VxRail: vSphere web Client is displaying this message from time to time: "Remote access for ESXi local user account 'root' has been locked for 900 seconds after 200 failed login attempts."


Article ID: 326765


Products

VMware Cloud Foundation VMware vSAN

Issue/Introduction

This issue has been observed with Dell OME monitoring servers. However, it can happen with other monitoring tools as well.

Symptoms:
The root account for an ESXi host keeps getting locked out. After review of the vobd log on the host, it is apparent that something is spamming the host with root login attempts.

/var/log/vobd.log
yyyy-mm-dd [GenericCorrelator] 317118131511us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 195 failed login attempts.
yyyy-mm-dd  [UserLevelCorrelator] 317118131511us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 195 failed login attempts.
yyyy-mm-dd  [UserLevelCorrelator] 317118131703us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 195 failed login attempts.
yyyy-mm-dd  [GenericCorrelator] 317120761360us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 196 failed login attempts.
yyyy-mm-dd [UserLevelCorrelator] 317120761360us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 196 failed login attempts.
yyyy-mm-dd  [UserLevelCorrelator] 317120761531us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 196 failed login attempts.
yyyy-mm-dd  [GenericCorrelator] 317122141644us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 197 failed login attempts.

To determine the IP address(es) the failed logins originate from, check the following logs.

/var/log/auth.log
yyyy-mm-dd sshd[701694298]: Connection from X.X.X.X port 55682
yyyy-mm-dd sshd[701333862]: pam_tally2(sshd:auth): user root (0) tally 34, deny 5
yyyy-mm-dd sshd[701694298]: error: PAM: Authentication failure for root from X.X.X.X
yyyy-mm-dd sshd[701694492]: pam_tally2(sshd:auth): user root (0) tally 35, deny 5
yyyy-mm-dd sshd[701694492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X  user=root
yyyy-mm-dd sshd[701694298]: error: PAM: Authentication failure for root from X.X.X.X
yyyy-mm-dd sshd[701694298]: error: Received disconnect from X.X.X.X port 55682:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
yyyy-mm-dd sshd[701694298]: Disconnected from authenticating user root X.X.X.X port 55682 [preauth]]

/var/log/hostd.log
yyyy-mm-dd error hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] [module:pam_lsass]pam_do_authenticate: error [login:root][error code:2]
yyyy-mm-dd  error hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] [module:pam_lsass]pam_sm_authenticate: failed [error code:2]
yyyy-mm-dd  warning hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] Rejected password for user root from X.X.X.X
yyyy-mm-dd  info hostd[9313269] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=4e5164ae] Event 9328698 : Cannot login root@X.X.X.X

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
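
The following is an added example, not part of the original article: a shell function that tallies failed root logins per source address from the two message shapes shown in the auth.log and hostd.log excerpts above, and labels each with the channel (SSH or the hostd API) so the offending client is easier to identify. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally failed root logins per source address and channel.
# Matches the two message shapes shown in the excerpts above:
#   auth.log : "error: PAM: Authentication failure for root from <ip>"  -> ssh
#   hostd.log: "Rejected password for user root from <ip>"              -> hostd
# pam_unix and pam_tally2 lines are skipped so an attempt is not counted twice.
# On a host: failed_root_sources /var/log/auth.log /var/log/hostd.log

failed_root_sources() {
    # Reads file arguments (or stdin) and prints "<count> <ip> <channel>",
    # highest count first.
    awk '
        {
            ch = ""
            if ($0 ~ /PAM: Authentication failure for root from /) ch = "ssh"
            else if ($0 ~ /Rejected password for user root from /) ch = "hostd"
            if (ch == "") next
            # The source address is the first token after the last " from ".
            n = split($0, parts, " from ")
            split(parts[n], tok, " ")
            count[tok[1] " " ch]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Constructed sample lines (documentation addresses, not from a real host).
sample_logs() {
    cat <<'EOF'
yyyy-mm-dd sshd[1001]: Connection from 192.0.2.10 port 55682
yyyy-mm-dd sshd[1001]: pam_tally2(sshd:auth): user root (0) tally 34, deny 5
yyyy-mm-dd sshd[1001]: error: PAM: Authentication failure for root from 192.0.2.10
yyyy-mm-dd sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
yyyy-mm-dd sshd[1001]: error: PAM: Authentication failure for root from 192.0.2.10
yyyy-mm-dd sshd[1002]: error: PAM: Authentication failure for root from 192.0.2.10
yyyy-mm-dd warning hostd[2001] [Originator@6876 sub=Default opID=aaaa0001] Rejected password for user root from 192.0.2.10
yyyy-mm-dd warning hostd[2001] [Originator@6876 sub=Default opID=aaaa0002] Rejected password for user root from 192.0.2.10
yyyy-mm-dd warning hostd[2001] [Originator@6876 sub=Default opID=aaaa0003] Rejected password for user root from 198.51.100.7
yyyy-mm-dd sshd[1003]: Accepted password for root from 203.0.113.5 port 40000 ssh2
EOF
}

# Demo run on the constructed sample.
sample_logs | failed_root_sources
```

An address that appears on both channels points to a client that tries SSH as well as the API, which is typical of a monitoring or inventory tool holding a stale credential.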

Environment

VMware vSphere ESXi 

Cause

Dell OME monitoring servers are still using the old root password after the root password was changed on all ESXi hosts.

Resolution

Determine the service/device sending the authentication requests and confirm it's using the correct credentials for login. If it's no longer needed, stop the service/device from making the authentication requests.

If you need assistance with this, open a case with the Dell VxRail team to help find the source of the authentication requests.

Additional Information

Impact/Risks:
The root account is constantly being locked out.