iranna_totagi
Contributor

ESXi root password is getting locked frequently

I found that no machine/agent is used to authenticate to the ESXi server.

I rebooted ESXi several times.

Same issue.

Earlier the ESXi version was:

VMware ESXi, 6.5.0, 8294253

I even upgraded ESXi to patch but still seeing same issues:

VMware ESXi 6.5.0 build-16576891, Update 3

[root@btp01esx16:/var/log] pam_tally2 --user root
Login           Failures Latest failure     From
root              250    09/14/20 05:29:57  unknown

[root@btp01esx16:/var/log] pam_tally2 --user root --reset
Login           Failures Latest failure     From
root              250    09/14/20 05:29:57  unknown

I see the following lines are continuously recorded in /var/log/auth.log:

2020-09-13T04:49:32Z sshd[71851]: rekeyed inbound cipher
2020-09-13T05:49:32Z sshd[71851]: rekeyed outbound cipher
2020-09-13T05:49:32Z sshd[71851]: rekeyed inbound cipher
2020-09-13T06:49:33Z sshd[71851]: rekeyed outbound cipher
2020-09-13T06:49:33Z sshd[71851]: rekeyed inbound cipher
2020-09-13T07:49:33Z sshd[71851]: rekeyed outbound cipher
2020-09-13T07:49:34Z sshd[71851]: rekeyed inbound cipher
2020-09-13T08:49:34Z sshd[71851]: rekeyed outbound cipher
2020-09-13T08:49:34Z sshd[71851]: rekeyed inbound cipher
2020-09-13T09:49:35Z sshd[71851]: rekeyed outbound cipher
2020-09-13T09:49:35Z sshd[71851]: rekeyed inbound cipher
2020-09-13T10:49:35Z sshd[71851]: rekeyed outbound cipher
2020-09-13T10:49:36Z sshd[71851]: rekeyed inbound cipher
2020-09-13T11:49:36Z sshd[71851]: rekeyed outbound cipher
2020-09-13T11:49:36Z sshd[71851]: rekeyed inbound cipher
2020-09-13T12:49:37Z sshd[71851]: rekeyed outbound cipher
2020-09-13T12:49:37Z sshd[71851]: rekeyed inbound cipher
2020-09-13T13:49:37Z sshd[71851]: rekeyed outbound cipher
2020-09-13T13:49:38Z sshd[71851]: rekeyed inbound cipher
2020-09-13T14:49:38Z sshd[71851]: rekeyed outbound cipher
2020-09-13T14:49:38Z sshd[71851]: rekeyed inbound cipher
2020-09-13T15:49:39Z sshd[71851]: rekeyed outbound cipher
2020-09-13T15:49:39Z sshd[71851]: rekeyed inbound cipher
2020-09-13T16:49:40Z sshd[71851]: rekeyed outbound cipher
2020-09-13T16:49:40Z sshd[71851]: rekeyed inbound cipher
2020-09-13T17:49:40Z sshd[71851]: rekeyed outbound cipher
2020-09-13T17:49:41Z sshd[71851]: rekeyed inbound cipher
2020-09-13T18:49:41Z sshd[71851]: rekeyed outbound cipher
2020-09-13T18:49:41Z sshd[71851]: rekeyed inbound cipher
2020-09-13T19:49:42Z sshd[71851]: rekeyed outbound cipher
2020-09-13T19:49:42Z sshd[71851]: rekeyed inbound cipher
2020-09-13T20:49:42Z sshd[71851]: rekeyed outbound cipher
2020-09-13T20:49:42Z sshd[71851]: rekeyed inbound cipher
2020-09-13T21:49:43Z sshd[71851]: rekeyed outbound cipher
2020-09-13T21:49:43Z sshd[71851]: rekeyed inbound cipher
2020-09-13T22:49:44Z sshd[71851]: rekeyed outbound cipher
2020-09-13T22:49:44Z sshd[71851]: rekeyed inbound cipher
2020-09-13T23:49:44Z sshd[71851]: rekeyed outbound cipher
2020-09-13T23:49:45Z sshd[71851]: rekeyed inbound cipher
2020-09-14T00:49:45Z sshd[71851]: rekeyed outbound cipher
2020-09-14T00:49:45Z sshd[71851]: rekeyed inbound cipher
2020-09-14T01:49:46Z sshd[71851]: rekeyed outbound cipher
2020-09-14T01:49:46Z sshd[71851]: rekeyed inbound cipher
2020-09-14T02:49:46Z sshd[71851]: rekeyed outbound cipher
2020-09-14T02:49:47Z sshd[71851]: rekeyed inbound cipher
2020-09-14T03:49:47Z sshd[71851]: rekeyed outbound cipher
2020-09-14T03:49:47Z sshd[71851]: rekeyed inbound cipher
2020-09-14T04:49:48Z sshd[71851]: rekeyed outbound cipher
2020-09-14T04:49:48Z sshd[71851]: rekeyed inbound cipher

5 Replies
Lalegre
Virtuoso

Hey,

Could you please run the following: less /var/log/hostd.log |grep -i 'password'

You should see a log line that says "Rejected password" and which IP it comes from. From there we can work on identifying where the connectivity is flowing from.
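The pam_tally2 output in the question only shows a count (250) and "unknown" as the source, so the source has to be recovered from the log lines Lalegre is pointing at. As an added example (not code from VMware or from anyone in this thread), the script below reads lines from auth.log and hostd.log, pulls out failed-password events, and counts them per user and source address, flagging any source that has burned through the lockout budget. The sample lines are constructed; their wording is modelled on OpenSSH "Failed password" messages and hostd "Rejected password for user ... from ..." messages, and the exact format on a given ESXi build is an assumption, so check the regexes against your own logs. The threshold is a parameter; the ESXi advanced setting Security.AccountLockFailures is the value to feed it.

```python
"""Correlate failed-login events on an ESXi host to find which source is
exhausting the root account's pam_tally2 budget.

Added example for this thread; not VMware's code nor any poster's.
Log formats are an assumption modelled on OpenSSH and hostd messages.
"""
import re
from collections import Counter

# Each pattern yields (timestamp, user, source) for one failed attempt.
PATTERNS = [
    # auth.log / sshd: "Failed password for root from 192.0.2.10 port 51234 ssh2"
    re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for "
               r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    # hostd.log: "... Rejected password for user root from 203.0.113.22"
    re.compile(r"^(?P<ts>\S+) .*Rejected password for user "
               r"(?P<user>\S+) from (?P<src>\S+)"),
]

# Constructed sample lines (not from the thread). The "rekeyed" and
# "Accepted"/"logged in" lines are noise the parser must ignore.
SAMPLE_AUTH_LOG = """\
2020-09-13T04:49:32Z sshd[71851]: rekeyed inbound cipher
2020-09-14T05:29:42Z sshd[72010]: Failed password for root from 192.0.2.10 port 51234 ssh2
2020-09-14T05:29:50Z sshd[72015]: Failed password for root from 192.0.2.10 port 51240 ssh2
2020-09-14T05:29:57Z sshd[72019]: Failed password for root from 192.0.2.10 port 51251 ssh2
2020-09-14T05:31:03Z sshd[72030]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2
"""

SAMPLE_HOSTD_LOG = """\
2020-09-14T05:20:01.123Z info hostd[2099123] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 120 : User root@203.0.113.5 logged in as VMware vim-java 1.0
2020-09-14T05:28:11.004Z info hostd[2099124] [Originator@6876 sub=Default opID=abc] Rejected password for user root from 203.0.113.22
2020-09-14T05:28:41.221Z info hostd[2099124] [Originator@6876 sub=Default opID=abd] Rejected password for user root from 203.0.113.22
"""


def parse_failures(lines):
    """Return a list of (timestamp, user, source) for every failed attempt."""
    events = []
    for line in lines:
        line = line.rstrip()
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                events.append((m.group("ts"), m.group("user"), m.group("src")))
                break  # one event per line, even if several patterns could match
    return events


def failures_by_source(lines):
    """Count failed attempts keyed by (user, source address)."""
    return Counter((user, src) for _, user, src in parse_failures(lines))


def sources_over_threshold(lines, threshold):
    """Return [((user, src), count), ...] for sources at or above the
    lockout threshold, most offending first."""
    counts = failures_by_source(lines)
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # On a real host: open("/var/log/auth.log") and open("/var/log/hostd.log").
    lines = SAMPLE_AUTH_LOG.splitlines() + SAMPLE_HOSTD_LOG.splitlines()
    threshold = 3  # use the host's Security.AccountLockFailures value here
    for (user, src), n in failures_by_source(lines).most_common():
        print(f"{user:<8} {src:<16} {n:>4} failed attempt(s)")
    for (user, src), n in sources_over_threshold(lines, threshold):
        print(f"LOCKOUT SOURCE: {src} hit {n} failures for {user}")
```

Running it over both files at once matters because SSH attempts land in auth.log while vSphere API and web-client attempts land in hostd.log; a monitoring agent or management tool with a stale credential shows up as one address with a steady trickle of failures, which is the pattern to look for before unlocking the account again.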

nachogonzalez
Commander

Hey, hope you are doing fine.
I ran through the same issue a couple of weeks ago; this is mostly related to some server trying to access your ESXi via SSH.

The first thing you should do is disable SSH on the host,
then proceed with RCA just as Lalegre stated.

Warm regards

iranna_totagi
Contributor

Hi Guys,

Thanks for responding.

I got nothing from hostd.log.

Lalegre
Virtuoso

Hey,

What can you see in auth.log and shell.log? Do they show the source IP that is trying to connect?

Hr_Ross76
Enthusiast

Hi

Some time ago I had the same issue.

On my side it was a RaidManager software which tried to log in with false credentials.

Cheers
