Sunday, February 14, 2021

Detecting source of ESXi login failure


  Sometimes we may encounter unexpected or unknown login issues for the ESXi hosts and see some errors like the "remote access for ESXi local user account 'root' has been locked for 900 seconds after xx failed login attempt" in the vSphere client. In most cases we know they are related to the changing credentials and forgot to set them again on the connected solutions, like Backup servers or Monitoring systems. But what can we do if we couldn't find the reason for the login failure?! What should we do if we couldn't reach the real source of the problem? Is it related to a wrong credential truly, or is it a part of a hacking operation (like password guessing)?

The ESXi host keeps many log files (under /var/log or /scratch/log), and for troubleshooting they are very useful for uncovering each aspect of a problem. For this particular issue we can open the hostd.log file and examine its details:

# grep Rejected /var/log/hostd.log

or 

# cat /var/log/hostd.log | grep Rejected

Once you have found the source of the credential rejections, you can work out the root cause by hand: is it preparation for an attack, or a forgotten password change?
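To go one step past grep, the following is an added example script (not from the original post) that groups the "Rejected" lines by source IP and user and separates a fast burst of failures, which looks like guessing, from slow, spaced-out failures, which look like a stale credential on a backup or monitoring system. The sample log lines, the exact line layout and the regexes are assumptions modelled on typical hostd.log output; adjust them to what your host's hostd.log actually shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a hostd.log-like layout (assumption: "Rejected password for user X from IP";
# real line details vary by ESXi version, so adapt the regexes to your own hostd.log).
SAMPLE_LOG = """\
2021-02-14T10:00:01.001Z warning hostd[2099532] [Originator@6876 sub=Default opID=a1] Rejected password for user root from 10.0.0.50
2021-02-14T10:00:01.532Z warning hostd[2099532] [Originator@6876 sub=Default opID=a2] Rejected password for user root from 10.0.0.50
2021-02-14T10:00:02.044Z warning hostd[2099532] [Originator@6876 sub=Default opID=a3] Rejected password for user root from 10.0.0.50
2021-02-14T10:00:02.610Z warning hostd[2099532] [Originator@6876 sub=Default opID=a4] Rejected password for user root from 10.0.0.50
2021-02-14T10:00:03.118Z warning hostd[2099532] [Originator@6876 sub=Default opID=a5] Rejected password for user root from 10.0.0.50
2021-02-14T10:00:03.700Z info hostd[2099532] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 7 : Remote access for ESXi local user account 'root' has been locked for 900 seconds after 5 failed login attempts.
2021-02-14T10:05:00.000Z warning hostd[2099532] [Originator@6876 sub=Default opID=b1] Rejected password for user backup from 10.0.0.7
2021-02-14T10:10:00.000Z warning hostd[2099532] [Originator@6876 sub=Default opID=b2] Rejected password for user backup from 10.0.0.7
"""

REJECT_RE = re.compile(r"^(?P<ts>\S+Z) .*Rejected password for user (?P<user>\S+) from (?P<ip>\S+)")
LOCK_RE = re.compile(r"local user account '(?P<user>[^']+)' has been locked for (?P<secs>\d+) seconds")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def classify_rejections(log_text, window_s=60, threshold=5):
    """Group rejected logins by (source IP, user) and label each group:
    'guessing' = at least `threshold` rejections inside `window_s` seconds (automated burst),
    'stale'    = fewer or slower rejections (typical of a forgotten credential on a connected system).
    Returns (groups, lockouts); lockouts lists (account, seconds) from the lock events."""
    times, lockouts = defaultdict(list), []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            times[(m["ip"], m["user"])].append(parse_ts(m["ts"]))
            continue
        m = LOCK_RE.search(line)
        if m:
            lockouts.append((m["user"], int(m["secs"])))
    groups = {}
    for key, ts in times.items():
        ts.sort()
        burst = len(ts) >= threshold and (ts[-1] - ts[0]).total_seconds() <= window_s
        groups[key] = {"count": len(ts), "first": ts[0], "last": ts[-1],
                       "verdict": "guessing" if burst else "stale"}
    return groups, lockouts

if __name__ == "__main__":
    groups, lockouts = classify_rejections(SAMPLE_LOG)
    for (ip, user), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} {user:8} {g['count']:3} rejections  {g['verdict']}")
    for user, secs in lockouts:
        print(f"lockout: account {user!r} locked for {secs}s")
```

Run it against a copy of hostd.log pulled off the host by replacing SAMPLE_LOG with the file contents; the verdict is only a heuristic, so confirm a "stale" source against your list of backup and monitoring systems before closing the case.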
