2

I have a SuperMicro server with ESXi 6.5 installed on it. It worked fine until recently, when I found I was unable to log in. Checking the log files shows that something is attempting to log in as "root" unsuccessfully and locking the username out repeatedly.

I am not overly worried from a security perspective – the device is only accessible within the local network and we are a small office. We also produce software which performs network scans. The most likely reason is that a piece of software has been instructed (incorrectly) to poll my device with a certain username and password combination that does not work.

The log files show the following:

Remote access for ESXi local user account 'root' has been locked for 120 seconds after xxx failed login attempts.

Infuriatingly, for some reason the log files don't say the IP address of the device attempting to log in, which makes it much harder for me to throw the problem device out of the window.

Am I missing something? Is there some way from the front-end management interface (since naturally I am locked out of the thin client and vSphere has gone the way of the dinosaur) that I can find out who's trying to log into my device?

seagull

1 Answer

1

If the failed logins happen via the vSphere Client or any other way using the web-based API (port 443), like PowerCLI etc., then you can find log entries like

Rejected password for user [username] from [ipaddress]

in the log file /var/log/hostd.log. Find them with a shell command like

grep Rejected /var/log/hostd.log

If the failed logins happen via ssh (if this service is running and not restricted by the built-in firewall, which is an absolute no-go) then you find entries like

error: PAM: Authentication failure for [username] from [ipaddress]

in the log file /var/log/auth.log. Find them with a shell command like

grep failure /var/log/auth.log

VFrontDe
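The two greps from the answer can be folded into one tally of failed logins per source address and user. This is an added example, not part of the original answer: the function names are hypothetical, the sample log lines are constructed around the two message formats quoted above (real lines carry more fields), and it assumes sed, sort, uniq and awk are available in the shell.

```shell
#!/bin/sh
# Added example: count failed logins per source IP and user, using the two
# message formats quoted in the answer (hostd.log and auth.log).

# Reads log lines on stdin, prints "count ip user", highest count first.
failed_login_sources() {
    sed -n \
        -e 's/.*Rejected password for user \([^ ]*\) from \([^ ]*\).*/\2 \1/p' \
        -e 's/.*Authentication failure for \([^ ]*\) from \([^ ]*\).*/\2 \1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Constructed sample input (documentation addresses, simplified prefixes).
# The lockout message is included to show that it carries no source address
# and is therefore skipped.
sample_logs() {
cat <<'EOF'
2024-01-10T09:00:01Z hostd: Rejected password for user root from 192.0.2.15
2024-01-10T09:00:03Z hostd: Rejected password for user root from 192.0.2.15
2024-01-10T09:00:05Z hostd: Rejected password for user root from 192.0.2.15
2024-01-10T09:00:06Z hostd: Remote access for ESXi local user account 'root' has been locked for 120 seconds after 3 failed login attempts.
2024-01-10T09:02:10Z hostd: Rejected password for user admin from 192.0.2.15
2024-01-10T09:02:12Z hostd: Rejected password for user admin from 192.0.2.15
2024-01-10T09:05:40Z sshd[1234]: error: PAM: Authentication failure for root from 192.0.2.77
2024-01-10T09:06:00Z sshd[1240]: Accepted password for root from 192.0.2.20
EOF
}

# Demo run on the constructed sample. On the host itself the input would be:
#   cat /var/log/hostd.log /var/log/auth.log | failed_login_sources
sample_logs | failed_login_sources
```

The first line of output is the address responsible for most of the lockouts, which is the device to track down on the local network.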