
Enabling / Disabling SSH on an ESX host and limiting access to only my current IP

Enabling / Disabling SSH on ESXi – and limiting access to current IP only.


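function Set-SshOnVmHost
{
    <#
    .SYNOPSIS
    Turns the ESXi SSH service (TSM-SSH) on or off and, when turning it on,
    restricts the sshServer firewall ruleset to a single client IP address.

    .PARAMETER VMHostName
    Name of the ESXi host, as accepted by Get-VMHost.

    .PARAMETER Status
    'On'  - set the service policy, start TSM-SSH and limit the sshServer
            ruleset to one IP (the local IPv4 address when exactly one is
            found on this machine, otherwise an address entered at the prompt).
    'Off' - set the service policy, stop TSM-SSH and re-open the sshServer
            ruleset to all IPs.

    .NOTES
    Requires an existing PowerCLI connection.
    Throws when the firewall restriction cannot be applied while enabling SSH.
    In both cases the host advanced setting UserVars.SuppressShellWarning is set to 1.
    #>
    Param(
        [String]
        $VMHostName,
        [ValidateSet('On','Off')]
        [String]
        $Status
    )

    # Resolve the host object once, before anything prints $vmHost.Name.
    # (The original wrote the first message before $vmHost was assigned, so the
    # host name was blank, and passed the bare name string to -VMHost.)
    $vmHost = Get-VMHost $VMHostName
    $esxcli = Get-EsxCli -VMHost $vmHost

    # Always re-query the service object: Running/Policy are snapshots and go
    # stale after Set-/Start-/Stop-VMHostService.
    $getSsh = { Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" } }

    write-host "Configuring SSH on host: $($vmHost.Name) to $Status" -fore Yellow
    if ((& $getSsh).Policy -ne "$Status") {
        Write-Host "Setting SSH service policy to automatic $status $($vmHost.Name)"
        & $getSsh | Set-VMHostService -Policy "$Status" -Confirm:$false -ea 1 | Out-null
    }

    if ($Status -eq 'On') {
        if ((& $getSsh).Running -ne $true) {
            Write-Host "Starting SSH service on $($vmHost.Name)"
            Start-VMHostService -confirm:$false -HostService (& $getSsh) | Out-null

            # Candidate client addresses: IPv4 entries across all IP-enabled adapters.
            # The original took .ipaddress[0], which can be an IPv6/link-local entry,
            # and .count on that single string is always 1, so the prompt never fired
            # when the choice was actually ambiguous.
            $localIps = @(
                Get-WmiObject -class win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"' |
                    ForEach-Object { $_.IPAddress } |
                    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
            )
            $ip = if ($localIps.Count -eq 1) { $localIps[0] } else { $null }

            if ($esxcli -ne $null) {
                if (-not $ip) {
                    $ip = read-host "Please provide the IP address that should be to access this host via SSH"
                }
                try {
                    # Reject anything that is not a parseable IP before it reaches the
                    # firewall API. (test-ipaddress is not defined on this page; the
                    # built-in parser throws on bad input and is caught below.)
                    $null = [System.Net.IPAddress]::Parse($ip)

                    $allowed = ($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses
                    $changed = $false

                    if ($allowed -eq "All") {
                        Write-Host "Changing the sshServer firewall configuration"
                        # Positional esxcli v1 signature: allowedall, enabled, rulesetid.
                        $esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
                        $allowed = ($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses
                        $changed = $true
                    }

                    # Ensure the current IP is in the allow list even when the ruleset
                    # was already restricted (to a different IP) by an earlier run;
                    # the original only added it on the "All" -> restricted transition,
                    # which could lock the operator out. Exact match rather than
                    # -notmatch: an IP used as a regex lets '.' match any character.
                    if (@($allowed) -notcontains "$ip") {
                        $esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
                        $changed = $true
                    }

                    if ($changed) {
                        $esxcli.network.firewall.refresh()
                    }
                }
                catch {
                    throw "Unable to configure IP restirctions on Firewall when enabling SSH $_"
                }
            }
        }
    }
    else {
        if ((& $getSsh).Running -ne $false) {
            Write-Host "Stopping SSH service on $($vmHost.Name)"
            Stop-VMHostService -confirm:$false -HostService (& $getSsh) | Out-null
            write-host "Set Firewall rule too allow all IPs for SSH, but disable the service"

            # Re-opening the ruleset while the service is stopped is the author's
            # reset step. $esxcli is null-checked here as it is in the 'On' path;
            # the original dereferenced it unguarded.
            if ($esxcli -ne $null -and
                ($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -ne "All") {
                Write-Host "Changing the sshServer firewall configuration"
                $esxcli.network.firewall.ruleset.set($true, $true, "sshServer")
                $esxcli.network.firewall.refresh()
            }
        }
    }

    # Hide the vSphere client "SSH is enabled" banner; applied for both On and Off.
    if (($vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" }).Value -ne "1") {
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" } | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-null
    }
}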