...
The root account for an ESXi host keeps getting locked out. After review of the vobd log on the host, it is apparent that something is spamming the host with root login attempts.

/var/log/vobd.log

2018-05-08T11:19:47.471Z: [GenericCorrelator] 317118131511us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 195 failed login attempts.
2018-05-08T11:19:47.471Z: [UserLevelCorrelator] 317118131511us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 195 failed login attempts.
2018-05-08T11:19:47.471Z: [UserLevelCorrelator] 317118131703us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 195 failed login attempts.
2018-05-08T11:19:50.101Z: [GenericCorrelator] 317120761360us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 196 failed login attempts.
2018-05-08T11:19:50.101Z: [UserLevelCorrelator] 317120761360us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 196 failed login attempts.
2018-05-08T11:19:50.101Z: [UserLevelCorrelator] 317120761531us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 196 failed login attempts.
2018-05-08T11:19:51.481Z: [GenericCorrelator] 317122141644us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after 197 failed login attempts.

------

To determine the IP(s) the failed log-ins are generated from, check the following logs.

/var/log/auth.log

2020-04-03T17:29:06Z sshd[701694298]: Connection from 192.xxx.xxx.40 port 55682
2020-04-03T17:29:06Z sshd[701333862]: pam_tally2(sshd:auth): user root (0) tally 34, deny 5
2020-04-03T17:29:08Z sshd[701694298]: error: PAM: Authentication failure for root from 192.xxx.xxx.40
2020-04-03T17:29:08Z sshd[701694492]: pam_tally2(sshd:auth): user root (0) tally 35, deny 5
2020-04-03T17:29:08Z sshd[701694492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.xxx.xxx.40 user=root
2020-04-03T17:29:10Z sshd[701694298]: error: PAM: Authentication failure for root from 192.168.100.40
2020-04-03T17:29:10Z sshd[701694298]: error: Received disconnect from 192.xxx.xxx.40 port 55682:3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
2020-04-03T17:29:10Z sshd[701694298]: Disconnected from authenticating user root 192.xxx.xxx.40 port 55682 [preauth]

/var/log/hostd.log

2023-10-25T03:56:55.713Z error hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] [module:pam_lsass]pam_do_authenticate: error [login:root][error code:2]
2023-10-25T03:56:55.713Z error hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] [module:pam_lsass]pam_sm_authenticate: failed [error code:2]
2023-10-25T03:56:55.715Z warning hostd[9313269] [Originator@6876 sub=Default opID=4e5164ae] Rejected password for user root from 172.xx.x.5
2023-10-25T03:56:55.715Z info hostd[9313269] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=4e5164ae] Event 9328698 : Cannot login root@172.xx.x.5

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
This issue is known to be caused in relation to: Dell OME monitoring servers
Dell OME monitoring servers have the old root password following a root password change on all ESXi hosts.
The root account is constantly being locked out.
Determine the service/device sending the authentication requests and confirm it is using the correct credentials for login. If it is no longer needed, stop the service/device from making the authentication requests.

If you need assistance with this, open a case with the Dell VxRail team to help find the source of the authentication requests.
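One way to find the source of the requests is to tally the failed root logins in auth.log and hostd.log per source address and service. The script below is an added example, not part of the original article or any VMware or Dell tooling; the function names are hypothetical, and the sample lines are constructed from the log formats shown above using documentation addresses.

```python
import re
import sys

# One pattern per service, so an attempt that writes several lines is counted once
# (sshd also logs a pam_unix line, hostd also logs a "Cannot login" event).
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: error: PAM: Authentication failure for (\S+) from (\S+)"),
    "hostd": re.compile(r"hostd\[\d+\].* Rejected password for user (\S+) from (\S+)"),
}

def failed_logins(lines, user="root"):
    """Return {(source, service): [count, first_seen, last_seen]} for failed logins of `user`."""
    stats = {}
    for line in lines:
        line = line.strip()
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m or m.group(1) != user:
                continue
            stamp = line.split(" ", 1)[0]  # leading ISO 8601 timestamp
            entry = stats.setdefault((m.group(2), service), [0, stamp, stamp])
            entry[0] += 1
            entry[1] = min(entry[1], stamp)
            entry[2] = max(entry[2], stamp)
    return stats

def report(stats):
    """Format the tally as text rows, busiest source first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1][0])
    return [f"{src:<16} {svc:<6} {n:>5}  {first} .. {last}" for (src, svc), (n, first, last) in rows]

# Constructed sample lines (not real log data).
SAMPLE = """\
2020-04-03T17:29:06Z sshd[1001]: Connection from 192.0.2.40 port 55682
2020-04-03T17:29:08Z sshd[1001]: error: PAM: Authentication failure for root from 192.0.2.40
2020-04-03T17:29:08Z sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.40 user=root
2020-04-03T17:29:10Z sshd[1001]: error: PAM: Authentication failure for root from 192.0.2.40
2020-04-03T17:30:01Z sshd[1003]: error: PAM: Authentication failure for admin from 192.0.2.77
2023-10-25T03:56:55.715Z warning hostd[2001] [Originator@6876 sub=Default opID=aaaa0001] Rejected password for user root from 198.51.100.5
2023-10-25T03:56:55.715Z info hostd[2001] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=aaaa0001] Event 1 : Cannot login root@198.51.100.5
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    if len(sys.argv) > 1:  # pass log file paths to analyze real logs instead of the sample
        lines = [l for path in sys.argv[1:] for l in open(path, errors="replace")]
    print("\n".join(report(failed_logins(lines))))
```

The address with the highest count is the first candidate to check for a stored, outdated root password.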