Attacks from a vps

runo10

New Member
Aug 17, 2025
Hello everyone,

I use Proxmox with Virtualizor, and there were attacks from one of the VPSs. When I checked, it looked closed for 2 days, but there were attacks in those two days too. When I check the pmacct traffic logs, there is no traffic in those 2 days. Is there a way that it looks stopped but is running? Or is my server infected and the logs are missing? Or is another VPS using that IP and MAC? But there are no logs, so I think the problem is on the server?
 
How do you conclude that?

BTW, the first recommendation is:
do not expose PVE publicly.
Use a firewall to whitelist an IP, or a VPN.
The company where I lease the server sent me a message about attacks from the VPS ID. Their firewall caught attacks.

I will probably reinstall the server to guarantee security. But is Virtualizor safe to use? And what do I need to do for a fully secure system?

You suggest that I connect to a VPN and only its IP will be allowed for the server?
 
Their firewall caught attacks
What does that mean?
You need to post facts, like real messages, logs or errors.
It's expected that a firewall shows scans and login attempts against exposed hosts. It doesn't mean an attack.

You suggest that I connect to a VPN
No, I mean a self-hosted VPN.

only its IP will be allowed for the server
It's another way: instead of a self-hosted VPN, you can allow only a specified IP (only valid if you have a fixed WAN IP).

what do I need to do for a fully secure system
There isn't one answer; it depends. Each case has prerequisites and constraints.
 
Reactions: Johannes S
[Attachment: 1755465085340.png]

Here is what they caught. My concern is that these attacks were made from a VDS IP, but my server didn't log them, or the logs were removed? And the VDS looks stopped for two days. But there are attacks.
 
these attacks were made from a VDS IP
As said, it's only bots which try credentials.
Don't worry, if you have a robust password.
As SSH on port 22 is the most used, providers enable "Fail2ban" to mitigate attempts, but nowadays bots have many other IPs to continue the job.
As said, only whitelisting access by IP or VPN can prevent these attempts.

my server didn't log them, or the logs were removed
Why do you think that?
Fail2ban of the host isn't managed by you?


the VDS looks stopped for two days
Facts?

BTW, as English isn't my language, I don't understand all the words fully, and writing back what I want in English is even more difficult.
So, don't get me wrong with my wording.
 
Reactions: Johannes S
I have a server. It has VDSs for customers. One of the customers' VDSs attacks outside of the server. Fail2ban is from where I lease the server. The IP in the logs belongs to a VDS. And the VDS has not been working for 2 days, when I check Virtualizor.
 
Yes, but the VM was closed/stopped when some of the attacks happened. And there are no traffic logs on the server.
My guess is that someone gained access via SSH if it was exposed to the internet and not locked down.
Do you have access to a virtual firewall that the host has?

I know Proxmox has a virtual firewall; we use it to lock down SSH etc.
 
But it looks closed/stopped, so I thought that the access is on the main server? Actually, I will reinstall so as not to take a risk. Do you have any suggestions? Is Virtualizor safe, or any other suggestion?
 
We self-host our Proxmox cluster, but I would go with Hetzner if you can create an account. We use it for some of our clients and it works great.

I don't know what your needs are, but Hetzner is just a VPS hosting provider and it lets you add a virtual firewall to lock down ports etc.

What was hosted on that VPS, a webserver, a fileserver? If a webserver, was it pure HTML or PHP? If PHP, what PHP version?
 
I have a server in a datacenter, and it uses Proxmox and Virtualizor. And there are VDSs inside it for customers who want a VDS.
 
But it looks closed/stopped, so I thought that the access is on the main server?
Again, don't conclude something without facts.
A compromised VM cannot access the host; that's the point of virtualization.

Actually, I will reinstall so as not to take a risk.
Reinstalling the host isn't required.
Check the journalctl/eventlog of the VM/VPS/VDS; perhaps there is just a simple shutdown.

it uses Proxmox and Virtualizor
This forum is for the Proxmox side only.
The Virtualizor overlay needs to be abstracted from your posts.
 
Reactions: Johannes S
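
The thread keeps returning to one checkable fact: whether the reported events fall inside or outside the periods when the guest was actually running. The following is an added example, not part of any post and not Proxmox or Virtualizor code, that correlates the two; the state-change records, the report timestamps and the two-minute clock-skew tolerance are constructed assumptions, to be replaced with values read from your own task and journal logs.

```python
from datetime import datetime, timedelta, timezone

def parse(ts):
    """Parse ISO 8601 with an explicit UTC offset and normalise to UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset: {ts}")
    return dt.astimezone(timezone.utc)

def running_intervals(state_events, log_end):
    """Turn (timestamp, 'start'|'stop') records into (begin, end) run intervals."""
    intervals, begin = [], None
    for ts, action in sorted((parse(t), a) for t, a in state_events):
        if action == "start" and begin is None:
            begin = ts
        elif action == "stop" and begin is not None:
            intervals.append((begin, ts))
            begin = None
    if begin is not None:              # still running at the end of the log window
        intervals.append((begin, parse(log_end)))
    return intervals

def classify(reports, intervals, skew=timedelta(minutes=2)):
    """Label each reported event by whether the VM was running (within clock skew)."""
    result = {}
    for ts in reports:
        t = parse(ts)
        hit = any(b - skew <= t <= e + skew for b, e in intervals)
        result[ts] = "vm_running" if hit else "vm_stopped"
    return result

# Constructed sample data: state changes of one guest, in host-local time (+03:00)
STATE_EVENTS = [
    ("2025-08-14T09:00:00+03:00", "start"),
    ("2025-08-15T18:30:00+03:00", "stop"),
    ("2025-08-17T20:10:00+03:00", "start"),
]
# Constructed provider report timestamps, given in UTC
REPORTS = [
    "2025-08-15T15:29:10+00:00",   # 18:29:10 local, just before the stop
    "2025-08-16T11:05:00+00:00",   # inside the stopped window
    "2025-08-17T17:11:00+00:00",   # 20:11 local, just after the restart
]

if __name__ == "__main__":
    iv = running_intervals(STATE_EVENTS, "2025-08-18T00:00:00+03:00")
    for ts, label in classify(REPORTS, iv).items():
        print(ts, label)
```

Events labelled `vm_stopped` are the ones worth escalating with evidence: they mean either the timestamps are being compared in different time zones, or something other than that guest was sending traffic from the address.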
You don't even get the problem. What will change if I find a shutdown? That means there is an attack when the VM is closed. Why is a host reinstall not required then? Do you understand that it is impossible for a VM to be closed and attacking? I researched that there are ghost situations, or the probability of access to the host server. But you talk about things irrelevant to my situation.

And I know this is a Proxmox forum. But Proxmox is VM/KVM management software. Also, I don't ask about problems with Virtualizor. I ask about Proxmox experiences with Virtualizor, or suggestions for others like WHMCS etc. You may not make the distinction, but please don't sabotage the discussion anymore.
 
If someone gained unauth access to your Proxmox host, then you need to secure it.
Like only allowing access from trusted IPs, or locking it down with MFA etc.
I don't have Proxmox on the public internet.
I have it behind a firewall, locked down tight.

We use WHMCS, but it's just a management interface for customers for stuff like services etc.
If a customer's VM was attacking other VMs, then it's an issue with that VM and not with Virtualizor. I hope that the customer in Virtualizor doesn't have access to SSH from the GUI or something else. Then you need to check for logins etc.
Seems like you need to get paid help to figure this out.

As we don't have access to the server logs etc., we can't help.
And you have not said what you use to protect against SSH attacks etc. I hope that you locked down SSH access to the clients' servers if they are Linux, or locked down RDP if Windows. If not, then now is a good time to implement it.

The user above asks the correct questions to gain more understanding of your issue.
 
Reactions: Johannes S