Changing the IP on your ESX 3.x

Wednesday, August 19, 2009 by BBTUNA

If you want to change the IP address of the service console in ESX 3.x, you can do it with a couple of commands from the service console itself. If, like me, you consider the console the most powerful thing to know about ESX, read on.

To change the IP address of an ESX 3.x host, you need to change the configuration of the vswif (the service console's virtual interface). By default this is vswif0, and that is assumed throughout this post. Log in to the service console with root permissions, either as root or by running su - to get them. One caveat before you start: deleting vswif0 takes the service console off the network, so do this from the physical console or a remote console card (DRAC/iLO), not over SSH, or your session will drop half-way through the change.

Once in the service console, run the command "esxcfg-vswif -d vswif0". This deletes the existing vswif0. Don't worry if you get a message about nothing to flush. Then run the command that re-creates the interface with the new IP address, subnet mask and broadcast address; they are specified in that order. An example command is below.

"esxcfg-vswif -a vswif0 -p Service\ Console -i 10.1.1.1 -n 255.255.255.0 -b 10.1.1.255"

In this command the -a switch adds a vswif, -p names the port group it attaches to (the backslash in Service\ Console is deliberate, it escapes the space), -i is the IP address, -n is the netmask and -b is the broadcast address.

You now need to change your default gateway. Do this by editing the network file at /etc/sysconfig/network, which holds the GATEWAY= line (and the HOSTNAME= line). At the command prompt, follow the steps below.

"cd /etc/sysconfig"
"nano network"
Then, while in the nano editor, move to the GATEWAY= line using the arrow keys.
Change the default gateway to your liking.
Hit Ctrl+X and then Y to save.

At this point you can run commands to restart networking and the VMware management service (service network restart and service mgmt-vmware restart), but I prefer to restart the server and recommend you do the same. Note that after you change the main IP of your box you will also have to update the hostname and the URL shown on the startup screen, which are kept in these files:

/etc/hosts
/etc/sysconfig/network
/usr/lib/vmware-mui/apache/conf/httpd.conf

When editing the hosts file, include the fully qualified domain name (FQDN):
Example: ip.address.of.server host.domain.com host
Note the order of the terms in the example above. If the FQDN and the alias are reversed, the remote console parameters will use the alias only.

In the httpd.conf file change the ServerName configuration setting to reflect the new FQDN.
Example: ServerName host.domain.com

After editing the files listed above, run the "hostname" command with the new FQDN (for example "hostname host.domain.com") so the name change takes effect without a reboot.
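The whole procedure above, from the vswif re-creation to the gateway, hosts, httpd.conf and hostname changes, collected into one script. This is an added example and not part of the original post; it assumes vswif0 and the "Service Console" port group as the post does, computes the -b broadcast value from the IP and netmask so you don't have to work it out by hand, and by default only prints the commands it would run (pass --apply to execute them). The delete and add are chained on one line so the add still runs once the delete has taken the link down, but as noted above it should still be run from the physical or remote console rather than over SSH.

```shell
#!/bin/sh
# Added example (not from the original post): plan, and with --apply run,
# a service console re-IP on ESX 3.x. Assumes vswif0 and the port group
# "Service Console"; file paths are the ones named in the post.
# Usage: sh reip.sh NEW_IP NETMASK GATEWAY FQDN           (print commands)
#        sh reip.sh --apply NEW_IP NETMASK GATEWAY FQDN   (run them)

# Return 0 if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the broadcast address for IP $1 under netmask $2 (esxcfg-vswif -b).
# Each octet is ip | (255 ^ mask), i.e. host bits set to one.
broadcast_addr() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$old_ifs
    echo "$(($1 | (255 ^ $5))).$(($2 | (255 ^ $6))).$(($3 | (255 ^ $7))).$(($4 | (255 ^ $8)))"
}

# Emit the command sequence for NEW_IP NETMASK GATEWAY FQDN on stdout.
# The vswif delete and add share one line so the add still runs after the
# delete drops the link. Returns 1 on bad input without printing anything.
plan_change() {
    ip=$1 mask=$2 gw=$3 fqdn=$4
    valid_ipv4 "$ip" && valid_ipv4 "$mask" && valid_ipv4 "$gw" && [ -n "$fqdn" ] ||
        { echo "usage: NEW_IP NETMASK GATEWAY FQDN (bad address or missing FQDN)" >&2; return 1; }
    bcast=$(broadcast_addr "$ip" "$mask")
    short=${fqdn%%.*}
    net=/etc/sysconfig/network
    hosts=/etc/hosts
    httpd=/usr/lib/vmware-mui/apache/conf/httpd.conf
    # /etc/hosts: drop any line whose second field is already the FQDN,
    # then append "ip fqdn short" in the order the post requires.
    cat <<EOF
esxcfg-vswif -d vswif0; esxcfg-vswif -a vswif0 -p "Service Console" -i $ip -n $mask -b $bcast
sed 's/^GATEWAY=.*/GATEWAY=$gw/; s/^HOSTNAME=.*/HOSTNAME=$fqdn/' $net > $net.new && mv $net.new $net
{ awk -v h="$fqdn" '\$2 != h' $hosts; echo "$ip $fqdn $short"; } > $hosts.new && mv $hosts.new $hosts
sed 's/^ServerName .*/ServerName $fqdn/' $httpd > $httpd.new && mv $httpd.new $httpd
hostname $fqdn
service network restart && service mgmt-vmware restart
EOF
}

if [ $# -gt 0 ]; then
    if [ "$1" = --apply ]; then
        shift
        plan_change "$@" | sh -e
    else
        plan_change "$@"
    fi
fi
```

Run it once without --apply and read the output; if the broadcast address and the /etc/hosts line look right, run it again with --apply from the console.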


Securing VMware ESX

Tuesday, August 11, 2009 by BBTUNA
VMware implementations can be done incorrectly if you just do the typical next > next > next ... reboot. Very few people take the time to secure their VMware ESX infrastructure, and that is when I recommend they get started with a great little piece of freeware called ConfigCheck from Tripwire. The only thing missing from it is report generation in PDF or HTML format, but other than that, if you have a VMware ESX 3.x infrastructure, use this great tool to give it a quick check. So for all of you out there implementing ESX environments, remember to lock down your system.

How to set VMWare ESX Switch Security

by BBTUNA
One of the things I like about VMware ESX is the security of its Layer 2 virtual switches. vSwitches cannot be joined to one another, so loops are not an issue, and each vSwitch lets you apply three security policy settings. These are:

  • Promiscuous Mode
  • MAC Address Changes
  • Forged Transmits

Setting all three to Reject prevents the virtual machines on the switch from acting as a sniffer, changing their MAC address, or sending frames with a forged source MAC. That protects the other virtual machines if one VM is compromised and an attacker tries to use it for man-in-the-middle attacks, ARP poisoning, or sniffing traffic. The Reject policy can be set on a virtual switch either from the Service Console or through the VI Client. In the VI Client:

  1. Log in to the VMware VI Client and select the server from the inventory panel. The hardware configuration page for this server appears.
  2. Click the Configuration tab, and click Networking.
  3. Click Properties for the vSwitch whose Layer 2 security policy you want to edit.
  4. In the Properties dialog box for the vSwitch, click the Ports tab.
  5. Select the vSwitch item and click Edit.
  6. In the Properties dialog box for the vSwitch, click the Security tab.
  7. Select Reject in the dropdown boxes for all 3 Policy Exceptions.
  8. Click OK.
From the CLI, SSH into the server, su - to get root privileges, and run the following. The options are "accept" flags, so false means Reject, and the last argument is the name of the vSwitch (vSwitch0 here):

  • vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-macchange=false vSwitch0
  • vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false vSwitch0
Promiscuous Mode is already set to Reject by default (--securepolicy-promisc=false sets it explicitly); MAC Address Changes and Forged Transmits default to Accept, which is why those two have to be changed. Note that a port group can override the policy of the vSwitch it sits on, so check the Security tab of each port group (or the policy blocks in the output of vmware-vim-cmd hostsvc/net/info) as well, otherwise a single port group left on Accept undoes the protection for the VMs in it.
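To catch the port group override mentioned above, here is a small audit script. It is an added example, not code from the original post or from VMware: it reads a dump of the host network configuration, lists every vSwitch and port group that still has a policy exception on Accept, and prints the vmware-vim-cmd lines that would set it to Reject. The SAMPLE_NET_INFO text is a constructed, trimmed approximation of what vmware-vim-cmd hostsvc/net/info prints on ESX 3.x (object headers, name and vswitchName fields, and the allowPromiscuous/macChanges/forgedTransmits fields); the vswitch_setpolicy command is the one used above, while the hostsvc/net/portgroup_set invocation and its argument order (vSwitch name, then port group name) are an assumption to verify against your host's own usage text.

```shell
#!/bin/sh
# Added example (not from the original post): audit vSwitch and port group
# Layer 2 security policy from a "vmware-vim-cmd hostsvc/net/info" dump.
# Usage: vmware-vim-cmd hostsvc/net/info | sh vswitch-audit.sh -
#        sh vswitch-audit.sh --sample        (run against the constructed sample)

# Constructed sample dump (format approximated from ESX 3.x net/info output).
# vSwitch0 still accepts MAC changes and forged transmits; the "Lab Sniffer"
# port group overrides the switch and allows promiscuous mode.
SAMPLE_NET_INFO='
vswitch = (vim.host.VirtualSwitch) [
   (vim.host.VirtualSwitch) {
      name = "vSwitch0",
      numPorts = 64,
      portgroup = (string) [ "key-vim.host.PortGroup-VM Network" ],
      spec = (vim.host.VirtualSwitch.Specification) {
         policy = (vim.host.NetworkPolicy) {
            security = (vim.host.NetworkPolicy.SecurityPolicy) {
               allowPromiscuous = false,
               macChanges = true,
               forgedTransmits = true,
            },
         },
      },
   },
],
portgroup = (vim.host.PortGroup) [
   (vim.host.PortGroup) {
      spec = (vim.host.PortGroup.Specification) {
         name = "VM Network",
         vswitchName = "vSwitch0",
         policy = (vim.host.NetworkPolicy) {
            security = (vim.host.NetworkPolicy.SecurityPolicy) {
               allowPromiscuous = false,
               macChanges = false,
               forgedTransmits = false,
            },
         },
      },
   },
   (vim.host.PortGroup) {
      spec = (vim.host.PortGroup.Specification) {
         name = "Lab Sniffer",
         vswitchName = "vSwitch0",
         policy = (vim.host.NetworkPolicy) {
            security = (vim.host.NetworkPolicy.SecurityPolicy) {
               allowPromiscuous = true,
               macChanges = false,
               forgedTransmits = false,
            },
         },
      },
   },
]
'

# Read a net/info dump on stdin. For every object with at least one policy
# exception on Accept, print: kind|name|vswitchName|promisc|macchange|forgedxmit
# (vswitchName is empty for vSwitch objects). Objects that are all Reject are silent.
audit_security_policy() {
    awk '
        function acc(v) { return (v ~ /^true/) ? "accept" : "reject" }
        /\(vim\.host\.VirtualSwitch\) [{]/ { kind = "vswitch" }
        /\(vim\.host\.PortGroup\) [{]/     { kind = "portgroup" }
        /^[ \t]*name = "/        { sub(/^[^"]*"/, ""); sub(/".*$/, ""); cur = $0; vsw = ""; next }
        /^[ \t]*vswitchName = "/ { sub(/^[^"]*"/, ""); sub(/".*$/, ""); vsw = $0; next }
        /allowPromiscuous = /    { p = $3 }
        /macChanges = /          { m = $3 }
        /forgedTransmits = /     {
            f = $3
            if (p ~ /^true/ || m ~ /^true/ || f ~ /^true/)
                printf "%s|%s|%s|%s|%s|%s\n", kind, cur, vsw, acc(p), acc(m), acc(f)
        }
    '
}

# Turn audit lines into the vmware-vim-cmd invocations that close each gap.
reject_commands() {
    while IFS='|' read -r kind name vsw p m f; do
        for opt in promisc:$p macchange:$m forgedxmit:$f; do
            [ "${opt#*:}" = accept ] || continue
            flag="--securepolicy-${opt%%:*}=false"
            case $kind in
                vswitch)   echo "vmware-vim-cmd hostsvc/net/vswitch_setpolicy $flag \"$name\"" ;;
                portgroup) echo "vmware-vim-cmd hostsvc/net/portgroup_set $flag \"$vsw\" \"$name\"" ;;
            esac
        done
    done
}

case ${1:-} in
    --sample) printf '%s\n' "$SAMPLE_NET_INFO" | audit_security_policy | reject_commands ;;
    -)        audit_security_policy | reject_commands ;;
esac
```

Against the sample, the audit reports vSwitch0 (MAC changes and forged transmits on Accept) and the "Lab Sniffer" port group (promiscuous on Accept), and stays quiet about "VM Network", which is fully locked down; the emitted commands are the two vswitch_setpolicy lines from the post plus one portgroup_set line for the override.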
