Unlock root account for VMware ESXi host

If the root account gets locked out by too many failed login attempts, you lose vSphere web client and SSH access to the host. The only way to unlock it is through the DCUI console -> ESX Shell. The following command resets the lockout on the root account.

pam_tally2 --user root --reset

As a security best practice, don't place the host directly on the Internet; set firewall rules so that only trusted networks or hosts can access the ESXi management interface.

On a standalone ESXi host that is not managed by vCenter, you can only set firewall rules with esxcli, through SSH or the ESX Shell.

The following commands allow only network a.b.c.d/e to access the vSphere web client and SSH.

esxcli network firewall ruleset set --allowed-all false --ruleset-id=vSphereClient
esxcli network firewall ruleset set --allowed-all false --ruleset-id=sshServer
esxcli network firewall ruleset allowedip add --ip-address=a.b.c.d/e --ruleset-id=vSphereClient
esxcli network firewall ruleset allowedip add --ip-address=a.b.c.d/e --ruleset-id=sshServer
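
Once allowed-all is false, a workstation outside a.b.c.d/e loses both the web client and SSH, and the way back in is the DCUI console. The script below is an added example, not part of the original page: it is a dry run that prints the four commands above only when the admin workstation's address falls inside the network you are about to allow. The function names are hypothetical and the addresses are constructed documentation-range values.

```shell
#!/bin/sh
# Dry-run pre-flight check before restricting the ESXi firewall rulesets.
# Nothing here calls esxcli; it only prints the commands to run.

# Convert a dotted-quad IPv4 address to an integer; fails on malformed input.
# The body runs in a subshell so the IFS and noglob changes stay local.
ip_to_int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty, non-numeric, leading-zero and over-long octets
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed when address $1 lies inside network $2 (a.b.c.d/e notation).
in_cidr() {
    bits=${2#*/}
    case $bits in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the four commands for network $2, but only if the admin
# address $1 would still be allowed once they are applied.
build_rules() {
    in_cidr "$1" "$2" || { echo "refusing: $1 is not inside $2" >&2; return 1; }
    for rs in vSphereClient sshServer; do
        echo "esxcli network firewall ruleset set --allowed-all false --ruleset-id=$rs"
    done
    for rs in vSphereClient sshServer; do
        echo "esxcli network firewall ruleset allowedip add --ip-address=$2 --ruleset-id=$rs"
    done
}

# Constructed sample values: admin workstation and trusted network.
build_rules 192.0.2.25 192.0.2.0/24
```

After applying the printed commands on the host, esxcli network firewall ruleset allowedip list --ruleset-id=sshServer shows what is actually allowed.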