June 8, 2010, 10:18 pm
I’ve been using the Cisco 877 Integrated Services router for a few months now and have recently come across a strange quirk that may catch a few people out.
I host a few websites on a virtual machine within my internal network. To make these sites viewable to the world, I need to direct any traffic on port 80 heading to my external static IP address to the internal virtual web server. To do this I added a static NAT rule to the running configuration of the router.
Router(config)# ip nat inside source static tcp xxx.xxx.xxx.xxx 80 interface Dialer1 80
What I didn’t realise was that from the internal network you cannot open a connection to the port you have just forwarded using the above rule. This caused me to scratch my head; it wasn’t until I telnetted to the external IP on port 80 from the Cisco router itself that I realised the static NAT rule was actually working.
So, lesson learnt today: don’t assume that Cisco router port forwarding will work in the same way as your conventional home DSL router.
May 27, 2010, 10:33 pm
I just wanted to write this quick blog post as a reminder to myself and to possibly help anyone who reads this.
A colleague of mine had a problem recently with a locked file in ESX 3.5 Update 2. Basically, one of the datastores which contained a couple of virtual machines (with snapshots) had run out of disk space. After freeing some space and deleting some snapshots, one of the virtual machines refused to power on and vCenter reported a locked file error. Now, if you’re from a Unix or Linux background you instantly think of the command ‘ps’ to return running processes, particularly ‘ps -ef’ to return all processes with full formatting. In this situation this wasn’t particularly helpful, as with ‘ps -ef’ the output does not wrap on screen, causing the command text for long processes to be missing.
So when looking for all running processes related to virtual machines, one of the following commands should be used:
ps -auxwww
or
ps -ef | fold
Conversely, if you know the name of the vmx file for the virtual machine you are interested in, you can combine ‘ps -ef’ or ‘ps -auxwww’ with the ‘grep’ command to return only the lines you require. For example:
ps -ef | grep -i xxx.vmx
Note: when combining ‘ps -ef’ with ‘grep’ you don’t need the ‘fold’ command, as the output is automatically wrapped.
May 17, 2010, 10:51 pm
As you are probably fully aware, VMware have published the final release of their vSphere Security Hardening guide here. Having been actively involved in a project which involves the use of virtualisation in a PCI DSS controlled environment, I have had the pleasure of reading this guide back to front, and I must say VMware have produced a good document. I really like the format and the layout, and I think it works well for a security hardening guide.
The problem I do have is with some of the content; I get the feeling the document has been rushed through somewhat, with little testing for some of the recommendations. So here is a heads up for anyone intending to use this document; hopefully I can stop you from falling into some of the pitfalls I did.
Note: When implementing some of these recommendations I did as much testing as possible and made sure I understood the full impact before making any changes to a production environment. Like any good virtualisation admin, I would recommend that, as a bare minimum, you do the same.
Disabling the Managed Object Browser
This recommendation involves editing the Proxy.xml file in the /etc/vmware/hostd directory. VMware state that to disable the Managed Object Browser one should remove or comment out all lines relating to the mob element. Using vi to remove these lines proved unsuccessful for me, resulting in the ESX host being unable to communicate with the vCenter Server. Only on restoring the Proxy.xml file from backup was vCenter Server connectivity restored.
It seems the only way to successfully disable MOB is to use XML comment tags and comment the lines out rather than deleting them. An example of the changes to the Proxy.xml file can be seen below:
Pre:

Post:

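The comment-out approach described above, as an added example that is not from the original post or from VMware: a small Python helper that wraps the /mob endpoint entry of a proxy.xml-style file in an XML comment (rather than deleting it), refuses to produce an illegal comment, and re-parses the result to confirm the file is still well-formed and that only the intended namespace has gone. The sample file content is constructed and only assumed to follow the `<e>` / `<serverNamespace>` layout; the real file's entries differ.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an ESX hostd proxy.xml; the real file's
# entries differ (assumption), only the <e>/<serverNamespace> layout matters.
SAMPLE_PROXY_XML = """<ConfigRoot>
  <EndpointList>
    <_length>2</_length>
    <e id="0">
      <_type>vim.ProxyService.NamedPipeServiceSpec</_type>
      <pipeName>/var/run/vmware/proxy-sdk</pipeName>
      <serverNamespace>/sdk</serverNamespace>
    </e>
    <e id="1">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <port>8307</port>
      <serverNamespace>/mob</serverNamespace>
    </e>
  </EndpointList>
</ConfigRoot>
"""

# Match an existing comment (so it is never wrapped twice) or one <e> entry.
ENTRY_RE = re.compile(r'<!--.*?-->|<e id="\d+">.*?</e>', re.DOTALL)


def comment_out_namespace(xml_text, namespace="/mob"):
    """Wrap each endpoint entry serving `namespace` in an XML comment.
    Nothing is deleted, so the rest of the file is left exactly as it was.
    Returns (new_text, number_of_entries_changed)."""
    changed = 0

    def wrap(match):
        nonlocal changed
        block = match.group(0)
        if block.startswith("<!--") or f">{namespace}</serverNamespace>" not in block:
            return block  # already commented out, or a different endpoint
        if "--" in block:  # '--' may not appear inside an XML comment
            raise ValueError("entry contains '--'; refusing to comment it out")
        changed += 1
        return f"<!-- {block} -->"

    return ENTRY_RE.sub(wrap, xml_text), changed


def active_namespaces(xml_text):
    """Parse the text (raising if it is not well-formed) and return the
    namespaces still served; commented-out entries are skipped by the parser."""
    root = ET.fromstring(xml_text)
    return [ns.text for ns in root.iter("serverNamespace")]
```

Running `active_namespaces` on the edited text before copying it over the live file is the check that would have caught the broken-communication failure above: a malformed or over-trimmed result raises or lists the wrong endpoints instead of being discovered when hostd restarts.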
More coming soon in part two.