[SOLVED] I think someone is trying to connect to my proxmox

Bala

New Member
Jun 21, 2023
17
0
1
Hello there! (Sorry for my bad english)

I am really new to proxmox (and linux in general), I'm not even sure if this is the place I'm supposed to write this.
So I installed proxmox a week ago, I plan to set up a NAS and other stuff in the future, but now I only have an Ubuntu VM right now. I try to be as vigiliant as I can be, so I check the syslog every time before I shutdown my server. Things seemed to be pretty okay, but today I saw a few concerning things (the images I attached). This ip (192.168.0.108) belongs to a computer on my network, that my family only uses for stuff like watching youtube and Netflix, because it's an old computer, and we weren't sure if it had a malware or something. Nobody in my family tried to login from that computer, so it's either really infected by something, or I just really misunderstood what these logs say, or how networks work (I'm pretty new to that stuff too).

I've already set up 2fa, and these login attempts tried usernames like "Administrator", "Admin", "Sysadm", "user", etc., so whoever tried to login doesn't even know I'm using proxmox, because then they would've tried to login using root, so I think I should be safe.

How concerned should I be, and what should I do? Should I tighten my security somehow? Should I just simply erase everything from the suspected computer and reinstall an OS from zero, to erase the malware for good?

And since they only tried to login a couple of times, do you think they have the passwords stored on that computer, or they just tried some basic ones like "12345"? (I've never used that computer for anything, so my passwords aren't on it)
 

Attachments

  • ProxMox screenshot1.png
    ProxMox screenshot1.png
    105.3 KB · Views: 42
  • ProxMox screenshot2.png
    ProxMox screenshot2.png
    107.9 KB · Views: 39
Yes, it looks like the reported host is infected. If it's an old computer and only used to watch videos it's probably an even better idea to install some Linux distribution and be much better protected from such malware in general. Maybe data were stolen from the infected host but I doubt that you're able to verify what happened exactly. If you connect something to the infected host while it's running or if you back up data from it it could be possible that you spread infected files to other hosts. Although, if the malware runs only on Windows then it will not harm a Linux installation.

Regarding your Proxmox VE installation, with a good (and unique) password/passphrase you're on the safe side. 2FA protects your login from such attacks even more.

I think the tried passwords are stored somehow on the infected host but those lists are endless and made of frequently used/leaked passwords.
 
Last edited:
  • Like
Reactions: Bala
And keep in mind to change all of the passwords of websites you used with that machine. If that host can try to attack other hosts, it probably also logged all passwords you typed in on that machine...
 
  • Like
Reactions: Bala
A couple of notes.
These appear as a break in attempt by brute force by dictionary. In other words, a script is run that attempts loads of login names, including root.
Are you sure these are coming from the LAN? If yes, then indeed there is a chance that machine is infected and trying to move laterally in your network. If is the WAN, then it is "normal" to the extent this is what firewalls are there to protect from, and it doesn't happen when ports are simply forwarded. Source IPs can be faked. Firewalls fails them as part of "bogons" on WANS by default.
Set SSH servers to NOT allow root login.
 
  • Like
Reactions: Bala
Yes, it looks like the reported host is infected. If it's an old computer and only used to watch videos it's probably an even better idea to install some Linux distribution and be much better protected from such malware in general. Maybe data were stolen from the infected host but I doubt that you're able to verify what happened exactly. If you connect something to the infected host while it's running or if you back up data from it it could be possible that you spread infected files to other hosts. Although, if the malware runs only on Windows then it will not harm a Linux installation.

Regarding your Proxmox VE installation, with a good (and unique) password/passphrase you're on the safe side. 2FA protects your login from such attacks even more.

I think the tried passwords are stored somehow on the infected host but those lists are endless and made of frequently used/leaked passwords.
And keep in mind to change all of the passwords of websites you used with that machine. If that host can try to attack other hosts, it probably also logged all passwords you typed in on that machine...
Thanks for the help, I will do these.
 
A couple of notes.
These appear as a break in attempt by brute force by dictionary. In other words, a script is run that attempts loads of login names, including root.
Are you sure these are coming from the LAN? If yes, then indeed there is a chance that machine is infected and trying to move laterally in your network. If is the WAN, then it is "normal" to the extent this is what firewalls are there to protect from, and it doesn't happen when ports are simply forwarded. Source IPs can be faked. Firewalls fails them as part of "bogons" on WANS by default.
Set SSH servers to NOT allow root login.
I only have one port forwarded, but it's one of the ports of my VM, so my proxmox should still only be accessable from my own network. Except if there is a way to access proxmox from a VM's port.
 
It depends. Say for example you are forwarding port 22 or a custom one for ssh access to the VM. The port is forwarded at the router which is also normally the firewall. So the traffic goes unimpeded to the VM. If that VM doesn't have ssh hardened and gets compromised, that's it, they're in. From there, the miscreants can start moving around inside your network.
 
  • Like
Reactions: Bala
It depends. Say for example you are forwarding port 22 or a custom one for ssh access to the VM. The port is forwarded at the router which is also normally the firewall. So the traffic goes unimpeded to the VM. If that VM doesn't have ssh hardened and gets compromised, that's it, they're in. From there, the miscreants can start moving around inside your network.
I only run a minecraft server on the Ubuntu, so I opened port 25565. As I know this should still be secure. Nothing else listens to that port to my knowledge.
 
Last edited:
  • Like
Reactions: Bala
"secure" is relative...I for example remember the log4shell vulnerability not that long ago that allowed remote code execution...not just on the minecraft server, also on all minecraft clients...I hope you patched that ;)
https://en.wikipedia.org/wiki/Log4Shell
https://www.youtube.com/watch?v=7qoPDq41xhQ

Because of such things you should run your services in a DMZ, so infected hosts can't spread that easily in your LAN.
I did not hear about this vulnerability, but I will look into it. Thanks for the information!
 
"secure" is relative...I for example remember the log4shell vulnerability not that long ago that allowed remote code execution...not just on the minecraft server, also on all minecraft clients...I hope you patched that ;)
https://en.wikipedia.org/wiki/Log4Shell
https://www.youtube.com/watch?v=7qoPDq41xhQ

Because of such things you should run your services in a DMZ, so infected hosts can't spread that easily in your LAN.
So I read about the log4shell vulnerability. I use the forge server pack, but I installed it only about a week ago, and I read that it was patched from version 1.12 to 1.18, so I should already have the updated version. As for the DMZ, I will definitely look into it.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!