Hi, I am running Proxmox VE with Crowdsec. Proxmox has a public IP (XXX.XXX.XXX.18), so it is available from the internet.
So far, Crowdsec works fine, but it seems that I get some kind of self-reporting.
On my Proxmox VE, two virtual machines are running:
1) a Proxmox mail gateway and
2) a Plesk server.
For a few days now, I have listed ssh-bf and ssh-slow-bf scenarios alerts in Crowdsec. They can be assigned to the IP addresses of my mail gateway (XXX.XXX.XXX.30) and my Plesk server (XXX.XXX.XXX.20).
The reported ssh login attempts are definitely not from my side. Any idea?
I am pretty sure that neither the Proxmox Mail Gateway server nor the Plesk server is compromised; passwords are safe and both VMs are up to date.
Why do these ssh attempts occur? They come from IP XXX.XXX.XXX.20 (Plesk server) and XXX.XXX.XXX.30 (Proxmox Mail Gateway) to XXX.XXX.XXX.18 (Proxmox VE host).
Is this really an attack or something I could solve by settings?
Proxmox VE syslog shows me, for example, the following messages regarding the screenshot (pixelated IPs are the Mail Gateway and Plesk VMs):
Code:
Aug 13 08:22:44 pve sshd[401572]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= XXX.XXX.XXX.30 user=root
Aug 13 08:22:46 pve sshd[401572]: Failed password for root from XXX.XXX.XXX.30 port 60920 ssh2
Aug 13 05:34:04 pve sshd[331177]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.20 user=root
Aug 13 05:34:06 pve sshd[331177]: Failed password for root from XXX.XXX.XXX.20 port 37082 ssh2
Aug 13 05:34:08 pve sshd[331177]: Connection closed by authenticating user root XXX.XXX.XXX.20 port 37082 [preauth]
Aug 13 05:34:08 pve sshd[331186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.20 user=root
Aug 13 05:34:09 pve sshd[331186]: Failed password for root from XXX.XXX.XXX.20 port 43442 ssh2
Aug 13 05:34:10 pve sshd[331186]: Connection closed by authenticating user root XXX.XXX.XXX.20 port 43442 [preauth]
Aug 13 05:34:10 pve sshd[331190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.20 user=root
Aug 13 05:34:12 pve sshd[331190]: Failed password for root from XXX.XXX.XXX.20 port 43446 ssh2
Aug 13 05:34:13 pve sshd[331190]: Connection closed by authenticating user root XXX.XXX.XXX.20 port 43446 [preauth]
Aug 13 05:34:13 pve sshd[331216]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.20 user=root
Aug 13 05:34:15 pve sshd[331216]: Failed password for root from XXX.XXX.XXX.20 port 43460 ssh2
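As an added example (not from this thread, and not CrowdSec's own code), a small Python triage script that replays sshd lines like the ones above: it counts "Failed password" bursts per source over a sliding window and separates sources that belong to one's own VMs from external ones, so a self-reported alert can be checked before anything is banned. The addresses are constructed documentation-range stand-ins for the masked IPs, and the 5-hits-in-10-seconds threshold is an assumption approximating a brute-force bucket, not CrowdSec's exact ssh-bf rule.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample built from the poster's sshd lines. Masked addresses are replaced by
# documentation-range stand-ins (203.0.113.20 = Plesk VM, .30 = PMG VM, host = .18); one
# extra .20 line at 05:34:16 is added so that source crosses the burst threshold.
SAMPLE_LOG = """\
Aug 13 08:22:46 pve sshd[401572]: Failed password for root from 203.0.113.30 port 60920 ssh2
Aug 13 05:34:06 pve sshd[331177]: Failed password for root from 203.0.113.20 port 37082 ssh2
Aug 13 05:34:08 pve sshd[331177]: Connection closed by authenticating user root 203.0.113.20 port 37082 [preauth]
Aug 13 05:34:09 pve sshd[331186]: Failed password for root from 203.0.113.20 port 43442 ssh2
Aug 13 05:34:12 pve sshd[331190]: Failed password for root from 203.0.113.20 port 43446 ssh2
Aug 13 05:34:15 pve sshd[331216]: Failed password for root from 203.0.113.20 port 43460 ssh2
Aug 13 05:34:16 pve sshd[331220]: Failed password for root from 203.0.113.20 port 43464 ssh2
"""
# Only 'Failed password' lines count; 'Connection closed ... [preauth]' lines are ignored.
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(log_text, year=2024):
    """Return (timestamp, user, source_ip) per failed-password line (syslog carries no year)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]))
    return events

def burst_sources(events, threshold=5, window_s=10):
    """Sources with at least `threshold` failures inside any `window_s`-second sliding window (assumed rule)."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1  # slide the window start forward until it fits
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

def triage(hits, own_networks):
    """Split bursting sources into own infrastructure (self-reporting candidates) and external."""
    own = [ip_network(n) for n in own_networks]
    internal = {ip: n for ip, n in hits.items() if any(ip_address(ip) in net for net in own)}
    return internal, {ip: n for ip, n in hits.items() if ip not in internal}
```

A source that lands in the internal bucket points at a process on one of your own VMs (or at traffic being relayed through them) rather than at an outside attacker, which is what to investigate on the VM side before adjusting CrowdSec's whitelist.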