Am I under attack?

[OD3UNICRON]

Oct 25 18:07:14 UniMatrix003 sshd[643282]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=152.32.147.9
Oct 25 18:07:17 UniMatrix003 sshd[643282]: Failed password for invalid user farzanerz from 152.32.147.9 port 55864 ssh2
Oct 25 18:07:18 UniMatrix003 sshd[643282]: Received disconnect from 152.32.147.9 port 55864:11: Bye Bye [preauth]
Oct 25 18:07:18 UniMatrix003 sshd[643282]: Disconnected from invalid user farzanerz 152.32.147.9 port 55864 [preauth]
Oct 25 18:07:29 UniMatrix003 sshd[643348]: Invalid user egarcia from 47.236.82.200 port 60522
Oct 25 18:07:29 UniMatrix003 sshd[643348]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:07:29 UniMatrix003 sshd[643348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.236.82.200
Oct 25 18:07:31 UniMatrix003 sshd[643348]: Failed password for invalid user egarcia from 47.236.82.200 port 60522 ssh2
Oct 25 18:07:33 UniMatrix003 sshd[643348]: Received disconnect from 47.236.82.200 port 60522:11: Bye Bye [preauth]
Oct 25 18:07:33 UniMatrix003 sshd[643348]: Disconnected from invalid user egarcia 47.236.82.200 port 60522 [preauth]
Oct 25 18:07:37 UniMatrix003 sshd[643410]: Invalid user sreng from 141.95.162.177 port 54240
Oct 25 18:07:37 UniMatrix003 sshd[643410]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:07:37 UniMatrix003 sshd[643410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=141.95.162.177
Oct 25 18:07:39 UniMatrix003 sshd[643410]: Failed password for invalid user sreng from 141.95.162.177 port 54240 ssh2
Oct 25 18:07:41 UniMatrix003 sshd[643410]: Received disconnect from 141.95.162.177 port 54240:11: Bye Bye [preauth]
Oct 25 18:07:41 UniMatrix003 sshd[643410]: Disconnected from invalid user sreng 141.95.162.177 port 54240 [preauth]
Oct 25 18:08:07 UniMatrix003 sshd[643608]: Invalid user net from 36.111.176.54 port 48144
Oct 25 18:08:07 UniMatrix003 sshd[643608]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:08:07 UniMatrix003 sshd[643608]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.111.176.54
Oct 25 18:08:08 UniMatrix003 sshd[643608]: Failed password for invalid user net from 36.111.176.54 port 48144 ssh2
Oct 25 18:08:09 UniMatrix003 sshd[643608]: Received disconnect from 36.111.176.54 port 48144:11: Bye Bye [preauth]
Oct 25 18:08:09 UniMatrix003 sshd[643608]: Disconnected from invalid user net 36.111.176.54 port 48144 [preauth]
Oct 25 18:08:17 UniMatrix003 sshd[643676]: Invalid user mounajyoti from 161.49.89.39 port 60436
Oct 25 18:08:17 UniMatrix003 sshd[643676]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:08:17 UniMatrix003 sshd[643676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=161.49.89.39
Oct 25 18:08:18 UniMatrix003 sshd[643676]: Failed password for invalid user mounajyoti from 161.49.89.39 port 60436 ssh2
Oct 25 18:08:20 UniMatrix003 sshd[643676]: Received disconnect from 161.49.89.39 port 60436:11: Bye Bye [preauth]
Oct 25 18:08:20 UniMatrix003 sshd[643676]: Disconnected from invalid user mounajyoti 161.49.89.39 port 60436 [preauth]
Oct 25 18:08:20 UniMatrix003 sshd[643689]: Invalid user behish from 171.244.37.97 port 46964
Oct 25 18:08:20 UniMatrix003 sshd[643689]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:08:20 UniMatrix003 sshd[643689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=171.244.37.97
Oct 25 18:08:22 UniMatrix003 sshd[643689]: Failed password for invalid user behish from 171.244.37.97 port 46964 ssh2
Oct 25 18:08:23 UniMatrix003 sshd[643689]: Received disconnect from 171.244.37.97 port 46964:11: Bye Bye [preauth]
Oct 25 18:08:23 UniMatrix003 sshd[643689]: Disconnected from invalid user behish 171.244.37.97 port 46964 [preauth]
Oct 25 18:08:23 UniMatrix003 sshd[643708]: Invalid user pouriamg from 83.12.113.122 port 48264
Oct 25 18:08:23 UniMatrix003 sshd[643708]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:08:23 UniMatrix003 sshd[643708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=83.12.113.122
Oct 25 18:08:25 UniMatrix003 sshd[643708]: Failed password for invalid user pouriamg from 83.12.113.122 port 48264 ssh2
Oct 25 18:08:26 UniMatrix003 sshd[643708]: Received disconnect from 83.12.113.122 port 48264:11: Bye Bye [preauth]
Oct 25 18:08:26 UniMatrix003 sshd[643708]: Disconnected from invalid user pouriamg 83.12.113.122 port 48264 [preauth]
Oct 25 18:08:30 UniMatrix003 sshd[643761]: Invalid user implicit from 58.78.72.114 port 51098
Oct 25 18:08:30 UniMatrix003 sshd[643761]: pam_unix(sshd:auth): check pass; user unknown
Oct 25 18:08:30 UniMatrix003 sshd[643761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.78.72.114
Oct 25 18:08:32 UniMatrix003 sshd[643761]: Failed password for invalid user implicit from 58.78.72.114 port 51098 ssh2
Oct 25 18:08:34 UniMatrix003 sshd[643761]: Received disconnect from 58.78.72.114 port 51098:11: Bye Bye [preauth]
Oct 25 18:08:34 UniMatrix003 sshd[643761]: Disconnected from invalid user implicit 58.78.72.114 port 51098 [preauth]

