ESXi

  • 1.  root is always locked

    Posted Sep 10, 2021 06:25 AM

    Hey,

    I'm completely new to ESXi. I took over the structure from the admin before me, but he didn't teach me anything about ESXi.

    Now I've got a big problem: the root user is always getting locked when I try to open it via IP in the browser.

    I need to go down to our server, where I can log in with the root user (which is kind of strange, that it's working there), and restart a service there. Then I get a timeframe of roughly 1 minute where I can log in in the browser, then it's blocked again.

    I checked Veeam, even completely uninstalled it, so no old credential is being used. In PRTG there is nothing either, and we're not using any other software for surveillance or backup.

    Does anybody know what I can check to solve this problem?



  • 2.  RE: root is always locked

    Posted Sep 10, 2021 06:33 AM

    Ciao 

    Try this 

    1. At the console press CTRL+ALT+F2 to get to the ESXi shell. If a login shows up continue with step 3, otherwise continue with step 2.
    2. Log in to the DCUI (to enable the ESXi Shell if not already done)
    3. Log in with root and the correct password.
    4. Go to Troubleshooting Options
    5. Select Enable ESXi Shell
    6. Press CTRL+ALT+F1
    7. At the ESXi shell log in with root and the password
    8. Run the following command to show the number of failed attempts:

    pam_tally2 --user root

    Run the following command to unlock the root account:

    pam_tally2 --user root --reset


  • 3.  RE: root is always locked

    Posted Sep 10, 2021 07:07 AM

    Thanks for that.

    But the root account is always getting locked; there is a login attempt every 5 seconds from an unknown resource.

    2 minutes ago it was ~3650 failed login attempts. Can I somehow pinpoint where they are coming from?



  • 4.  RE: root is always locked

    Posted Sep 10, 2021 07:43 AM

    Ciao 

    From the console, try this command:

    grep failure /var/log/auth.log

    You should see in the output the IP from which the connections fail, for example:

    2021-03-11T13:05:47Z sshd[73984196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.100.23 user=root
    2021-03-11T13:05:49Z sshd[73984194]: error: PAM: Authentication failure for root from 172.16.100.23
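
Added example, not part of the original posts: with a failed attempt every few seconds, a per-source tally of the `authentication failure` lines is easier to read than raw grep output. It assumes the pam_unix line format quoted above and that `awk` and `sort` are available in the shell; the sample lines are constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): count failed logins per service and source.
# The sample lines are constructed, in the pam_unix format quoted in the thread.

sample_log() {
    cat <<'EOF'
2021-03-11T13:05:47Z sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
2021-03-11T13:05:49Z sshd[1001]: error: PAM: Authentication failure for root from 192.0.2.10
2021-03-11T13:05:52Z sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
2021-03-11T13:05:57Z sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
2021-03-11T13:06:10Z sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20 user=root
2021-03-11T13:06:15Z sshd[1005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.20 user=root
2021-03-11T13:07:01Z login[1006]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
EOF
}

# tally_failures [FILE...]  (reads stdin when no file is given)
# Prints "count service rhost user", highest count first.
tally_failures() {
    awk '
    # Only the pam_unix line is counted; the "error: PAM:" line that follows
    # it describes the same attempt and would double the numbers.
    /authentication failure;/ {
        svc = ""; host = ""; user = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pam_unix\(/) {
                svc = $i
                sub(/^pam_unix\(/, "", svc)   # "sshd:auth):" is left
                sub(/:.*/, "", svc)           # keep the service name only
            }
            else if ($i ~ /^rhost=/) host = substr($i, 7)
            else if ($i ~ /^user=/)  user = substr($i, 6)
        }
        if (host == "") host = "(none)"       # empty rhost= means no remote address was recorded
        n[svc " " host " " user]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

# Demo on the constructed sample.
sample_log | tally_failures
```

On the host, call `tally_failures /var/log/auth.log` instead of feeding it the sample.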



  • 5.  RE: root is always locked

    Posted Sep 10, 2021 09:03 AM

    Thanks again for that.

    I've now checked several times, but the login attempts are not shown in the log; they're seriously unknown.

    And I can't even connect via PuTTY, only locally in front of the server...

    7:55 was the last manual login attempt, but at 08:37 there was an automatic one from unknown.



  • 6.  RE: root is always locked

    Posted Sep 10, 2021 09:39 AM

    Ciao

    In the meantime, we could create an alternative administrative account to access via SSH or via web.
    From the console, launch the following commands (the password must be complex):

    esxcli system account add -d="description" -i="<username>" -p="<password>" -c="<password>"
    esxcli system permission set -i="<username>" -r="Admin"


    After that, with this new user, you should be able to log in.
    Once you have accessed the GUI, we can disable the root user lock so that it never locks again, or do some further checks.

    Is the ESXi host connected to a vCenter?



  • 7.  RE: root is always locked

    Posted Sep 10, 2021 10:17 AM

    Hey,

    When I try to use this command, it always tells me "A specified parameter was not correct id"

    I tried several usernames after -i"<username>" but it won't let me create one.

    I restarted the management services again, and now I'm at least logged in on my PC and don't need to go to the server room.

    Deactivated the 15 minute AFK timer too, so no auto logout.

    And we don't have a vCenter.



  • 8.  RE: root is always locked

    Posted Sep 10, 2021 12:50 PM

    Ciao 

    This is the command that I use to create an account Fabio with password password1!

    esxcli system account add -d="description" -i="fabio" -p="password1!" -c="password1!"

    anyway .....

    Let's try to see from which IP any traffic to the ESXi management interface comes.
    We identify the interface (normally vmk0) with this command (the affected vmk is the one with the IP of the ESXi host):

    esxcli network ip interface list


    and then we run the dump command:

     

    tcpdump-uw -i vmk0

    and we will see all connections with their source IP.

    Then let's see whether there are any connections from IPs with applications that try to log in to the ESXi host, or to strange IPs.