ESXi root password is getting locked frequently
I found that no machine/agent is used to authenticate to the ESXi server.
I rebooted ESXi several times.
Same issue.
Earlier the ESXi version was:
VMware ESXi, 6.5.0, 8294253
I even upgraded ESXi to the patch but am still seeing the same issue:
VMware ESXi 6.5.0 build-16576891, Update 3
[root@btp01esx16:/var/log] pam_tally2 --user root
Login      Failures  Latest failure      From
root       250       09/14/20 05:29:57   unknown
[root@btp01esx16:/var/log] pam_tally2 --user root --reset
Login      Failures  Latest failure      From
root       250       09/14/20 05:29:57   unknown
I see the following lines are continuously recorded in /var/log/auth.log:
2020-09-13T04:49:32Z sshd[71851]: rekeyed inbound cipher
2020-09-13T05:49:32Z sshd[71851]: rekeyed outbound cipher
2020-09-13T05:49:32Z sshd[71851]: rekeyed inbound cipher
2020-09-13T06:49:33Z sshd[71851]: rekeyed outbound cipher
2020-09-13T06:49:33Z sshd[71851]: rekeyed inbound cipher
2020-09-13T07:49:33Z sshd[71851]: rekeyed outbound cipher
2020-09-13T07:49:34Z sshd[71851]: rekeyed inbound cipher
2020-09-13T08:49:34Z sshd[71851]: rekeyed outbound cipher
2020-09-13T08:49:34Z sshd[71851]: rekeyed inbound cipher
2020-09-13T09:49:35Z sshd[71851]: rekeyed outbound cipher
2020-09-13T09:49:35Z sshd[71851]: rekeyed inbound cipher
2020-09-13T10:49:35Z sshd[71851]: rekeyed outbound cipher
2020-09-13T10:49:36Z sshd[71851]: rekeyed inbound cipher
2020-09-13T11:49:36Z sshd[71851]: rekeyed outbound cipher
2020-09-13T11:49:36Z sshd[71851]: rekeyed inbound cipher
2020-09-13T12:49:37Z sshd[71851]: rekeyed outbound cipher
2020-09-13T12:49:37Z sshd[71851]: rekeyed inbound cipher
2020-09-13T13:49:37Z sshd[71851]: rekeyed outbound cipher
2020-09-13T13:49:38Z sshd[71851]: rekeyed inbound cipher
2020-09-13T14:49:38Z sshd[71851]: rekeyed outbound cipher
2020-09-13T14:49:38Z sshd[71851]: rekeyed inbound cipher
2020-09-13T15:49:39Z sshd[71851]: rekeyed outbound cipher
2020-09-13T15:49:39Z sshd[71851]: rekeyed inbound cipher
2020-09-13T16:49:40Z sshd[71851]: rekeyed outbound cipher
2020-09-13T16:49:40Z sshd[71851]: rekeyed inbound cipher
2020-09-13T17:49:40Z sshd[71851]: rekeyed outbound cipher
2020-09-13T17:49:41Z sshd[71851]: rekeyed inbound cipher
2020-09-13T18:49:41Z sshd[71851]: rekeyed outbound cipher
2020-09-13T18:49:41Z sshd[71851]: rekeyed inbound cipher
2020-09-13T19:49:42Z sshd[71851]: rekeyed outbound cipher
2020-09-13T19:49:42Z sshd[71851]: rekeyed inbound cipher
2020-09-13T20:49:42Z sshd[71851]: rekeyed outbound cipher
2020-09-13T20:49:42Z sshd[71851]: rekeyed inbound cipher
2020-09-13T21:49:43Z sshd[71851]: rekeyed outbound cipher
2020-09-13T21:49:43Z sshd[71851]: rekeyed inbound cipher
2020-09-13T22:49:44Z sshd[71851]: rekeyed outbound cipher
2020-09-13T22:49:44Z sshd[71851]: rekeyed inbound cipher
2020-09-13T23:49:44Z sshd[71851]: rekeyed outbound cipher
2020-09-13T23:49:45Z sshd[71851]: rekeyed inbound cipher
2020-09-14T00:49:45Z sshd[71851]: rekeyed outbound cipher
2020-09-14T00:49:45Z sshd[71851]: rekeyed inbound cipher
2020-09-14T01:49:46Z sshd[71851]: rekeyed outbound cipher
2020-09-14T01:49:46Z sshd[71851]: rekeyed inbound cipher
2020-09-14T02:49:46Z sshd[71851]: rekeyed outbound cipher
2020-09-14T02:49:47Z sshd[71851]: rekeyed inbound cipher
2020-09-14T03:49:47Z sshd[71851]: rekeyed outbound cipher
2020-09-14T03:49:47Z sshd[71851]: rekeyed inbound cipher
2020-09-14T04:49:48Z sshd[71851]: rekeyed outbound cipher
2020-09-14T04:49:48Z sshd[71851]: rekeyed inbound cipher
Hey,
Could you please run the following: less /var/log/hostd.log | grep -i 'password'
You should see a log line where it says "Rejected" password and which IP it is from. From there we can work on identifying from where the connectivity is flowing.
Hey, hope you are doing fine.
I ran through the same issue a couple of weeks before; this is mostly related to some server trying to access your ESXi via SSH.
The first thing you should do is disable SSH on the host,
then proceed with RCA just as Lalegre stated.
Warm regards
Hi Guys,
Thanks for responding.
I got nothing from hostd.log.
Hey,
What can you see in auth.log and shell.log? Does it show the source IP that is trying to connect?
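A quick way to do the log triage suggested in the two replies above (grep hostd.log for rejected passwords, then look for the source IP in auth.log), as an added example and not anything posted by the participants: a POSIX sh script, usable in the ESXi busybox shell, that tallies rejected passwords and PAM failures per source IP and counts SSH rekey lines separately so they are not mistaken for login attempts. The log line formats and the sample entries are assumptions modelled on ESXi 6.x output, not lines taken from this thread.

```shell
#!/bin/sh
# Summarise rejected ESXi logins by source IP from hostd.log and auth.log.
# Line formats are assumptions modelled on ESXi 6.x; sample data is constructed.

# hostd.log: "... Rejected password for user <user> from <ip>" -> "count ip user"
rejected_by_ip() {
    grep -i 'rejected password' "$1" \
      | sed -n 's/.*Rejected password for user \([^ ]*\) from \([^ ]*\).*/\2 \1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# auth.log: pam_unix "authentication failure ... rhost=<ip> user=<user>".
# An empty rhost (what pam_tally2 shows as "From unknown") is kept as "unknown".
pam_failures_by_ip() {
    grep 'authentication failure' "$1" \
      | sed -n 's/.*rhost=\([^ ]*\).*user=\([^ ]*\).*/\1 \2/p' \
      | sed 's/^ /unknown /' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Hourly "rekeyed ... cipher" lines belong to one long-lived SSH session and
# are not login attempts; count them so they are not confused with failures.
rekey_lines() {
    grep -c 'rekeyed .* cipher' "$1"
}

# Constructed sample logs using RFC 5737 documentation addresses.
make_samples() {
    cat > "$1" <<'EOF'
2020-09-14T05:29:55Z info hostd[ABC] [Originator@6876 sub=Default] Rejected password for user root from 192.0.2.10
2020-09-14T05:29:56Z info hostd[ABC] [Originator@6876 sub=Default] Rejected password for user root from 192.0.2.10
2020-09-14T05:29:57Z info hostd[ABC] [Originator@6876 sub=Default] Rejected password for user root from 192.0.2.44
EOF
    cat > "$2" <<'EOF'
2020-09-14T04:49:48Z sshd[71851]: rekeyed outbound cipher
2020-09-14T04:49:48Z sshd[71851]: rekeyed inbound cipher
2020-09-14T05:29:57Z sshd[71900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
2020-09-14T05:30:01Z sshd[71901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
EOF
}

# Stand-alone demo on the constructed samples; on a host, call the functions
# with /var/log/hostd.log and /var/log/auth.log instead.
DEMO_DIR=$(mktemp -d)
make_samples "$DEMO_DIR/hostd.log" "$DEMO_DIR/auth.log"
echo "hostd rejected passwords (count ip user):"; rejected_by_ip "$DEMO_DIR/hostd.log"
echo "pam failures (count ip user):"; pam_failures_by_ip "$DEMO_DIR/auth.log"
echo "ssh rekey lines, not logins: $(rekey_lines "$DEMO_DIR/auth.log")"
rm -rf "$DEMO_DIR"
```

The top source in the first listing is the host to look at; a count that keeps growing after SSH is disabled points at a client hitting hostd (API/vSphere client) rather than SSH.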
Hi
Some time ago I had the same issue.
On my side it was RaidManager software, which tried to log in with false credentials.
Cheers