Information
The security control involves restricting account access following a specified number of failed login attempts, acting as a deterrent against brute-force attacks. This control is applicable for SSH and vSphere Web Services SDK access, though not for the Direct Console Interface (DCUI) and the ESXi Shell. A default setting allows five failed attempts before account lockout, with automatic unlock after 15 minutes. The parameter governing this behavior is Security.AccountLockFailures with a recommended setting of 5.
Implementing this control bolsters the host's resilience against unauthorized access attempts, safeguarding system integrity. By thwarting brute-force attacks, it significantly elevates the security posture, making unauthorized access more challenging.
Solution
To set the maximum failed login attempts correctly, perform the following steps:
- From the vSphere Web Client, select the host.
- Click Configure, then expand System.
- Select Advanced System Settings, then click Edit.
- Enter Security.AccountLockFailures in the filter.
- Set the value for this parameter to 5.
Alternatively, use the following PowerCLI command:
Get-VMHost | Get-AdvancedSetting -Name Security.AccountLockFailures | Set-AdvancedSetting -Value 5
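As an added example (not part of the benchmark text or VMware's own tooling), the following PowerCLI script audits every host for the recommended value and, only when asked, remediates it. It assumes a session already opened with Connect-VIServer; the -Expected and -Remediate parameters are the script's own.

```powershell
# Added example: audit (and optionally remediate) Security.AccountLockFailures on all hosts.
# Assumes a PowerCLI session already opened with Connect-VIServer (not shown).
param(
    [int]$Expected = 5,      # recommended value from the benchmark
    [switch]$Remediate       # change hosts only when explicitly requested
)

$settingName = 'Security.AccountLockFailures'

$results = foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    $current = [int]$setting.Value
    # A value of 0 disables lockout entirely, so any value other than the
    # expected one is treated as drift rather than "close enough".
    $compliant = ($current -eq $Expected)

    if (-not $compliant -and $Remediate) {
        # Set-AdvancedSetting prompts by default; -Confirm:$false keeps the run non-interactive.
        $setting | Set-AdvancedSetting -Value $Expected -Confirm:$false | Out-Null
        # Re-read the value instead of assuming the write succeeded.
        $current = [int](Get-AdvancedSetting -Entity $vmhost -Name $settingName).Value
        $compliant = ($current -eq $Expected)
    }

    [pscustomobject]@{
        Host      = $vmhost.Name
        Setting   = $settingName
        Value     = $current
        Expected  = $Expected
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled audit job flag configuration drift.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run without -Remediate first to see which hosts deviate; the exit code makes the audit usable from a scheduler or CI job.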
Impact
A potential downside is the inadvertent denial-of-service scenario, especially with a low threshold for login failures. This could be exploited maliciously or trigger accidental lockouts, impacting system accessibility and possibly demanding additional administrative effort for account resets.