My VM stops by itself

tom_chbn

New Member
Feb 4, 2021
7
0
1
24
Hello,
Since this morning, my VM (which is on Debian 10 and Plesk) stops by itself without any reason after an indeterminate time. I've looked at the logs, I can't find anything suspicious.
Do you know how I can fix the problem?
Thanks in advance.
 
hi,

have you checked the logs both inside the VM and on PVE? if you can post the syslogs that could shed some light
 
This is for the PVE :

Code:
Mar 29 00:26:27 ns3077521 sshd[1195018]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=________
Mar 29 00:26:29 ns3077521 sshd[1195018]: Failed password for invalid user user4 from ___________ port 37320 ssh2
Mar 29 00:26:30 ns3077521 sshd[1195018]: Received disconnect from ________ port 37320:11: Bye Bye [preauth]
Mar 29 00:26:30 ns3077521 sshd[1195018]: Disconnected from invalid user user4 ________ port ______ [preauth]
Mar 29 00:26:37 ns3077521 sshd[1195024]: Invalid user macintosh from _________ port 53436
Mar 29 00:26:37 ns3077521 sshd[1195024]: pam_unix(sshd:auth): check pass; user unknown
Mar 29 00:26:37 ns3077521 sshd[1195024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=__________
Mar 29 00:26:39 ns3077521 sshd[1195024]: Failed password for invalid user macintosh from 118.27.37.117 port 53436 ssh2
Mar 29 00:26:39 ns3077521 sshd[1195024]: Received disconnect from __________ port 53436:11: Bye Bye [preauth]
Mar 29 00:26:39 ns3077521 sshd[1195024]: Disconnected from invalid user macintosh ________ port 53436 [preauth]
Mar 29 00:27:00 ns3077521 systemd[1]: Starting Proxmox VE replication runner...
Mar 29 00:27:00 ns3077521 systemd[1]: pvesr.service: Succeeded.
Mar 29 00:27:00 ns3077521 systemd[1]: Started Proxmox VE replication runner.
Mar 29 00:27:45 ns3077521 sshd[1195252]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1__________ user=root
Mar 29 00:27:46 ns3077521 sshd[1195252]: Failed password for root from 1__________ port _________ ssh2
Mar 29 00:27:48 ns3077521 sshd[1195252]: Received disconnect from _____port 54092:11: Bye Bye [preauth]
Mar 29 00:27:48 ns3077521 sshd[1195252]: Disconnected from authenticating user root ________ port 54092 [preauth]

This is for the VM :

Code:
127.0.0.1 admin [2021-03-29 23:29:30] 'Update Domain DNS Zone' ('Client GUID': '____-_______-47a7-83da-43c54409129c' => '_________-cb08-47a7-83da-43c54409129c', 'Domain GUID': '____________-3bf6-499c-acd0-ec705634a2d4' => '_______-3bf6-499c-____-ec705634a2d4', 'Domain Name': '____________' => '____________________')
162.158.155.9  [2021-03-30 06:26:19] 'CP User Login Attempt Failed' ('Client GUID': '2e36a3b4-cb08-47a7-83da-43c54409129c' => '', 'Login Name': 'admin' => '')

I have put lines for personal information

Thanks
 
from the logs it looks like someone is trying to guess your password for SSH and the control panel you're using. but i'm not sure if that is related with the problem you're having...
i'd still suggest you to install fail2ban to protect against bruteforce attempts like this.

it would help if you could post the /var/log/syslog from around the times of the reboot/shutdown/crash, from both PVE and your debian VM
 
Code:
Mar 30 00:02:29 web-fr postfix/smtpd[9789]: connect from unknown[____________]
Mar 30 00:02:30 web-fr plesk_saslauthd[9962]: failed mail authentication attempt for user 'postmaster' (password len=9)
Mar 30 00:02:30 web-fr postfix/smtpd[9789]: warning: unknown[__________]: SASL LOGIN authentication failed: authentication failure
Mar 30 00:02:31 web-fr postfix/smtpd[9789]: disconnect from unknown[________] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 30 00:02:35 web-fr named[602]: client @_________ ___________#80 (sl): query (cache) 'sl/ANY/IN' denied
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@$
Mar 30 06:23:35 web-fr kernel: [    0.000000] Linux version 4.19.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian $

Nothing happened from 00:02 to 00:28 (time of the incident)
I turned the server back on at 06:23.
 
do you have enough memory on the server? maybe it's running out of memory...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!