Vulnerability Scans of VMware ESXi hosts

Our VM admin disabled SSH to the VMware hosts, as this is now best practice.
I was wondering how others in the community go about scanning VMware hosts?

It was mentioned to me at some point to use port 443. Any help and ideas are appreciated.


Hi Andy! We’ve got some info here regarding discovery of VMware hosts. For dynamic discovery, the console can either connect to a vCenter server or connect directly to ESXi hosts. That page also lists the types of connections that are supported.

When it comes to vulnerability scans, you’re right that the scanner needs access to port 443 to get all the necessary info. And in this case, SSH should actually be disabled since it’s not required for vuln scan purposes. If you’re looking to do policy scans for these hosts, then SSH would need to be enabled (something that we want to update but no current timeline for it).


Following this. We have some that have 443 open; they were discovered and we scanned them, but with no creds they still have a certainty of 90. Are they good to go? How do we get them to 100, add creds? I thought I was going crazy seeing the vuln checks in the logs without creds. I saw a couple of articles that indicated the ESXi stuff is already in Rapid7 InsightVM, so creds are optional? Am I reading that right?

I have to add that we are using port 443 for communication with the ESXi hosts. Discovery is not an issue; that part works. But only vulnerabilities at the OS (Linux) level are being reported.
So I am not sure if something is missing or if this is the default. Maybe a VMware-experienced engineer/admin can chime in?

+1 for this topic.

Are we missing out on any authenticated vulnerability checks if we are not able to connect via SSH to ESXi host?

I double-checked this with the team, and they confirmed that there's no need to enable SSH or supply creds for vulnerability checks on these types of hosts. The scanner should be able to pull enough information for accurate vulnerability assessments via the SOAP API on port 443.

I’m not 100% sure about this one, but I’ll see if someone else has some info they can share.

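To make the "SOAP API on port 443" point concrete: the vSphere API exposes a RetrieveServiceContent call on https://<host>/sdk that answers without any credentials and returns an AboutInfo block with the product name, version and build, which is the kind of data an unauthenticated scanner can collect from an ESXi host with SSH disabled. The script below is an added example written for this thread; it is not Rapid7's or VMware's code. It builds that SOAP request, parses the response, and tells an ESXi host (apiType HostAgent) apart from a vCenter server (apiType VirtualCenter). The sample response is constructed so the script runs offline; the host name, the SOAPAction header value and the version/build values are assumptions for illustration.

```python
"""Unauthenticated ESXi fingerprint via the vSphere SOAP API on TCP 443.

Added example for this thread, not vendor code. Only the parsing runs offline;
fetch_about() does the real network call when given a host (assumed name).
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET  # for untrusted hosts, prefer defusedxml

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
VIM_NS = "urn:vim25"

# Constructed sample response (not a real capture); values are illustrative.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<RetrieveServiceContentResponse xmlns="urn:vim25">
<returnval>
<rootFolder type="Folder">ha-folder-root</rootFolder>
<about>
<name>VMware ESXi</name>
<fullName>VMware ESXi 7.0.3 build-19193900</fullName>
<vendor>VMware, Inc.</vendor>
<version>7.0.3</version>
<build>19193900</build>
<apiType>HostAgent</apiType>
<apiVersion>7.0.3.0</apiVersion>
<productLineId>embeddedEsx</productLineId>
</about>
</returnval>
</RetrieveServiceContentResponse>
</soapenv:Body>
</soapenv:Envelope>"""


def build_retrieve_service_content_request() -> bytes:
    """SOAP body for RetrieveServiceContent; the ServiceInstance MoRef is fixed
    by the vSphere API and no session or credentials are needed for this call."""
    envelope = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:vim25="{VIM_NS}">'
        "<soapenv:Body>"
        "<vim25:RetrieveServiceContent>"
        '<vim25:_this type="ServiceInstance">ServiceInstance</vim25:_this>'
        "</vim25:RetrieveServiceContent>"
        "</soapenv:Body></soapenv:Envelope>"
    )
    return envelope.encode()


def parse_about_info(xml_bytes: bytes) -> dict:
    """Extract the AboutInfo fields a scanner keys its version checks on."""
    root = ET.fromstring(xml_bytes)
    about = root.find(f".//{{{VIM_NS}}}about")
    if about is None:
        raise ValueError("response contains no AboutInfo element")
    wanted = ("name", "fullName", "version", "build", "apiType",
              "apiVersion", "productLineId")
    info = {}
    for field in wanted:
        el = about.find(f"{{{VIM_NS}}}{field}")
        if el is not None and el.text:
            info[field] = el.text.strip()
    if "version" not in info or "build" not in info:
        raise ValueError("AboutInfo lacks version/build")
    return info


def is_esxi_host(info: dict) -> bool:
    """HostAgent means we talked to an ESXi host directly; VirtualCenter means
    a vCenter server answered (the two discovery modes in the thread)."""
    return info.get("apiType") == "HostAgent"


def fetch_about(host: str, verify_tls: bool = True, timeout: int = 10) -> dict:
    """POST the request to https://<host>/sdk and parse the AboutInfo.
    Self-signed ESXi certs are common; set verify_tls=False knowingly."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}/sdk",
        data=build_retrieve_service_content_request(),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": '"urn:vim25"'},  # assumed; servers accept it
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_about_info(resp.read())


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_about("esxi01")
    # (assumed host name) to query a real host on 443.
    about = parse_about_info(SAMPLE_RESPONSE)
    kind = "ESXi host" if is_esxi_host(about) else "vCenter / other"
    print(f"{about['fullName']} -> version {about['version']}, "
          f"build {about['build']} ({kind})")
```

The version and build pair is what a scanner correlates against VMware advisories, which is why the thread's observation that checks run without credentials is expected. It also shows the limit: this endpoint reports what the host says about itself, so configuration-level (policy) checks that need to read files on the host are a different matter, as the earlier reply about SSH for policy scans notes.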

they confirmed that there’s no need to enable SSH or supply creds for vulnerability checks on these types of hosts. The scanner should be able to pull enough information for accurate vulnerability assessments via the SOAP API on port 443.

Great news! Thank you for confirming.
