I have docker installed in a vm inside proxmox. I am running a few linuxserver docker containers, all behind swag. Of the few containers installed, I am only actually using nextcloud, syncthing and duckdns, the others are just running but have not done anything with them yet. Everything works.
pfblockerng, a malicious ip and ad blocker running inside pfsense, is blocking multiple and regular outboud swag connections to at least one malicious ip in Russia (this one: 22.214.171.124; on multiple ports); see here: GreyNoise Visualizer. I do not understand why this is happening.
Any ideas on what is going on?
This seems fishy. First of all swag shouldn’t be making outbound connections other than when doing cert renewals at 2am. You might want to start switching containers off and see if that stops the connecting and you may need to check your containers to see if any have been compromised.
Thanks a lot for the quick reply and the advice. I will start switching off containers and see. Could it be any container making the connection through swag? I said it was swag because the outbound connection originates from its ip on port 443, but I guess that would always be the case for all outbound connections since all my containers run behind swag?
Not to my knowledge but then if they’re on the same VM, it will show as the same internal IP/
Any advice on where to start looking into a potentially compromised container?
Usual things, check for files that wouldn’t normally be there, check for processes you don’t recognise and start turning stuff off 1 by 1 to see when it stops sending the requests. If you’ve got SSH exposed to the internet, it could be the VM that’s compromised maybe.
Thanks, I will start looking into that…