How-to change default SSH port on ESXi 5 and make it persistent after reboots.
If you want to keep SSH access to your ESXi hosts, but want to move it from the default SSH port (22) to a non-default port, there is a way to do it. For example, you don't want SSH on 22 but on 2222.
How do you do it, and what are the requirements?
01. You'll have to create an XML file, which needs to be placed on persistent storage, i.e. a VMFS volume (/vmfs/volumes/).
02. Copy the XML file there. The volume can be on shared storage so that it is accessible to all your hosts. In my case it is /vmfs/volumes/freenas/ssh.
The content of the XML file has to be like this:
<ConfigRoot>
  <service>
    <id>SSH 2222</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2222</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
03. Add these lines to the /etc/rc.local file:
cp location of xml file /etc/vmware/firewall
esxcli network firewall refresh
Where location of xml file is the location that the file was copied to in step 2.
This way the new firewall configuration is loaded right away, and every time the host restarts it loads the custom firewall configuration again.
04. Copy /etc/services to the storage (in my case the same location where the firewall rule file is stored).
05. Edit the copied services file and change the port number for SSH.
06. Edit /etc/rc.local so the created files are copied back to the host at boot time. Here is an example; these lines would be added at the end of the file:
#Copy the new firewall rule from vmfs placeholder to file system
cp /vmfs/volumes/freenas/etc/ssh2222.xml /etc/vmware/firewall/
#refresh firewall rules
esxcli network firewall refresh
#Copy the modified services file from vmfs placeholder to file system
cp /vmfs/volumes/freenas/ssh/services /etc/services
#Restart inetd to get the changes
kill -HUP `cat /var/run/inetd.pid`
You'll have to reboot the host to validate the changes and test that everything works.
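As an added example (not the post's own script), these POSIX sh functions build the two files the procedure keeps on the datastore, the rule set XML from step 2 and the edited copy of /etc/services from steps 4 and 5, from a port number instead of by hand. The datastore folder and the ssh2222.xml file name follow the post; both are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not the post's own script: build the rule set XML and the edited copy
# of /etc/services for a given port. STORE is the datastore folder used in the post
# (an assumption, adjust it). Plain POSIX sh, so it also runs in the ESXi busybox shell.

STORE="${STORE:-/vmfs/volumes/freenas/ssh}"

# Print the firewall rule set XML from step 2 for the given TCP port.
make_ssh_ruleset_xml() {
    port="$1"
    cat <<EOF
<ConfigRoot>
  <service>
    <id>SSH $port</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Rewrite every "ssh" entry of a services file (steps 4 and 5) to the given port,
# whatever port it carried before; all other lines are left untouched.
set_ssh_port_in_services() {
    file="$1"; port="$2"
    sed "s|^\(ssh[[:space:]][[:space:]]*\)[0-9][0-9]*/|\1$port/|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Print the TCP port a services file assigns to ssh (used to check the edit).
ssh_port_from_services() {
    awk '$1 == "ssh" && $2 ~ /\/tcp$/ { split($2, p, "/"); print p[1]; exit }' "$1"
}

# On the host: write $STORE/ssh<port>.xml and $STORE/services, the paths rc.local copies back.
write_persistent_files() {
    port="$1"
    mkdir -p "$STORE"
    make_ssh_ruleset_xml "$port" > "$STORE/ssh$port.xml"
    cp /etc/services "$STORE/services"
    set_ssh_port_in_services "$STORE/services" "$port"
}
```

On the host, run write_persistent_files 2222 once, then add the rc.local lines from step 6; the rc.local copy step and the reboot check are unchanged.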
Sources:
VMware KB User defined xml firewall configurations are not persistent across ESXi host reboots
VMware KB Changing the port used by SSH on an ESXi 5.0 host
DrEmmettBrown says
Dear Vlatan ,
Thank you for your post. Let me fix (maybe add) one thing.
When you connect to your ESXi with SSH you can't edit /etc/services because it's read-only.
So you can change your startup script to this:
#Copy the new firewall rule from vmfs place holder to file system
cp /vmfs/volumes/freenas/etc/ssh2222.xml /etc/vmware/firewall/
#refresh firewall rules
esxcli network firewall refresh
#Copy the modified services file from vmfs place holder to file system
#if we don't delete /etc/services file it will stay same.. it's ridiculous but true..
#but if we delete it then it works.
rm -rf /etc/services
cp /vmfs/volumes/freenas/ssh/services /etc/services
#Restart inetd to get the changes
kill -HUP `cat /var/run/inetd.pid`
Thanks
Vladan SEGET says
Oh, this is an old post. I don't even know if it's still applicable for ESXi 6.5. Thanks for your comment, though.