When attempting to manage the VMware Live Recovery Appliance, you encounter the following issues:
1. Login fails for the admin user via the Web Console, VAMI, or SSH.
2. Login fails for the root user via the Web Console.
3. The accounts appear to lock up sporadically, even after a known good password has been used.
VMware Live Recovery Appliance 9.x
The appliance accounts are being locked out by the pam_faillock (Pluggable Authentication Modules) module due to repeated failed authentication attempts from external sources.
The log messages reveal a high frequency of failed SSH attempts from internal infrastructure IPs (e.g., security scanners, inventory tools, or misconfigured Security Information and Event Management (SIEM) systems).
When these external devices attempt to "probe" the appliance using incorrect or "default" credentials (like remotessh), the appliance triggers a security lockout policy to protect against brute-force attacks.
/var/log/messages:
2026-02-11T06:05:24.081295+00:00 VLR-Appliance sshd[767310]: Failed password for admin from 10.#.#.# port 47502 ssh2
2026-02-11T06:05:24.081056+00:00 VLR-Appliance sshd[767310]: Failed password for admin from 10.#.#.# port 47502 ssh2
2026-02-11T06:05:48.940038+00:00 VLR-Appliance sshd[767464]: Failed password for admin from 10.#.#.# port 59154 ssh2
2026-02-11T06:05:48.939805+00:00 VLR-Appliance sshd[767464]: Failed password for admin from 10.#.#.# port 59154 ssh2
2026-02-11T06:04:39.769660+00:00 VLR-Appliance sshd[767066]: Failed password for root from 10.#.#.# port 56754 ssh2
2026-02-11T06:04:39.769412+00:00 VLR-Appliance sshd[767066]: Failed password for root from 10.#.#.# port 56754 ssh2
2026-02-11T06:04:50.420948+00:00 VLR-Appliance sshd[767123]: Failed password for root from 10.#.#.# port 50344 ssh2
2026-02-11T06:04:50.420712+00:00 VLR-Appliance sshd[767123]: Failed password for root from 10.#.#.# port 50344 ssh2
2026-02-11T09:04:03.489534+00:00 VLR-Appliance sshd[823400]: error: Received disconnect from 10.#.#.# port 56738:3: com.jcraft.jsch.JSchException: Auth fail for methods 'publickey,password,keyboard-interactive' [preauth]
2026-02-11T09:04:03.489645+00:00 VLR-Appliance sshd[823400]: Disconnected from authenticating user admin 10.#.#.# port 56738 [preauth]
2026-02-11T09:04:03.529688+00:00 VLR-Appliance sshd[823451]: error: kex_exchange_identification: Connection closed by remote host
2026-02-11T09:04:03.529762+00:00 VLR-Appliance sshd[823451]: Connection closed by 10.#.#.# port 48485
2026-02-11T09:04:03.592313+00:00 VLR-Appliance sshd[823452]: Invalid user remotessh from 10.#.#.# port 56754
2026-02-11T09:04:03.601348+00:00 VLR-Appliance sshd[823452]: pam_faillock(sshd:auth): User unknown: remotessh
2026-02-11T09:04:03.601469+00:00 VLR-Appliance sshd[823452]: pam_unix(sshd:auth): check pass; user unknown
2026-02-11T09:04:03.601497+00:00 VLR-Appliance sshd[823452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.#.#.#
2026-02-11T09:04:03.601522+00:00 VLR-Appliance sshd[823452]: pam_faillock(sshd:auth): User unknown: remotessh
2026-02-11T09:04:03.489261+00:00 VLR-Appliance sshd[823400]: error: Received disconnect from 10.#.#.# port 56738:3: com.jcraft.jsch.JSchException: Auth fail for methods 'publickey,password,keyboard-interactive' [preauth]
2026-02-11T09:04:03.489631+00:00 VLR-Appliance sshd[823400]: Disconnected from authenticating user admin 10.#.#.# port 56738 [preauth]
To resolve this issue, you must identify and stop the source of the failed login attempts:
1. Identify the Source: Review the /var/log/messages file to find the specific IP address(es) generating the Failed password or Invalid user entries.
2. Investigate the Infrastructure: Check the identified IP addresses against your network inventory. Common culprits include:
A. Security/Vulnerability scanners.
B. Network discovery or inventory tools.
C. Centralized logging/SIEM agents with misconfigured credentials.
3. Remediate: Exclude the VLR Appliance IP from active credentialed scans.
A. Update any stored credentials on the scanning device to match the current appliance settings.
B. Disable SSH probing for these specific VMs if it's not required for monitoring.
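Step 1 can be done with a short shell function that tallies the Failed password and Invalid user entries by source IP and user name. This is an added example, not part of the original article: the names summarize_ssh_failures and sample_log, and the 192.0.2.x addresses in the sample lines, are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally failed SSH logins per source IP and user name.
# Usage on the appliance: summarize_ssh_failures /var/log/messages
# Output columns: count, source IP, user name, entry type (highest count first).
summarize_ssh_failures() {
    awk '
    # Take the fields around the last "from": "... NAME from IP port N".
    function record(kind,    i, ip, user) {
        for (i = 2; i < NF; i++)
            if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
        if (ip != "") n[ip " " user " " kind]++
    }
    /sshd\[[0-9]+\]: Failed password for / { record("failed_password"); next }
    /sshd\[[0-9]+\]: Invalid user /        { record("invalid_user") }
    END { for (k in n) print n[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input in the same format as the log excerpt above
# (documentation-range addresses, not real hosts).
sample_log() {
    cat <<'EOF'
2026-02-11T06:05:24.081295+00:00 VLR-Appliance sshd[767310]: Failed password for admin from 192.0.2.10 port 47502 ssh2
2026-02-11T06:05:48.940038+00:00 VLR-Appliance sshd[767464]: Failed password for admin from 192.0.2.10 port 59154 ssh2
2026-02-11T06:04:39.769660+00:00 VLR-Appliance sshd[767066]: Failed password for root from 192.0.2.10 port 56754 ssh2
2026-02-11T09:04:03.529762+00:00 VLR-Appliance sshd[823451]: Connection closed by 192.0.2.20 port 48485
2026-02-11T09:04:03.592313+00:00 VLR-Appliance sshd[823452]: Invalid user remotessh from 192.0.2.20 port 56754
EOF
}

# Demo run on the constructed sample; reads stdin when no file is given.
sample_log | summarize_ssh_failures
```

The log excerpt above records each entry twice, so read the counts as relative volume per source rather than an exact number of attempts.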