Weird behaviour, cluster compromised by malicious activities?

noire

New Member
Jul 31, 2023
Hi there,
something weird has been happening to my cluster for about 10 days or so. I have connections during the night of about 15 mins each which are targeting the only Windows 2022 server VM.
I had an exposed SoftEther VPN server and a RustDesk server based on Ubuntu minimal 22.04 as VMs in the cluster (bad practice, I know; I have already moved these 2 VMs to 2 different physical machines on a different network behind an nginx reverse proxy paired with CrowdSec and fail2ban, and on each VM there is CrowdSec installed with its firewall bouncer).

In the first days of May, SRV2 got rebooted at about 5:00 in the morning; the VPN server then became unresponsive and I only found this out when I went back to the office. When I was trying to reboot the service I noticed something weird: it was looking for IBA (Intel Boot Agent) as a boot device. I had never seen this happen before, so I started my investigation. Each server (SRV1, SRV2, SRV3, SRV4 and DENG-SRV1) has 2x PCIe Intel I225-V NICs with dual 2.5Gb ports and 2 onboard Realtek NICs.

A couple of days ago I formatted everything (5 servers on consumer hardware: Ryzen 5900X + MSI B550M Tomahawk motherboard paired with 128GB RAM), changed motherboards, NICs and drives, but tonight it happened again. There were connections to the Windows 2022 server and a cluster node (DENG-SRV1).

My setup is:
- 5x PVE nodes 8.2 in cluster
- 1x PBS as a cluster VM
- 1x TrueNAS Core v13 (separate device)

SRV1 is the cluster boss
The PBS has exclusive access to a NFS share on the TrueNAS for backups
The Win 2022 server VM was #114 before the formatting and is #108 after the formatting

I will post here a couple of screenshots of the logs.
Thanks to anyone replying on this!

[attachment: 1715442832221.png]
[attachment: 1715442361138.png]

and then I also noticed this in the cluster logs

[attachment: 1715442155931.png]