VMware Cloud Community
Kartoffelsalaat
Contributor

root is always locked

Hey,

I'm completely new to ESXi. I took over the structure from the admin before me, but he didn't teach me anything about ESXi.

Now I've got a big problem: the root user is always getting locked when I try to open it via IP in the browser.

I need to go down to our server, where I can log in with the root user (what's kind of strange is that it's working there), and restart a service there. Then I get a timeframe of roughly 1 minute where I can log in in the browser, then it's blocked again.

I checked Veeam, even completely uninstalled it, so no old credential is being used. In PRTG there is nothing either, and we're not using any other software for surveillance or backup.

Does anybody know what I can check to solve this problem?

7 Replies
fabio1975
Commander

Ciao

Try this:

  1. At the console press CTRL+ALT+F2 to get to the ESXi shell. If a login shows up continue with step 3, otherwise continue with step 2.
  2. Login to the DCUI (to enable the ESXi Shell if not already done)
  3. Login with root and the correct password.
  4. Go to Troubleshooting Options
  5. Select Enable ESXi Shell
  6. Press CTRL+ALT+F1
  7. At the ESXi shell login with root and the password
  8. Run the following command to show the number of failed attempts:

pam_tally2 --user root

Run the following command to unlock the root account:

pam_tally2 --user root --reset

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

Kartoffelsalaat
Contributor

Thanks for that.

But the root account is always getting locked; there is a login attempt every 5 seconds from an unknown resource.

2 minutes ago it was ~3650 failed login attempts. Can I somehow pinpoint where it is coming from?

fabio1975
Commander

Ciao 

From the console try this command:

grep failure /var/log/auth.log

You should see in the output the IP from which the connections fail, for example:

2021-03-11T13:05:47Z sshd[73984196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
2021-03-11T13:05:49Z sshd[73984194]: error: PAM: Authentication failure for root from 172.16.100.23

Fabio


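The grep above lists the raw lines; as an added example (not from this thread or from VMware), the following Python script parses sshd failure lines in exactly that auth.log format, groups them by rhost, and reports the count and the average interval between attempts per source, so a steady burst like the one described (one attempt every few seconds) stands out from a one-off typo. The sample log is constructed, and the lock threshold of 5 is an assumption to compare against the host's Security.AccountLockFailures setting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the pam_unix failure line that ESXi's sshd writes to /var/log/auth.log.
# The companion "error: PAM: Authentication failure for root from X" line records
# the same failed attempt, so it is deliberately not matched (no double counting).
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*?\brhost=(?P<rhost>\S*) user=(?P<user>\S+)$"
)

# Constructed sample log in the format quoted above (not data from a real host).
SAMPLE_LOG = """\
2021-03-11T13:05:47Z sshd[73984196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
2021-03-11T13:05:49Z sshd[73984194]: error: PAM: Authentication failure for root from 172.16.100.23
2021-03-11T13:05:52Z sshd[73984201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
2021-03-11T13:05:57Z sshd[73984205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
2021-03-11T13:06:02Z sshd[73984209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
2021-03-11T13:06:07Z sshd[73984213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
2021-03-11T13:20:10Z sshd[73984300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=root
"""

def summarize_failures(log_text, lock_threshold=5):
    """Group sshd auth failures by source host and flag sources that on their own
    reach lock_threshold (assumed 5; compare with Security.AccountLockFailures)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue
        # An empty rhost means the attempt did not arrive over the network
        rhost = m.group("rhost") or "(no rhost)"
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events[rhost].append((ts, m.group("user")))
    summary = {}
    for rhost, items in events.items():
        items.sort()
        times = [t for t, _ in items]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[rhost] = {
            "users": sorted({u for _, u in items}),
            "count": len(items),
            "first": times[0].isoformat(),
            "last": times[-1].isoformat(),
            "avg_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "would_lock": len(items) >= lock_threshold,
        }
    return summary
```

Feed it the real file with `summarize_failures(open("/var/log/auth.log").read())`; a source whose `avg_interval_s` is a few seconds and whose `would_lock` is true is the one to trace.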
Kartoffelsalaat
Contributor

Thanks again for that.

I checked now several times, but the login attempts are not shown in the log; they're seriously unknown.

And I can't even connect via PuTTY, only locally in front of the server...

7:55 was the last manual login attempt, but at 08:37 there was an automatic one from unknown.

fabio1975
Commander

Ciao

In the meantime, we could create an alternative administrative account to access via SSH or via web.
From the console launch the following commands (the password must be complex):

esxcli system account add -d="description" -i="<username>" -p="<password>" -c="<password>"
esxcli system permission set -i="<username>" -r="Admin"

After that, with this new user, you should be able to log in.
Once you have accessed the GUI we can disable the root user lock so that it never locks again, or do some further checks.

Is the ESXi host connected to a vCenter?

Fabio

Kartoffelsalaat
Contributor

Hey,

When I try to use this command, it always tells me that "A specified parameter was not correct id".

Tried several usernames after -i"<username>" but it won't let me create one.

I restarted the management services again, and now I'm at least logged in on my PC and don't need to go to the server room.

Deactivated the 15 minute AFK timer too, so no auto logout.

And we don't have a vCenter.

fabio1975
Commander

Ciao

This is the command that I use to create an account Fabio with password password1!:

esxcli system account add -d="description" -i="fabio" -p="password1!" -c="password1!"

Anyway .....

Let's try to see from which IP any traffic to the ESXi management interface comes.
We identify the interface (normally vmk0) with this command (the affected vmk is the one with the IP of the ESXi host):

esxcli network ip interface list

[screenshot: output of esxcli network ip interface list]

and then we run the dump command:


tcpdump-uw -i vmk0

and we will see all connections with source IP:

[screenshot: tcpdump-uw output showing the connections with their source IPs]

and let's see if there are any connections from IPs with applications that try to log in to the ESXi host, or to strange IPs.

Fabio