Today I missed the root password for my new vSphere ESXi 6.0 host and tried multiple passwords to log in; finally I got the right one. To my surprise, I saw the following in the events:
Remote access for ESXi local user account ‘root’ has been locked for 120 seconds after 11 failed login attempts.
At the same time I could not log in to the vSphere client although I was using the right password.
Wow, this is new in vSphere ESXi 6.0, never heard of this before!
I referred to VMware’s product documentation. In the section "ESXi Passwords, ESXi Pass Phrases, and Account Lockout" of the ESXi and vCenter Server 6.0 documentation, I found the following information:
ESXi Account Lockout Behavior
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of ten failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.
You can configure the login behavior with the following advanced options:
• Security.AccountLockFailures. Maximum number of failed login attempts before a user’s account is locked. Zero disables account locking.
• Security.AccountUnlockTime. Number of seconds that a user is locked out.
And indeed this is new in version 6.0!
This is one of the ESXi best practices that are mandatory for production use.
I hope this information is useful.
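The lockout event quoted above is worth monitoring, since repeated lockouts of the same account point to password guessing or a misconfigured service. The following is an added example, not part of the original post or VMware's documentation: it parses that event message out of collected log text, counts lockouts per host and account, and flags hosts whose lock duration differs from the documented 120-second default. The "host timestamp" line prefix and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Message format as quoted in the post; curly and straight quotes both accepted.
LOCKOUT_RE = re.compile(
    r"Remote access for ESXi local user account ['‘’](?P<user>[^'‘’]+)['‘’] "
    r"has been locked for (?P<secs>\d+) seconds "
    r"after (?P<fails>\d+) failed login attempts"
)

# Documented ESXi 6.0 default for Security.AccountUnlockTime (two minutes).
EXPECTED_UNLOCK_TIME = 120

# Constructed sample input. The "host timestamp" prefix is an assumed layout;
# only the message text follows the event shown in the post.
SAMPLE_EVENTS = """\
esx01 2015-06-01T09:14:02Z Remote access for ESXi local user account 'root' has been locked for 120 seconds after 11 failed login attempts.
esx01 2015-06-01T09:17:40Z Remote access for ESXi local user account 'root' has been locked for 120 seconds after 14 failed login attempts.
esx02 2015-06-01T09:20:11Z Remote access for ESXi local user account ‘svc-backup’ has been locked for 900 seconds after 6 failed login attempts.
esx02 2015-06-01T09:21:00Z Unrelated event line (constructed)
"""

def parse_lockouts(text):
    """Return one dict per lockout event found in the log text."""
    events = []
    for line in text.splitlines():
        m = LOCKOUT_RE.search(line)
        if not m:
            continue
        events.append({
            "host": line.split(None, 1)[0],   # first field, per assumed layout
            "user": m["user"],
            "unlock_secs": int(m["secs"]),
            "failures": int(m["fails"]),
        })
    return events

def summarize(events, expected_unlock=EXPECTED_UNLOCK_TIME):
    """Count lockouts per (host, user); list hosts with a non-default lock time."""
    counts = Counter((e["host"], e["user"]) for e in events)
    drift = sorted({e["host"] for e in events
                    if e["unlock_secs"] != expected_unlock})
    return counts, drift

if __name__ == "__main__":
    counts, drift = summarize(parse_lockouts(SAMPLE_EVENTS))
    for (host, user), n in counts.items():
        print(f"{host}: account {user!r} locked out {n} time(s)")
    print("hosts with non-default unlock time:", drift)
```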