ThoughtPolice VMware Images

VMware Security Tips

Surprisingly, most people overlook basic security principles when dealing with virtual machines. This short article aims to redress that by drawing attention to these points.

Your SSH server is no more secure than telnet

Problem: Whenever you clone or download a virtual machine, you also clone the private SSH host key for that virtual machine. Anyone who has that private key can decrypt or hijack the traffic being sent over your "secure" connection. Not good.

Solution: You need to regenerate the SSH host keys when you clone a VM:

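# Example given for Fedora (run as root):
rm -i /etc/ssh/ssh_host_*key* # permanently delete the existing host keys (private and .pub)
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa # re-gen the rsa key
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa # re-gen the dsa key (skip on OpenSSH releases that no longer support DSA)
systemctl restart sshd # make sshd load the new host keys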

Remember that you will receive a "key changed" warning the next time you ssh to your server.

Someone from outside your company has plugged a computer into your network

Problem: A virtual machine is still a computer. You wouldn't let just anybody plug their computer into your network, so you must still remember to perform a security analysis before powering on a VM.

Solution: For an untrusted VM, make sure:

  1. Networking - can the VM snoop on network traffic? Is it on a segmented part of the network? Do you need to allow networking at all?
  2. Passwords - are you using the same password for something important? If the VM was sending passwords back, would it matter?
  3. Are you connecting to anything important while you use the machine? Are you SSHing to a machine with less-segmented network access? Shares? Mounts?
