VMware Cloud Community
AndrewAdvnetsol
Contributor

Root Account Lockout

I keep having my root account locked out. It is not unlocking after the 900 second timeout limit. I thought it was an issue with my backup software. I use Veeam Backup and Replication, but I use that for a lot of different clients that I support and I am not having this issue anywhere else. According to the Auth.log the issue seems to be caused by one server, which is an AD, but from random ports. I have attached the Auth.log.

I am able to unlock the root account and everything works for a short time, then the issue is back.

0 Kudos
5 Replies
jburen
Expert

If you think it is caused by one server, maybe there is a scheduled task on that server that is trying to do something on your host.

Consider giving Kudos if you think my response helped you in any way.
0 Kudos
NathanosBlightc
Commander

If you really suspect your backup software, change the corresponding credential of the ESXi host that you set on the VEEAM backup management console.

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos
AndrewAdvnetsol
Contributor

That has already been done.  Veeam wouldn't work if I didn't have the correct ESXi credentials to access the host entered.

0 Kudos
nachogonzalez
Commander

Hey, hope you are safe and sound.


Your auth.log is filled with these entries:

2020-06-18T22:23:42Z sshd[3567787]: Bad protocol version identification ' ' from 192.168.0.24 port 52657

2020-06-18T23:38:44Z sshd[3568564]: /etc/ssh/sshd_config line 7: Deprecated option UsePrivilegeSeparation

2020-06-18T23:38:44Z sshd[3568564]: /etc/ssh/sshd_config line 15: Unsupported option PrintLastLog

2020-06-18T23:38:44Z sshd[3568564]: Connection from 192.168.0.24 port 65307

What is running on this server 192.168.0.24?

Maybe a monitoring server or something like that?

0 Kudos
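Added example, not part of the thread: a small Python script that groups sshd entries like the ones quoted above by source address, so a host such as 192.168.0.24 stands out with its event counts, number of distinct source ports and the time span it covers. The first four sample lines are the ones quoted in the post; the last two, including the address 192.168.0.50, are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines 1-4 are quoted from the thread; the last two are constructed for this example.
SAMPLE = """\
2020-06-18T22:23:42Z sshd[3567787]: Bad protocol version identification ' ' from 192.168.0.24 port 52657
2020-06-18T23:38:44Z sshd[3568564]: /etc/ssh/sshd_config line 7: Deprecated option UsePrivilegeSeparation
2020-06-18T23:38:44Z sshd[3568564]: /etc/ssh/sshd_config line 15: Unsupported option PrintLastLog
2020-06-18T23:38:44Z sshd[3568564]: Connection from 192.168.0.24 port 65307
2020-06-18T23:40:01Z sshd[3568601]: Connection from 192.168.0.50 port 40112
2020-06-18T23:53:44Z sshd[3568700]: Bad protocol version identification ' ' from 192.168.0.24 port 49822
"""

LINE = re.compile(r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SOURCE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)$")

def summarize(text):
    """Group sshd events by source IP: counts per event kind, ports, first/last seen."""
    hosts = defaultdict(lambda: {"events": defaultdict(int), "ports": set(),
                                 "first": None, "last": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd line in the expected layout
        src = SOURCE.search(m["msg"])
        if not src:
            continue  # sshd_config warnings carry no source address
        kind = "bad_banner" if m["msg"].startswith("Bad protocol version") else "connection"
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        h = hosts[src["ip"]]
        h["events"][kind] += 1
        h["ports"].add(int(src["port"]))
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return hosts

def report(hosts):
    """Return (ip, event counts, distinct port count, time span), busiest source first."""
    ranked = sorted(hosts.items(), key=lambda kv: -sum(kv[1]["events"].values()))
    return [(ip, dict(h["events"]), len(h["ports"]), h["last"] - h["first"])
            for ip, h in ranked]

if __name__ == "__main__":
    for ip, events, ports, span in report(summarize(SAMPLE)):
        print(f"{ip}: {events} distinct_ports={ports} span={span}")
```

A source that appears with many distinct ports at regular intervals is consistent with a scheduled job or monitoring probe opening fresh TCP connections, which is the question the reply raises about that server.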
NathanosBlightc
Commander

Also, you can use tcpdump-uw or pktcap-uw to capture all traffic into a pcap file and then check it carefully in Wireshark (or another similar tool) by sorting on the IP address of incoming packets. Maybe you will find an unexpected network stream ...

Please mark my comment as the Correct Answer if this solution resolved your problem
0 Kudos