the SSH service temporarily if you suspect they may be spoofing some valid IP of yours.
Thank you for your detailed answer.
A workaround solution could be to install XSI backup pro on all other EsXi as we do not have so many but I'm not sure we're entitled to do it in terms of license rights with only one license purchase ?
Of course, that also means as many XSI version updates as EsXi which is fast but still time consuming.
Yes, XSIBACKUP-PRO license is per crontab, up to 20 hosts from one crontab.
This is regular systems administration of SSH service. Many services work over SSH nowadays and securing this protocol is part of every day system admin's tasks.