virusbook.cn and other suspicious entries in pveproxy access log

BlueMoon

May 29, 2016
My /var/log/pveproxy/access.log contains this:

45.249.246.220 - - [09/Jul/2016:13:34:46 +0700] "GET http://www.virusbook.cn/proxyverifytest/http/2016-07-09-14:34:46/xxx.xxx.xxx.xxx/3128 HTTP/1.1" 501 -
204.152.218.49 - - [09/Jul/2016:16:01:40 +0700] "GET http://www.proxylists.net/proxyjudge.php HTTP/1.1" 501 -
91.236.75.4 - - [10/Jul/2016:04:04:37 +0700] "GET http://www.google.com/reader/about/ HTTP/1.1" 501 -
80.82.70.24 - - [10/Jul/2016:06:19:45 +0700] "GET http://httpheader.net HTTP/1.1" 501 -

What does this actually mean? virusbook.cn and proxylists.net seem suspicious!

And also, how do I disable the pveproxy access log? Will disabling this log speed up the system?

Thanks.
 
Someone tried to access your server, but all requests were rejected. In general, it is a good idea to protect against access from outside using a firewall.
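What those four lines are, and a way to pick them out of a log, as an added example that is not part of the thread: a normal pveproxy request line reads "GET /api2/json/... HTTP/1.1". A target that is an absolute URL ("GET http://www.proxylists.net/proxyjudge.php HTTP/1.1") or a CONNECT request is the client asking the server to relay traffic on its behalf, which is how open-proxy scanners test a host (proxyjudge-style scripts report what the relay leaks about the origin). pveproxy is not a forward proxy and answers 501 Not Implemented, exactly as the posted log shows. The script below reconstructs that check over sample lines; the first two lines are copied from the post, the remaining lines and the 10.0.0.5 address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise open-proxy probes in a
# pveproxy access.log. A request whose target is an absolute URL, or a
# CONNECT request, is a client asking pveproxy to relay traffic; pveproxy
# answers 501, and the source IPs are candidates for blocking.

# Constructed sample log in the /var/log/pveproxy/access.log format. The first
# two lines are copied from the post; the others are made up for this example.
make_sample_log() {
    cat > "$1" <<'EOF'
45.249.246.220 - - [09/Jul/2016:13:34:46 +0700] "GET http://www.virusbook.cn/proxyverifytest/http/2016-07-09-14:34:46/xxx.xxx.xxx.xxx/3128 HTTP/1.1" 501 -
204.152.218.49 - - [09/Jul/2016:16:01:40 +0700] "GET http://www.proxylists.net/proxyjudge.php HTTP/1.1" 501 -
10.0.0.5 - - [09/Jul/2016:16:05:00 +0700] "GET /api2/json/cluster/resources HTTP/1.1" 200 1234
45.249.246.220 - - [10/Jul/2016:04:04:37 +0700] "CONNECT www.example.com:443 HTTP/1.1" 501 -
10.0.0.5 - - [10/Jul/2016:06:00:00 +0700] "POST /api2/json/access/ticket HTTP/1.1" 401 -
EOF
}

# Print "count ip" for every source that sent proxy-style requests, most
# active first (ties broken by IP).
proxy_probe_report() {
    awk -F'"' '
        # $2 is the quoted request line: METHOD TARGET VERSION
        {
            n = split($2, req, " ")
            if (n < 2) next
            method = req[1]; target = req[2]
            if (method == "CONNECT" || target ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//) {
                split($1, pre, " ")   # $1 starts with the client IP
                count[pre[1]]++
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print only the IPs with at least MIN probes (default 1), one per line,
# e.g. to paste into a firewall IPSet.
probe_sources() {
    proxy_probe_report "$1" | awk -v min="${2:-1}" '$1 >= min { print $2 }'
}

# Usage on a node: proxy_probe_report /var/log/pveproxy/access.log
```

Blocking the listed IPs is cosmetic; the scanners rotate. The useful outcome of the report is confirming that port 8006 is reachable from the internet at all, which is the problem the rest of the thread addresses.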
 
1. I am not sure what "virusbook.cn and proxylists.net" are and I don't want to know. Seems suspicious to me...
2. Is your Proxmox node not behind a firewall? If not, what are you waiting for?
3. Is your Proxmox node accessible from the internet? If so and there's no need for this (there shouldn't be any IMO), make it impossible to access from the internet.

By the sound of it, the PVE node is directly connected to a modem and wide open to the internet. That's not good. Do what Dietmar suggests: install a reputable FW. Once somebody compromises or gains access to PVE, they basically have access to the VMs.

Also, why would you disable the "pveproxy access log"? It won't make the system faster. Plus, this is one way of telling if someone accessed your PVE node. Why would you basically deactivate the only way you currently have of detecting suspicious access? I don't get it...
 

1. Me too :p

2. Not behind any firewall. I'm not sure; I've tried a few times but had no luck with the Proxmox built-in firewall, while the "external" one doesn't seem to work well. Can I just disable Proxmox's firewall and use CSF instead?

3. Yes, the nodes are accessible through the internet. I have 3 machines (2 nodes and 1 quorum). By this, I mean all of them (3 machines) have port 8006 open to the internet. Bad idea? Should I only allow one of them to be accessible through the internet? I think I can't block all of them, since sometimes I need to access the GUI while the internal network's machines have no browser.

I want to disable access.log for pveproxy because on a particular day I saw the log file grow to 1 MB. Wouldn't disabling it speed up the machine, because it wouldn't need to write to the hard drive that often?

Thanks!
 
You should not allow any of them to be accessible from the internet. Period.

Then how can I manage Proxmox from the GUI when needed?
On my desktop side, I have no static IP, so I can't whitelist my own IP and blacklist others.
On the server side, there is no GUI browser. Or can I have a GUI web browser on a Linux server that has no X installed?

Thanks!
 
Then how can I manage Proxmox from the GUI when needed?
On my desktop side, I have no static IP, so I can't whitelist my own IP and blacklist others.

There are several options:
  • Activate the GUI via SSH when you need it and deactivate it afterwards (not so good)
  • Use VPN to create a secure connection and only allow connection from secured channels
  • Use port knocking to open your IP in the firewall
  • Proxy your Proxmox through a "real" webserver and
    • enable username/password (simple htaccess stuff, but an additional layer)
    • use client certificates for the best security.
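One way to realise the VPN option with the Proxmox VE firewall the original poster had trouble with, as an added example that is not LnxBil's configuration or part of the thread: put the VPN subnet in an IPSet, accept 8006 and 22 only from that set, and log-then-drop everything else aimed at 8006. The IPSet name admin_vpn and the subnet 10.8.0.0/24 are assumptions for the example. The file format is the datacenter-wide /etc/pve/firewall/cluster.fw format; Proxmox adds its own rules for cluster traffic and treats its predefined management IPSet specially, so check the firewall chapter of the PVE documentation for your version, and apply the change from a console or from inside the VPN so a mistake cannot lock you out. The second function is a small audit that flags ACCEPT rules for 8006 that carry no -source restriction, which is what "wide open to the internet" looks like in this file.

```shell
#!/bin/sh
# Added example (not from the thread): lock the Proxmox VE GUI (tcp/8006) and
# ssh (tcp/22) down to an admin/VPN network with the built-in datacenter
# firewall, plus an audit for world-open 8006 rules. Assumed names: the
# IPSet "admin_vpn" and the VPN subnet passed as $1 (e.g. 10.8.0.0/24).

# Emit the datacenter firewall file in the /etc/pve/firewall/cluster.fw format.
pve_gui_lockdown_fw() {
    admin_net="$1"
    cat <<EOF
[OPTIONS]
enable: 1
policy_in: DROP

[IPSET admin_vpn] # networks allowed to reach the GUI and ssh
${admin_net}

[RULES]
IN ACCEPT -source +admin_vpn -p tcp -dport 8006 -log nolog
IN ACCEPT -source +admin_vpn -p tcp -dport 22 -log nolog
IN DROP -p tcp -dport 8006 -log warning
EOF
}

# Print every IN ACCEPT rule in the [RULES] section of FILE that opens
# dport 8006 without a -source restriction (a world-open GUI). The check is
# deliberately narrow: a rule with no -dport at all, or with
# -source 0.0.0.0/0, is not caught.
world_open_gui_rules() {
    awk '
        /^\[/ { in_rules = ($0 ~ /^\[RULES\]/) }
        in_rules && /^IN[ \t]+ACCEPT/ && /-dport[ \t]+8006([ \t]|$)/ && !/-source[ \t]/ { print }
    ' "$1"
}

# Succeed (exit 0) only if FILE has no world-open GUI rule.
gui_locked_down() {
    [ -z "$(world_open_gui_rules "$1")" ]
}

# On a node (from a console or a VPN session, not over the public IP):
#   cp /etc/pve/firewall/cluster.fw /root/cluster.fw.bak 2>/dev/null
#   pve_gui_lockdown_fw 10.8.0.0/24 > /etc/pve/firewall/cluster.fw
#   gui_locked_down /etc/pve/firewall/cluster.fw && echo "no world-open 8006 rule"
```

The explicit DROP rule for 8006 is redundant with the DROP input policy; it is there so that probes like the ones in the posted log show up in the firewall log with a warning level, which is a better signal than the pveproxy access log because it also sees connections that never complete a request.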
 

Thanks a lot, LnxBil. You helped a lot. I will try one of these options.
 
