As part of your system hardening process, restrict Secure Shell (SSH) access by configuring the tcp_wrappers package appropriately on all VMware virtual appliance host machines. Also maintain required SSH key file permissions on these appliances.

All VMware virtual appliances include the tcp_wrappers package, which lets libwrap-aware daemons such as sshd control which hosts and network subnets may connect to them. By default, the /etc/hosts.allow file contains a generic entry, sshd: ALL : ALLOW, that allows SSH access from any host. Restrict this access as appropriate for your organization.

1. Open the /etc/hosts.allow file on your virtual appliance host machine in a text editor.

2. Change the generic entry in your production environment so that it includes only the local host entries and the management network subnet used for secure operations.

   sshd: 127.0.0.1 : ALLOW
   sshd: [::1] : ALLOW
   sshd: 10.0.0.0 : ALLOW

   In this example, all local host connections and connections from clients on the 10.0.0.0 subnet are allowed. Note that hosts_access(5) treats a bare address such as 10.0.0.0 as a single host; to match an entire network, use the network/netmask form (for example, 10.0.0.0/255.255.255.0) or the trailing-dot prefix form (for example, 10.0.0.). IPv6 addresses must be enclosed in square brackets, as in [::1], so that their colons are not read as field separators.

3. Add all appropriate machine identification for the permitted clients, for example, host name, IP address, fully qualified domain name (FQDN), and loopback address.

4. Save the file and close it.
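The following script is an added example, not part of the VMware documentation: it audits a hosts.allow-style file for the unrestricted sshd: ALL entry that this procedure replaces and lists the client patterns still granted to sshd. The sample file it runs on is constructed here, and the /24 netmask on the 10.0.0.0 entry is an assumption.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: audit a hosts.allow file for
# the generic "sshd: ALL : ALLOW" entry that this procedure replaces, and list the
# client patterns that remain granted to sshd. Runs on a constructed sample file.

# Print the client-list field of every sshd rule in a hosts.allow-style file.
# Handles comments, blank lines, and IPv6 literals such as [::1], whose colons
# must not be mistaken for the field separator.
sshd_allow_patterns() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        i = index($0, ":"); if (i == 0) next
        daemon = substr($0, 1, i - 1); rest = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", daemon)
        if (daemon != "sshd") next           # other daemons are out of scope
        depth = 0; client = ""
        for (j = 1; j <= length(rest); j++) {   # stop at first ":" outside [...]
            c = substr(rest, j, 1)
            if (c == "[") depth++
            else if (c == "]") depth--
            else if (c == ":" && depth == 0) break
            client = client c
        }
        gsub(/^[ \t]+|[ \t]+$/, "", client)
        print client
    }' "$1"
}

# Exit 0 if any sshd rule still uses the ALL wildcard (the unrestricted default),
# including "ALL EXCEPT ..." client lists.
sshd_open_to_all() {
    sshd_allow_patterns "$1" | grep -qw 'ALL'
}

# Constructed sample: the hardened file from the procedure. The /24 mask on the
# 10.0.0.0 entry is an assumption; use your management network's actual mask.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/hosts.allow (constructed example)
sshd: 127.0.0.1 : ALLOW
sshd: [::1] : ALLOW
sshd: 10.0.0.0/255.255.255.0 : ALLOW
EOF
if sshd_open_to_all "$sample"; then
    echo "FAIL: sshd is still open to ALL"
else
    echo "OK: sshd restricted to:"; sshd_allow_patterns "$sample"
fi
rm -f "$sample"
```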