This is from my System log.

 

[marcioindau]

yes, you are.

 

[esi_y]

This is normal experience when you expose port 22 to the Internet. The issue with PVE is that it is NOT designed to be exposed to the public, e.g. it ships with root login allowed over SSH with a mere password.
Do not give your host any public IPs.

See also: https://bugzilla.proxmox.com/show_bug.cgi?id=5816

 

[_gabriel]

The issue with PVE is that it is NOT designed to be exposed to the public

Wrong wording, ANY hypervisor shouldn't be exposed to the public, this is not specific to PVE.

 

[esi_y]

Wrong wording, ANY hypervisor shouldn't be exposed to the public, this is not specific to PVE.

I can leave e.g. Debian (with disabled root login) that is updated on a public IP with no firewall and just collect these logs. I would not leave it like that if it installed with PermitRootLogin yes. And this is me, who also filed e.g. the firewall bootup bug.

 

[pvps1]

it's good practice to not expose pve to the public.
you should access pve over a vpn or internal networks. block ssh on public interface or configure sshd to not listen on that interface.

if and only if you cannot do this: disallow login with passwords (key only) and install some kind of IPS like fail2ban.

brute force attacks on port 22 are common daily business

 

[esi_y]

disallow login with passwords (key only) and install some kind of IPS like fail2ban.

Then he needs to be able to deal with this:
https://bugzilla.proxmox.com/show_bug.cgi?id=5736

And he will have other (than 22) ports open, with a firewall solution provided that may not load the rulest:
https://bugzilla.proxmox.com/show_bug.cgi?id=5759

 

[pvps1]

ad sshd: we deploy our keys to a separated file, not to authorized_keys of the cluster (didnt read the full bugreport though)
ad other ports: sshd was the example for one service. I encourage people to understand "concepts" and not just copy/paste

 

[esi_y]

ad sshd: we deploy our keys to a separated file, not to authorized_keys of the cluster (didnt read the full bugreport though)

The OP can't guess this.

ad other ports: sshd was the example for one service. I encourage people to understand "concepts" and not just copy/paste

I don't want the OP to think that PVE is somehow fine to be on the Internet with passwordless SSH.

 

[pvps1]

The OP can't guess this.



I don't want the OP to think that PVE is somehow fine to be on the Internet with passwordless SSH.

you are right.

 

[esi_y]

you are right.

I think you are the first person on the forum after 1 year that said this to my points. I hope it was not sarcastic.

(It's good points in general, but I just had the not-that-pleasant conversation in the BZ about people who keep 8006 open to the world with the reasoning from staff that everyone kind of knows they are not supposed to, so that's where I was coming from spotting OP like this.)