pulse fills syslog with flood messages

ieronymous

Hi
After installing Pulse monitor for Proxmox (in LXC), I am flooded with messages like the one below:
DemoProx sshd-session[32039]: Connection closed by authenticating user root 192.168.20.15 port 50520 [preauth]

These messages are non-stop and the port changes in each line. The preauth tag means it happened before login succeeded — so it’s not a successful root login, just a connection attempt.
Anyone else noticed that? A mitigation to this issue?
 
It sounds like what you’re experiencing is a result of automated bots scanning and attempting to brute force an SSH connection. This is a common issue, especially if your server is exposed to the internet. One mitigation step you can take is to change the default SSH port to something less obvious—it won’t stop determined attackers, but it can reduce the noise significantly. Another helpful measure is setting up a tool like fail2ban, which can detect and temporarily block repeated failed login attempts. You could also consider disabling root login entirely and using SSH keys instead of password authentication for added security. Finally, if these attempts are coming from a specific IP range, adding a firewall rule to block those IPs might also help. Hope these suggestions give you a good starting point!

Even though it seems like an intrusion attempt, it is far from that. The service isn't exposed to the internet, the IP comes from the server accommodating Pulse, and it begins immediately after I deploy the agent via the script provided by the program itself, after I fill in the Proxmox IP.

Apart from that, and since I've read about the way it works, it seems that even if I explicitly tell it to use the token API for the connection, that damn thing still tries via sshd and it fails. Somewhere else I've read that this is the way it works by SSH, which means that at specific intervals it semi-reaches the server as a node, VM and storage auditor (permissions have been declared in the appropriate fields by the script - I checked that multiple times), reads something and eliminates the short SSH connection. So the whole message includes 3 more lines and repeats itself every 10 seconds or so.

In conclusion, the issue is that I can't get it to use the API token somehow. I used the manual way as well except the automated way. I don't know if this is a bug of the new version, since it seems to have been updated recently.
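
Added example, not part of the thread and not Pulse's own code: a way to tell from the log itself whether the preauth disconnects come from an internal source on a fixed interval (as described above for 192.168.20.15, roughly every 10 seconds) or from irregular connection attempts. It assumes each line starts with an ISO 8601 timestamp; the sample lines, the second address 203.0.113.7 and the thresholds are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Assumed layout: ISO 8601 timestamp, host, then the sshd message quoted in the thread.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd(?:-session)?\[\d+\]: Connection closed by "
    r"(?:authenticating|invalid) user (?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize(lines, min_events=4, max_jitter=0.2):
    """Group preauth disconnects by source IP and flag fixed-interval sources."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            seen[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    report = {}
    for ip, events in seen.items():
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps) if gaps else 0.0
        # Periodic: enough events, and the spread of gaps is small relative to the median gap.
        periodic = (len(times) >= min_events and mid > 0
                    and pstdev(gaps) <= max_jitter * mid)
        addr = ipaddress.ip_address(ip)
        report[ip] = {
            "count": len(times),
            "users": sorted({u for _, u in events}),
            "median_gap_s": mid,
            "internal": any(addr in net for net in RFC1918),
            "periodic": periodic,
        }
    return report

def constructed_sample():
    """Constructed lines (not from the thread): one 10 s poller, one irregular source."""
    fmt = ("2025-01-10T10:00:{:02d}+00:00 DemoProx sshd-session[{}]: Connection closed "
           "by authenticating user root {} port {} [preauth]")
    poller = [fmt.format(s, 32039 + s, "192.168.20.15", 50520 + s) for s in range(0, 60, 10)]
    other = [fmt.format(s, 41000 + s, "203.0.113.7", 40000 + s) for s in (1, 2, 3, 41, 42)]
    return poller + other

if __name__ == "__main__":
    for ip, info in summarize(constructed_sample()).items():
        print(ip, info)
```

A source that is both internal and periodic is consistent with a scheduled poller rather than password guessing; the flag describes timing only and does not identify which program opened the connection.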