ESXi hardening

To protect the ESXi hosts against unauthorized intrusion and misuse, consider the following options for improving infrastructure security:

  • Limit user access: Restrict user access to the management interface and enforce access security policies, such as password restrictions. Lockdown mode can be used to restrict direct access to the hosts for all users, so that operations go through vCenter Server instead. Alternatively, centralized authentication (for example, with Active Directory) is useful for managing security groups and their related roles.
  • Limit shell access: The ESXi Shell (used locally, but also through ESXi SSH access) has privileged access to several parts of the host. Therefore, give only trusted users ESXi Shell login access. Usually, it is safe to keep both the ESXi Shell and SSH access disabled to prevent direct access to the ESXi CLI. In this case, you can still use esxcli remotely or another remote CLI.
  • Limit services: You can run ESXi essential services only. Some hardware vendors have specific agents that can run on ESXi hosts, but check their support and security level before running any third-party agents or services on ESXi hosts.
  • Limit network connections: ESXi has a personal firewall (starting from ESXi 5.0) which, by default, is closed on most ports. When you enable a service, the firewall also opens the right ports for it. Although you can manually open ports with the predefined firewall rules, and you can also build new custom ESXi firewall rules, it is better to keep the management of ESXi firewall rules entirely automatic. The personal firewall does not protect you from Denial-of-Service (DoS) attacks, so still keep your ESXi VMkernel interfaces on protected networks and still use perimeter firewalls.
  • Use secure connections: By default, weak ciphers are disabled, and SSL secures all communication from clients. The exact algorithms used for securing the channel depend on the SSL handshake. VMware vSphere 6.0 introduces a certificate authority to help with certificate management. Starting with vSphere 6.5, the Transport Layer Security (TLS) protocol versions 1.0, 1.1, and 1.2 are enabled by default.
  • Patch your hosts: Use only VMware sources to upgrade or patch ESXi hosts. VMware does not support upgrading these packages from any source other than a VMware source.
  • Check VMware Security Center: VMware monitors all security alerts that could affect ESXi security and, if necessary, issues a security patch. If you regularly check the VMware Security Center site, you can find any alerts that might impact the environment.

You can check the official guide, General ESXi Security Recommendations, at https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-B39474AF-6778-499A-B8AB-E973BE6D4899.html.
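The following PowerCLI script is an added example, not code from the book or from VMware: it audits the settings the list above covers (lockdown mode, ESXi Shell and SSH service state, and firewall rulesets left open by hand) for every host visible to an existing Connect-VIServer session. The property values it compares against (LockdownMode names, service keys TSM and TSM-SSH, the Policy value 'off') are assumed from the vSphere API and PowerCLI object model.

```powershell
# Added audit example (not from the book). Assumes a PowerCLI session has
# already been opened with Connect-VIServer against vCenter or a host.
$report = foreach ($vmhost in Get-VMHost) {
    # Lockdown mode as reported by the HostSystem object:
    # lockdownDisabled / lockdownNormal / lockdownStrict
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode

    # ESXi Shell (key TSM) and SSH (key TSM-SSH): both should be stopped
    # and have startup policy 'off' so they do not come back after a reboot.
    $services = Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }
    $shellExposed = $services |
        Where-Object { $_.Running -or $_.Policy -ne 'off' }

    # Firewall rulesets that are enabled although their associated service is
    # not running: a sign that a port was opened manually rather than by the
    # automatic service/firewall coupling described above. Rulesets with no
    # associated service report ServiceRunning as $null and are ignored here.
    $manualRules = Get-VMHostFirewallException -VMHost $vmhost |
        Where-Object { $_.Enabled -and ($_.ServiceRunning -eq $false) }

    [pscustomobject]@{
        Host        = $vmhost.Name
        Lockdown    = $lockdown
        ShellOrSsh  = if ($shellExposed) { 'EXPOSED' } else { 'disabled' }
        ManualPorts = ($manualRules.Name -join ',')
        Compliant   = ($lockdown -ne 'lockdownDisabled') -and
                      (-not $shellExposed) -and (-not $manualRules)
    }
}

$report | Format-Table -AutoSize

# Remediation for a non-compliant host is done with the matching cmdlets, e.g.
#   Get-VMHostService -VMHost $h | Where-Object Key -eq 'TSM-SSH' |
#       Stop-VMHostService -Confirm:$false
#   Get-VMHostService -VMHost $h | Where-Object Key -eq 'TSM-SSH' |
#       Set-VMHostService -Policy Off
# Review the report before changing anything on a production host.
```

Run it read-only first; the Compliant column flags hosts where lockdown mode is disabled, a shell is reachable, or a ruleset was opened outside the automatic service coupling.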
