VMware Cloud Community
nassaucounty
Contributor
Contributor

"Remote access for ESXi local user account 'root' has been locked for 120 seconds after 362 failed login attempts." Warning occurs every hour.

Not sure why this is happening. Where can I track down what is causing this?  Where can I see the IP of the host trying to login?

Thanks in advance for any help.

5 Replies
rcporto
Leadership
Leadership

Check the file /var/log/auth.log

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
Reply
0 Kudos
nassaucounty
Contributor
Contributor

Thanks, I looked there and all I see is my ssh sessions. Normally ssh is turned off so it's not coming from some device trying to ssh.  I changed the subject of my question to include the number of login attempts which is always in the 360 or so range.  The only thing I can think of is some network discovery going on but without an IP or some other information it's difficult to track down.

Reply
0 Kudos
kleinemeise
Contributor
Contributor

i have the same problem. Can somebody help us? I only want to know, how the source ip is.

Reply
0 Kudos
shane1973
Enthusiast
Enthusiast

What does it say in your vSphere client when you're logged in and have your vCenter highlighted in the left pane and you look at 'events' on the Tasks and Events tab?  It should show those things.

Reply
0 Kudos
shane1973
Enthusiast
Enthusiast

screenshot attached

Reply
0 Kudos