Every once in a while I hit a topic that I just can't find any information on. This happens to be one of those topics. If you want to change the SSH port on ESXi 5.x, no problem: VMware provides a Knowledge Base article on that, and someone made it a little clearer in a blog post. But nowhere could I find a procedure that worked for ESXi 6.0, so here I am writing this article. After 5 hours of messing around, not being able to log in, and having to reset the server settings each time, I feel the need to share my findings with everyone, hoping it will ease the burden on those looking for answers.
The steps in this article are much like those given for ESXi 5.x; however, some changes made in ESXi 6.0 make the other tutorial obsolete.
Step 1:
We need to copy two files to persistent storage. We are not going to create new ones, simply copy the existing ones, as the originals are overwritten on every boot. I use the term copy loosely: if you actually cp the files, you won't be able to modify them, because cp carries over the read-only permissions. So we will cat them into new files instead.
Switch into the volumes directory, as we need to find a volume to cat our files to:
cd /vmfs/volumes
Now list the volumes so we can choose one:
ls
You will see a bunch of entries that look like 570479cf-dfb956ef-edbf-934ce1239048 as well as some named entries; in my case there were datastore1 through datastore4. I chose datastore1.
cd /vmfs/volumes/datastore1
You will note at this point that the directory changed to its alphanumeric equivalent, as datastore1 is simply a symlink, so you will see that you are in a directory that looks like this:
/vmfs/volumes/570479cf-dfb956ef-edbf-934ce1239048
Take note of it, as you will need to put the full actual path into a file later; the datastore1 path will NOT work.
Once you are in this directory we can cat the two files we need to modify:
cat /etc/vmware/firewall/service.xml > ./service.xml
cat /etc/services > ./services
Step 2:
Open the service.xml file we just made in the datastore using your favourite editor; I usually use vim (vi for short), but you can use nano as well. Make sure you are in the actual datastore directory from step 1.
vi service.xml
You will see a bunch of entries; the first one should have an id of sshServer:
<id>sshServer</id>
In this section you will see a <port></port> tag with port number 22 specified; change this to your desired port:
<port>2222</port>
Save the file. This changes the firewall rules so that port 2222 is used instead of 22.
Step 3:
Now we need to edit the services file; this file dictates which services attach to which ports.
vi services
Scroll down until you see the entries for ssh on port 22 and change them to port 2222:
ssh 2222/tcp # SSH Remote Login Protocol
ssh 2222/udp # SSH Remote Login Protocol
Save the file.
Step 4:
Now that our files have the right ports associated with ssh, we need to make sure the server uses our modified files and not the ones it uses by default. To do this we edit the /etc/rc.local.d/local.sh file, which is used to execute commands during boot:
vi /etc/rc.local.d/local.sh
If this is the first time editing this file, it should be empty save for a few commented-out lines stating not to use this file unless you know what you are doing, and an "exit 0" line at the very bottom. Put the following lines between the comments and the "exit 0" line, filling in the datastore path from step 1:
/sbin/cp <path to service.xml file> /etc/vmware/firewall/service.xml
/sbin/esxcli network firewall refresh
/sbin/cp <path to services file> /etc/services
/sbin/kill -HUP `cat /var/run/inetd.pid`
In my case, with the path from step 1, that is:
/sbin/cp /vmfs/volumes/570479cf-dfb956ef-edbf-934ce1239048/service.xml /etc/vmware/firewall/service.xml
/sbin/esxcli network firewall refresh
/sbin/cp /vmfs/volumes/570479cf-dfb956ef-edbf-934ce1239048/services /etc/services
/sbin/kill -HUP `cat /var/run/inetd.pid`
The first line copies our modified firewall rule file over the default one.
The second line refreshes the firewall, activating the new rules.
The third line overwrites the services file, which tells the system which ports to bind to the services.
The fourth line restarts the network services: it sends inetd a HUP so it re-reads /etc/services and serves ssh on the new port.
Step 5:
Reboot. Once the server comes back online, you will be able to access ssh on port 2222 instead of 22.
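A safer way to make the edits of steps 2 to 4, added here as an example and not code from the article: only the ssh entries are rewritten (an anchored pattern, so nothing else that happens to contain "22" is touched), and a copy is installed over the live file only if it is non-empty and really carries the new port, which is exactly the check that would have prevented the lock-out described in the comments. It assumes the firewall file has the shape <id>sshServer</id> ... <port>22</port> ... </service>, and it runs on constructed sample files in a temp directory rather than the live /etc files.

```shell
#!/bin/sh
# Added example, not code from the article: the edits of steps 2-4 done so a
# mistake cannot lock you out. Only the ssh entries are rewritten, and a copy
# is installed only if it is non-empty and carries the new port. Assumes
# service.xml looks like <id>sshServer</id> ... <port>22</port> ... </service>.

# Rewrite only the ssh entries of a services file, anchored on the whole
# field, so a line like "misc 922/tcp" is left alone.  $1 = file, $2 = port
set_ssh_port_in_services() {
    sed -i -e "s|^\(ssh[[:space:]][[:space:]]*\)22/tcp|\1$2/tcp|" \
           -e "s|^\(ssh[[:space:]][[:space:]]*\)22/udp|\1$2/udp|" "$1"
}

# Rewrite <port>22</port> only between <id>sshServer</id> and its </service>,
# so other services on port 22 or an id like "0022" are untouched.
set_ssh_port_in_service_xml() {
    sed -i "/<id>sshServer<\/id>/,/<\/service>/ s|<port>22</port>|<port>$2</port>|" "$1"
}

# Checks a candidate must pass before it may replace the live file.
check_services() {
    [ -s "$1" ] && grep -q "^ssh[[:space:]][[:space:]]*$2/tcp" "$1"
}
check_service_xml() {
    [ -s "$1" ] && sed -n "/<id>sshServer<\/id>/,/<\/service>/p" "$1" | grep -q "<port>$2</port>"
}

# What local.sh should do instead of a blind cp: install the copy only if its
# check passes, otherwise keep the stock file.
# $1 = candidate, $2 = live file, $3 = port, $4 = check function
install_if_valid() {
    "$4" "$1" "$3" || { echo "refusing to install $1 over $2" >&2; return 1; }
    cp "$1" "$2"
}

# Constructed sample files (not real ESXi contents) so this runs anywhere.
make_samples() {   # $1 = directory
    printf 'ssh\t22/tcp\t# SSH Remote Login Protocol\nssh\t22/udp\t# SSH Remote Login Protocol\nmisc\t922/tcp\n' > "$1/services"
    printf '<ConfigRoot>\n<service id="0022">\n<id>sshServer</id>\n<rule id="0000">\n<port>22</port>\n</rule>\n</service>\n<service id="0023">\n<id>other</id>\n<rule id="0000">\n<port>22</port>\n</rule>\n</service>\n</ConfigRoot>\n' > "$1/service.xml"
}
# Stand-alone run: edit the samples, install them into $tmp/live only if valid,
# then show that an empty copy (the mistake from the comments) is rejected.
tmp=$(mktemp -d); mkdir "$tmp/live"; make_samples "$tmp"
set_ssh_port_in_services "$tmp/services" 2222
set_ssh_port_in_service_xml "$tmp/service.xml" 2222
install_if_valid "$tmp/services" "$tmp/live/services" 2222 check_services
install_if_valid "$tmp/service.xml" "$tmp/live/service.xml" 2222 check_service_xml
: > "$tmp/empty.xml"
install_if_valid "$tmp/empty.xml" "$tmp/live/service.xml" 2222 check_service_xml || echo "empty copy rejected"
```

On 6.5 and later the live files must be made writable first (the chmod the comments mention); this example edits copies, so that step is left to local.sh.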
Hello. On my ESXi V6.x servers there is "services.xml" = "service.xml" without the ending "s".
Greetings
byPARSE
Major heart attack. The rc.local script above is wrong.
It needs to be service.xml, not services.xml.
Locked me out of SSH access.
Fortunately I managed to rename the files in datastore1 using the vSphere client datastore browser. Reboot, and that got it back to SSH on 22.
But it worked in the end. Thanks
It works for 6.0, not for 6.5!
Appreciate your great work to save others' time.
Anybody tested on 6.5?
Above steps not working on 6.5.
In 6.5 you just need to change the permissions of the files first. You can do that with:
/bin/chmod a+wt /etc/services /etc/vmware/firewall/service.xml
I prefer not to depend on files mounted on another volume, so this is the way I contain everything within the /etc/rc.local.d/local.sh file:
/bin/chmod a+wt /etc/services
/bin/sed -i 's|22/tcp|2222/tcp|g' /etc/services
/bin/sed -i 's|22/udp|2222/udp|g' /etc/services
/bin/chmod a+wt /etc/vmware/firewall/service.xml
/bin/sed -i "s|22|2222|g" /etc/vmware/firewall/service.xml
/bin/sed -i "s||TCPALLOUToutboundtcpdst160000truefalse|g" /etc/vmware/firewall/service.xml
/bin/chmod 444 /etc/services /etc/vmware/firewall/service.xml
/bin/esxcli network firewall refresh
/bin/kill -HUP `cat /var/run/inetd.pid`
Oops. The last sed had XML tags that became garbled. Not sure how to fix it.
Sadly, by default this site does not allow any kind of code to be put in comments (security risk); sadly that includes XML tags.
Hello,
Tested in ESXi 6.7; just replace port 2222 with your new port number. Here is an example from my /etc/rc.local.d/local.sh file:
——————————————————–
[root@esxi:~] cat /etc/rc.local.d/local.sh
#!/bin/sh
# local configuration options
# Note: modify at your own risk! If you do/use anything in this
# script that is not part of a stable API (relying on files to be in
# specific places, specific tools, specific output, etc) there is a
# possibility you will end up with a broken system after patching or
# upgrading. Changes are not supported unless under direction of
# VMware support.
# Note: This script will not be run when UEFI secure boot is enabled.
/bin/chmod a+wt /etc/services /etc/vmware/firewall/service.xml
/bin/sed -i 's|22/tcp|2222/tcp|g' /etc/services
/bin/sed -i 's|22/udp|2222/udp|g' /etc/services
/bin/sed -i 's|22|2222|g' /etc/vmware/firewall/service.xml
/bin/chmod 444 /etc/services /etc/vmware/firewall/service.xml
/sbin/esxcli network firewall refresh
/sbin/kill -HUP `cat /var/run/inetd.pid`
/etc/init.d/SSH restart
exit 0
——————————————————–
Hope this helps!
In case someone is still reading this: the solution is correct but the syntax is wrong.
#!/bin/sh
# local configuration options
# Note: modify at your own risk! If you do/use anything in this
# script that is not part of a stable API (relying on files to be in
# specific places, specific tools, specific output, etc) there is a
# possibility you will end up with a broken system after patching or
# upgrading. Changes are not supported unless under direction of
# VMware support.
# Note: This script will not be run when UEFI secure boot is enabled.
/bin/chmod a+wt /etc/services /etc/vmware/firewall/service.xml
/bin/sed -i 's/22\/tcp/7268\/tcp/g' /etc/services
/bin/sed -i 's/22\/udp/7268\/udp/g' /etc/services
/bin/sed -i 's/22/7268/g' /etc/vmware/firewall/service.xml
/bin/chmod 444 /etc/services /etc/vmware/firewall/service.xml
/sbin/esxcli network firewall refresh
/sbin/kill -HUP `cat /var/run/inetd.pid`   # these are back ticks, not commas
/etc/init.d/SSH restart
exit 0
# Long Live Open Source Community
/bin/chmod a+wt /etc/services /etc/vmware/firewall/service.xml
sed -i '45i\ssh 2222/tcp # SSH Remote Login Protocol' /etc/services
sed -i '45i\ssh 2222/udp # SSH Remote Login Protocol' /etc/services
# delete the original port-22 ssh lines, which the two inserts pushed down to 47 and 48
sed -i '47d' /etc/services
sed -i '47d' /etc/services
sed -i “s|22|2222|g” /etc/vmware/firewall/service.xml
/bin/chmod 444 /etc/services /etc/vmware/firewall/service.xml
/sbin/esxcli network firewall refresh
/etc/init.d/SSH restart
fucking 8hr