
Saturday, March 2, 2019

VMware ESXI SNMPv3 CLI Configuration - Fast Guide

Hello everybody. Because ESXi host monitoring is so important in managing a virtual environment (or SDDC), today I want to demonstrate a fast guide for configuring ESXi SNMP version 3 with ESXCLI (remember, it is done only by CLI, not the GUI). SNMP v1 and v2 are not secure: they do not support encryption and work only with a clear-text community string, so using them is a security compromise and they should not be used at all. I promised in this post of the security recommendation series to write a specific post about how to configure SNMPv3 on ESXi, so let me begin without wasting any more time:


# esxcli system snmp get                             "Show the current ESXi SNMP config"
# esxcli system snmp set -r                          "Reset to default settings"
# esxcli system snmp set -e 1                        "Enable SNMP"
# esxcli system snmp set -a SHA1                     "Select SHA1 as the authentication protocol"
# esxcli system snmp set -x AES128                   "Select AES128 as the privacy (encryption) protocol"
# esxcli system snmp set -E Eng_ID                   "Set the system engine ID"
# esxcli system snmp hash -A Auth_str -X Priv_Str -r "Hash the authentication and privacy passphrases (-r: given as raw strings)"

This generates the intended hash strings; select and copy both of them for use in the next command:
# esxcli system snmp set -R Mon_User/SHA1/hash1/AES128/hash2/Eng_ID

You can also change some default settings, such as the port and log level:
# esxcli system snmp set -p 161                            "Set SNMP Port"
# esxcli system snmp set -l warning                       "Define Log Level"

Some optional settings include:
# esxcli system snmp set -C Asset_Manager           "Set Contact Information"
# esxcli system snmp set -L  Node_Location           "Set Asset Location Info"
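The steps above end with pasting two hashes and an engine ID into one slash-separated string, which is easy to get wrong by hand. The script below is an added example, not code from the original post or from VMware: it validates the engine ID, refuses a "none" authentication or privacy protocol (which would bring back the clear-text problem of v1/v2), parses the hash-command output into the `-R` argument, and prints the esxcli sequence for review instead of running it. It assumes that `esxcli system snmp hash` prints an `Authhash:` and a `Privhash:` line (check this on your own build); `SAMPLE_ENGINE_ID` and `SAMPLE_HASH_OUTPUT` are constructed stand-ins, not real secrets.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the argument for
# `esxcli system snmp set -R` from the two hashes printed by
# `esxcli system snmp hash`, validates the engine ID first, refuses weak
# protocol choices, and prints the command sequence for review.
# ASSUMPTION: the hash command prints an "Authhash: <hex>" and a
# "Privhash: <hex>" line; check the layout on your own ESXi build.
# All SAMPLE_* values below are constructed, not real secrets.

# ESXi requires the SNMPv3 engine ID to be a hexadecimal string of 10 to 64 characters.
valid_engine_id() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -ge 10 ] && [ "${#1}" -le 64 ]
}

# Read hash-command output on stdin and print the value of one field
# (Authhash or Privhash).
hash_field() {
    awk -v key="$1" '$1 == (key ":") { print $2; exit }'
}

# Build user/AUTHPROTO/authhash/PRIVPROTO/privhash/engineid, the format
# -R / --remote-users expects.
# Arguments: user auth_proto priv_proto engine_id hash_output
build_v3_user_spec() {
    user=$1
    auth_proto=$2
    priv_proto=$3
    engine_id=$4
    hash_output=$5
    # Only authPriv is acceptable: "none" for either protocol means
    # unauthenticated or unencrypted SNMP, which is what v3 is meant to fix.
    case "$auth_proto/$priv_proto" in
        *none*) echo "refusing weak security level $auth_proto/$priv_proto" >&2; return 1 ;;
    esac
    valid_engine_id "$engine_id" || { echo "invalid engine ID: $engine_id" >&2; return 1; }
    auth_hash=$(printf '%s\n' "$hash_output" | hash_field Authhash)
    priv_hash=$(printf '%s\n' "$hash_output" | hash_field Privhash)
    if [ -z "$auth_hash" ] || [ -z "$priv_hash" ]; then
        echo "could not find Authhash/Privhash in hash output" >&2
        return 1
    fi
    printf '%s/%s/%s/%s/%s/%s\n' "$user" "$auth_proto" "$auth_hash" "$priv_proto" "$priv_hash" "$engine_id"
}

# Print (do not run) the esxcli sequence from the post with the built spec,
# so it can be reviewed before being pasted into the ESXi shell.
snmpv3_command_plan() {
    spec=$(build_v3_user_spec "$@") || return 1
    cat <<EOF
esxcli system snmp set -r
esxcli system snmp set -e 1
esxcli system snmp set -a $2
esxcli system snmp set -x $3
esxcli system snmp set -E $4
esxcli system snmp set -R $spec
esxcli system snmp get
EOF
}

# Constructed demo values (stand-ins for `esxcli system snmp hash` output).
SAMPLE_ENGINE_ID=80001f8880a1b2c3d4e5f6
SAMPLE_HASH_OUTPUT='   Authhash: 0123456789abcdef0123456789abcdef01234567
   Privhash: 89abcdef0123456789abcdef01234567'

snmpv3_command_plan Mon_User SHA1 AES128 "$SAMPLE_ENGINE_ID" "$SAMPLE_HASH_OUTPUT"
```

On a real host, replace the two sample values with the engine ID you chose and the actual output of the hash command, then paste the printed lines into the ESXi shell one by one; the final `esxcli system snmp get` is the same check the post performs next.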
 
Now let's check the configuration once more:

# esxcli system snmp get

So the final settings look something like this picture.
I hope this guide will be helpful for you guys; for more information please refer to the VMware links about SNMP configuration:

Thursday, December 27, 2018

Security Recommendation and Hardening on Virtual Environments - Chapter One

Today I want to start a series of discussions about some security tips and prospective best practices. I will start with some simple steps on ESXi configuration, as the main asset among vCenter objects. Each post has 4 or 5 security recommendation titles about VMware security hardening, all consistent with VMware's published checklists:

1. Built-in firewall rules:
As one of the first steps of ESXi hardening, start by limiting the connections permitted to and from the host, restricting unused services and blocking suspicious traffic. So you may need to revise the firewall rules and control what is permitted and what is not, and whether each rule is needed permanently or only temporarily for a specific period. Check your list again; for example, if you always want permanent SSH access to your hosts, limit the allowed IP addresses to only your management system's IP address.

2. Using SNMP version 3:
Because of the security features of SNMP version 3 compared with the older versions 1 and 2 (support for encryption, authentication and hashing algorithms), it's strongly recommended to use SNMPv3. The old versions use only a community string for SNMP communication, sent as clear text, which is certainly a security weakness. So for monitoring ESXi hosts, it's better to configure only SNMPv3 settings with "esxcli system snmp set --v3targets ..." (I will explain how to do it in another post).

3. VIB Verification:
VIB or vSphere Installation Bundle is a package file (like a ZIP) that contains installation files for ESXi. As Kyle said, a VIB has 3 main parts: an archive (payload), an XML descriptor and a signature file for trust-level verification, and you can configure each host to one of the 4 acceptance levels below, depending on your system management policies:
I.   Partner: the VIB is created and tested by a partner; there is no VMware verification.
II.  VMware Certified: all processes are done by VMware itself.
III. VMware Accepted: testing is done by partners, but verification of the results relies on VMware.
IV.  Community: all processes are executed outside the VMware partner program and are not supported.
It's a good suggestion not to trust community VIB packages.
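Recommendations 1 and 3 above are both things you can audit from esxcli output rather than eyeball. The script below is an added example, not code from the original post or from VMware: it flags management firewall rulesets whose allowed source addresses are "All" (the SSH case from recommendation 1) and lists VIBs installed at the CommunitySupported acceptance level (recommendation 3). It assumes the column layouts of `esxcli network firewall ruleset allowedip list` and `esxcli software vib list` as shown in the sample text, which is constructed so the script runs offline; the `MGMT_RULESETS` list is an assumed policy you would adjust for your environment.

```shell
#!/bin/sh
# Added example, not from the original post: audit two of the recommendations
# above from esxcli output, (1) firewall rulesets enabled for "All" source IPs
# and (3) VIBs installed at the CommunitySupported acceptance level.
# ASSUMPTIONS: the column layouts below follow `esxcli network firewall ruleset
# allowedip list` and `esxcli software vib list`; the SAMPLE_* text is
# constructed and stands in for live output so this runs offline.
# On a host you would feed the real commands' output to the functions instead.

# Rulesets that should never be reachable from every address (assumed policy).
MGMT_RULESETS="sshServer vSphereClient"

# Read allowedip output on stdin and print the management rulesets whose
# allowed address list is "All". NR > 2 skips the header and separator rows.
unrestricted_rulesets() {
    awk -v want="$MGMT_RULESETS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) m[w[i]] = 1 }
        NR > 2 && ($1 in m) && $2 == "All" { print $1 }'
}

# Read vib list output on stdin and print "Name Version" of every VIB whose
# acceptance level (4th column) is CommunitySupported.
community_vibs() {
    awk 'NR > 2 && $4 == "CommunitySupported" { print $1, $2 }'
}

# Overall verdict: return 0 when nothing is flagged, 1 otherwise.
# Arguments: allowedip_output vib_list_output
audit() {
    fw=$(printf '%s\n' "$1" | unrestricted_rulesets)
    vibs=$(printf '%s\n' "$2" | community_vibs)
    status=0
    if [ -n "$fw" ]; then
        echo "WARN firewall rulesets open to All: $fw"
        status=1
    fi
    if [ -n "$vibs" ]; then
        echo "WARN CommunitySupported VIBs: $vibs"
        status=1
    fi
    return $status
}

# Constructed sample output (not captured from a real host).
SAMPLE_ALLOWEDIP='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  192.0.2.10
ntpClient      All'

SAMPLE_VIBS='Name       Version   Vendor   Acceptance Level    Install Date
---------  --------  -------  ------------------  ------------
esx-base   1.2.3-4   VMware   VMwareCertified     2019-01-15
net-foo    1.0.0-1   Acme     CommunitySupported  2019-02-20'

audit "$SAMPLE_ALLOWEDIP" "$SAMPLE_VIBS" || echo "audit flagged findings"
```

`ntpClient` is open to All in the sample but is not reported, because it is not in the management list; the point is to catch remote-access and management rulesets, which are the ones the post says to restrict to your management system's address.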

4. NTP configuration:
Time, time and time... It's so important to remember to set it before doing any other configuration on your hosts. It's recommended to set at least one NTP server outside your virtual infrastructure (like a router) for all of the hosts. (I described before in this post how to do it by CLI.)

5. Versions of TLS:
It's always a real problem: which version of TLS should we use on our managed hosts, and which version must be disabled? It's strongly recommended to use only TLS 1.2, but some of the management products associated with the ESXi host may only be able to communicate with an older version. So before disabling versions 1.0 or 1.1, check this matter out.

I think it will be my last post in 2018, so I hope to have a great and perfect year in 2019. 
Happy New Year guys :)


I will start a new journey soon ...