An automated hardening script for the VMware vCenter Server Appliance (VCSA) designed to enforce Zero Trust network segmentation and deep forensic auditing.
This tool is engineered to mitigate critical risks associated with advanced persistent threats (APTs) and destructive campaigns targeting virtualization infrastructure. By enforcing strict Layer 3/4 micro-segmentation and forensic command logging, it neutralizes common attack vectors such as lateral movement, Command and Control (C2) beaconing, and anti-forensic tampering. This prevents adversaries from leveraging the VCSA as a staging ground to compromise underlying ESXi hypervisors or execute widespread infrastructure sabotage.
READ BEFORE EXECUTION: This tool modifies the VCSA iptables configuration at the OS kernel level, bypassing the standard VAMI interface.
- Supportability: These changes deviate from the default state and may impact your VMware support agreement.
- Lockout Risk: Incorrect configuration WILL result in immediate network isolation. You must have Physical/Console access (ESXi/iDRAC) to recover if you misconfigure the IP allow-lists.
- Backups: Ensure a file-level backup or snapshot exists before running this script.
The VCSA Hardening & Logging Tool moves the security posture of a vCenter server from a "Default Permit" model to a "Default Deny" (Zero Trust) model. It utilizes native Linux controls to create a hardened management plane without requiring external hardware firewalls.
It is designed for high-security environments where the vCenter appliance is considered a Tier-0 asset.
- Layer 3/4 Micro-Segmentation: Drops all inbound connections to Management ports (SSH/22, Web/443, VAMI/5480) unless explicitly whitelisted.
- Forensic Command Auditing: Patches the root shell profile to log every bash command typed by administrators to Syslog (e.g., cmd="rm -rf /").
- Anti-Lateral Movement: Prevents the VCSA from communicating with non-essential internal networks (stopping "pivot" attacks).
- Outbound Control: Options to block Internet access or enforce strict outbound whitelisting to prevent data exfiltration.
- Rate Limiting: Intelligent brute-force protection that bans IPs attempting >6 connections per minute.
Do not proceed until the following are confirmed:
- Console Access: You have confirmed access to the VCSA via the ESXi Web Console (the "Break Glass" method).
- Syslog Configured: Remote Syslog must be configured in VAMI (Port 5480). This script bridges internal firewall logs to your existing VAMI Syslog configuration.
- IP Inventory: You have the specific IP addresses for:
- Admin Workstations / Jump Hosts (PAW)
- The ESXi Management Subnet
- Backup Servers (Veeam, NetWorker, Commvault)
- Core Services (DNS, NTP, AD)
Open vcsa-hardening.sh in a text editor. You must modify the START CONFIGURATION block.
Edit the arrays to define who is allowed IN.
```bash
# WHO CAN SSH IN (Port 22)
TRUSTED_SSH_IPS=( "192.168.10.50" ) # Admin PAW only

# WHO CAN ACCESS WEB UI / API (Port 443)
# Must include: Admins, ESXi Hosts, and Backup Servers
TRUSTED_WEB_IPS=(
  "192.168.10.50" # Admin PAW
  "10.20.0.0/24"  # ESXi Management Subnet
  "10.50.1.100"   # Veeam Server
)
```
ENABLE_RATE_LIMITING controls whether the firewall tracks connection frequency to stop brute-force attacks.
- ENABLE_RATE_LIMITING=true (Default): Blocks IPs attempting >6 connections/minute.
- ENABLE_RATE_LIMITING=false: Disable this if using "noisy" automated backup tools (e.g., NetWorker) that open many parallel streams.
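To make the inbound behaviour of the feature list and the configuration block concrete, here is an added dry-run example (not the project's own script) that prints the iptables rules a default-deny policy with these allow-lists implies, including the >6 connections/minute ban and the logged drop. It assumes the README's arrays as space-separated lists so it runs in plain sh, that VAMI/5480 shares the web allow-list, and the WEB_/VAMI_ log prefixes; only SSH_BLOCKED_NEW comes from the page.

```shell
#!/bin/sh
# Added example, not the project's script: dry run that prints the rules implied by
# a default-deny inbound policy with the README's allow-lists. Lists are
# space-separated so this is plain sh; using the web list for VAMI/5480 and the
# WEB_/VAMI_ log prefixes are assumptions.
TRUSTED_SSH_IPS="192.168.10.50"
TRUSTED_WEB_IPS="192.168.10.50 10.20.0.0/24 10.50.1.100"
ENABLE_RATE_LIMITING=true
RATE_LIMIT_HITS=6   # the 7th NEW connection from one source within 60s is dropped

# Rules for one TCP port: optional rate limit, one ACCEPT per trusted source,
# then LOG + DROP for everything else. $1 = port, $2 = log prefix, $3 = sources.
allow_port() {
  local port="$1" prefix="$2" sources="$3" src
  if [ "$ENABLE_RATE_LIMITING" = true ]; then
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name p$port --set"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name p$port --update --seconds 60 --hitcount $((RATE_LIMIT_HITS + 1)) -j DROP"
  fi
  for src in $sources; do
    echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $port -j LOG --log-prefix \"$prefix: \""
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Whole inbound policy: loopback and established flows first, then the three
# management ports named in the README.
build_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  allow_port 22   SSH_BLOCKED_NEW  "$TRUSTED_SSH_IPS"
  allow_port 443  WEB_BLOCKED_NEW  "$TRUSTED_WEB_IPS"
  allow_port 5480 VAMI_BLOCKED_NEW "$TRUSTED_WEB_IPS"
}

# Lockout guard from the README: refuse unless the current SSH client is trusted.
# $1 = client IP (normally ${SSH_CLIENT%% *}), $2 = trusted SSH list.
client_is_trusted() {
  local client="$1" ip
  for ip in $2; do [ "$ip" = "$client" ] && return 0; done
  return 1
}

# Executed directly with --dry-run: print the rules instead of applying them.
if [ "${1:-}" = "--dry-run" ]; then build_rules; fi
```

Because the recent-module rule sits before the per-source ACCEPTs, it bans trusted sources too, which is why the README suggests disabling rate limiting for backup tools that open many parallel streams.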
Select ONE of the following postures by toggling the boolean variables.
| Mode | Configuration | Description |
|---|---|---|
| Standard Hardening | Both false | (Default) Strict inbound whitelist. Outbound traffic is allowed. Best for general use. |
| Internet Blocking | BLOCK_INTERNET_ACCESS=true | (Recommended) Allows internal traffic (RFC1918) but blocks all public Internet access. |
| Zero Trust | ENABLE_ZERO_TRUST_MODE=true | (Strictest) Drops ALL inbound/outbound traffic not explicitly listed. Requires perfect configuration of ADDITIONAL_PRIVATE_RANGES. |
```bash
scp vcsa-hardening.sh root@<VCSA_IP>:/root/
ssh root@<VCSA_IP>
chmod +x vcsa-hardening.sh
```
Always run this first. It simulates the logic without applying changes.
```bash
./vcsa-hardening.sh --dry-run
```
Then apply the rules:
```bash
./vcsa-hardening.sh
```
The script will perform a safety check to ensure your current SSH IP is in the trusted list before applying rules.
Once applied, the script bridges logs to the standard VMware Syslog stream.
Execute a command and ensure it appears in the logs with the SHELL_COMMAND tag.
```bash
# 1. Run a test command
echo "test_audit_logging"
# 2. Check logs (Correct tag is SHELL_COMMAND)
journalctl -f | grep SHELL_COMMAND
```
Output example:
```
vcsa-01 logger: CMD user=root host=vcsa pwd=/root pid=1234 exit=0 cmd="echo test_audit_logging"
```
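The record format checked above comes from a hook in the root shell profile. The following is an added example, not the project's own code: audit_line() builds the CMD record with the page's fields, and write_audit_hook() prints the bash PROMPT_COMMAND snippet that such a hook would consist of. The /root/.bashrc destination, the auth.info priority and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. audit_line() builds the record that the
# verification step greps for; write_audit_hook() prints the bash snippet that the
# hardening step would append to the root profile (/root/.bashrc is an assumption).

# Build one audit record from its fields. Double quotes inside the command are
# backslash-escaped so cmd="..." stays parseable by a SIEM field extractor.
audit_line() {
  local user="$1" host="$2" dir="$3" pid="$4" status="$5" cmd="$6"
  cmd="$(printf '%s' "$cmd" | sed 's/"/\\"/g')"
  printf 'CMD user=%s host=%s pwd=%s pid=%s exit=%s cmd="%s"\n' \
    "$user" "$host" "$dir" "$pid" "$status" "$cmd"
}

# The bash hook. PROMPT_COMMAND runs just before each new prompt, so $? is the
# previous command's exit status and `history 1` is its text; the last-seen
# guard stops an empty Enter from logging the same command twice.
write_audit_hook() {
  cat <<'EOF'
# --- VCSA command audit hook (added example) ---
__vcsa_audit() {
  local status=$? cmd
  cmd="$(history 1 | sed 's/^ *[0-9]* *//')"   # assumes default HISTTIMEFORMAT
  [ "$cmd" = "$__vcsa_last" ] && return
  __vcsa_last="$cmd"
  cmd="$(printf '%s' "$cmd" | sed 's/"/\\"/g')"
  logger -t SHELL_COMMAND -p auth.info \
    "CMD user=$USER host=$HOSTNAME pwd=$PWD pid=$$ exit=$status cmd=\"$cmd\""
}
# Seed the guard so the last command of the loaded history is not logged at login.
__vcsa_last="$(history 1 | sed 's/^ *[0-9]* *//')"
PROMPT_COMMAND=__vcsa_audit
EOF
}
```

Appending the printed snippet to the root profile (`write_audit_hook >> /root/.bashrc`) is the installation step; an administrator with write access to that file can still remove the hook, so the remote Syslog copy, not the local profile, is the forensic record.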
Attempt to SSH from an un-trusted IP (e.g., a mobile hotspot) and check the logs:
```bash
journalctl -f | grep BLOCKED
```
Output example:
```
kernel: SSH_BLOCKED_NEW: IN=eth0 OUT= MAC=... SRC=1.2.3.4 ...
```
If you lock yourself out via SSH, follow these steps to restore the VCSA to default:
- Log into the ESXi Host Web Client or iDRAC.
- Open the Web Console for the VCSA VM.
- Log in as root.
- Type shell to enter Bash.
- Run the rollback script or manual commands:
```bash
# Manual rollback
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
rm /etc/systemd/scripts/ip4save
```
Please open an issue, or submit a PR, if you have problems, ideas, or feedback.
Copyright 2026 Google LLC
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.