Remote access for ESXi local user account 'root' has been locked for ### seconds after #### failed login attempts

Products

VMware Cloud Foundation VMware vSphere ESXi

Issue/Introduction

^{The ESXi host's root account is repeatedly locked due to excessive login attempts. Analysis of the vobd log indicates that an external source is spamming the host with root login requests.}

^{/var/log/vobd.log}

^{[vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after ### failed login attempts.}

^{To determine the IP(s) the failed log-ins are generated from check the following logs. /var/log/auth.log}

^{Connection from X.X.X.X port 55682}

^{pam_tally2(sshd:auth): user root (0) tally 34, deny 5}

^{error: PAM: Authentication failure for root from X.X.X.X}

^{pam_tally2(sshd:auth): user root (0) tally 35, deny 5}

^{pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=root}

^{error: PAM: Authentication failure for root from X.X.X.X}

^{error: Received disconnect from X.X.X.X port 55682:3: com.jcraft.jsch.JSchException: Auth cancel [preauth] Disconnected from authenticating user root X.X.X.X port 55682 [preauth]] /var/log/hostd.log}

^{error hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] [module:pam_lsass]pam_do_authenticate: error [login:root][error code:2]}

^{error hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] [module:pam_lsass]pam_sm_authenticate: failed [error code:2]}

^{warning hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] Rejected password for user root from X.X.X.X}

^{info hostd[9313269] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=4e5164ae] Event 9328698 : Cannot login [email protected]}

Environment

^{VMware vSphere ESXi 5.x}

^{VMware vSphere ESXi 6.x}

^{VMware vSphere ESXi 7.x}

^{VMware vSphere ESXi 8.x}

Cause

^{Following a root password update across all ESXi hosts, monitoring servers are still configured with the outdated root password.}

Resolution

^{Identify the service or device sending authentication requests to the ESXi host based on the IP address from the logs and verify it is using the correct login credentials. If the service or device is no longer needed, disable its authentication requests.}

Additional Information

^{ESXi Account Lockout Behavior
Account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.

Configuring Login Behavior
You can configure the login behavior for your ESXi host with the following advanced options:
Security.AccountLockFailures. Maximum number of failed login attempts before a user's account is locked. Zero disables account locking.
Security.AccountUnlockTime. Number of seconds that a user is locked out.
Security.PasswordHistory. Number of passwords to remember for each user. Zero disables password history.

Reference: ESXi Passwords and Account Lockout}