Application Deployment - I think there's a penetration attack going on

System Information

| Field | Value |
|---|---|
| Operating System | Linux - Ubuntu 20.04.6 on x86_64 |
| Product | AMP ‘Decadeus’ v2.4.8.0 (Mainline) |
| Virtualization | QEMU_KVM |
| Application | Application Deployment |
| Module | ADSModule |
| Running in Container | No |
| Current State | Indeterminate |

Task

I think there’s a penetration attack going on

Problem Description

Issue

So everything started some weeks ago: I’ve seen some logins with strange usernames like “admin”, “root”, “system”, etc.

They were just 5-7 times a day.

Now there are hundreds of them every 5 minutes.

The fact is that the login attempts are being made by 127.0.0.1, which is local. What can I do?

In the following picture, there’s a part of the Logs that shows the unauthorized and unrecognized accesses.

Reproduction Steps

  • Access the panel
  • See the sidebar
  • Click on the audit log

Yup, this is normal for a service exposed to the Internet. But we can see that AMP is banning IPs by itself. Nothing really to worry about.

If they’re coming from localhost then you’ve got something misconfigured. Are you using a reverse proxy?

Piggybacking off what Mike said, if you have a reverse proxy, be sure you follow this guide. Also, if you aren’t using X-Forwarded-For headers, use them.
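The point made in the replies above, as an added example that is not part of the original thread and is not AMP's own code: behind a reverse proxy every connection reaches the backend from 127.0.0.1, so the real source has to be taken from X-Forwarded-For, and only when the TCP peer is the proxy itself. The trusted-proxy list and the sample attempts (documentation address ranges) are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: only the reverse proxy on this host may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

def is_trusted(addr):
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff=None):
    """Return the address a request should be attributed to.

    The header is honoured only when the TCP peer is a trusted proxy, and it
    is walked right to left so entries a client prepended itself are ignored.
    """
    if not is_trusted(peer) or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer          # malformed header: fall back to the peer
        if not is_trusted(hop):
            return hop           # first hop not added by our own proxy
    return peer                  # every hop was a trusted proxy

# Constructed failed-login attempts: (TCP peer, X-Forwarded-For, username).
SAMPLE = [
    ("127.0.0.1", "203.0.113.7", "admin"),
    ("127.0.0.1", "203.0.113.7", "root"),
    ("127.0.0.1", "127.0.0.1, 198.51.100.23", "system"),  # forged left entry
    ("127.0.0.1", None, "admin"),          # proxy not sending the header
    ("192.0.2.50", "127.0.0.1", "root"),   # direct connection, forged header
]

def failed_logins_by_source(attempts):
    """Count attempts per resolved source address."""
    return Counter(client_ip(peer, xff) for peer, xff, _user in attempts)

if __name__ == "__main__":
    for source, count in failed_logins_by_source(SAMPLE).most_common():
        print(f"{source:15} {count}")
```

The fourth sample row is the situation in the question: with no header forwarded, the attempt can only be attributed to 127.0.0.1, so per-IP banning cannot tell one remote source from another.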
