Bug Report: False "Failed Login Attempts" Warning in ProxMenux Monitor

[carldx]

Description:
The ProxMenux Monitor dashboard is showing a high number of failed login attempts (e.g., 6000+ in 24h), even though there are no actual failed login events on the system.

What I observed:

The dashboard displays a warning about failed login attempts.
However, checking the Proxmox logs shows no failed authentication attempts.

Verification steps:
I checked the Proxmox access logs with the following command:

sudo grep "POST /api2/json/access/ticket" /var/log/pveproxy/access.log | grep -E "401|403"

Result:

0 matches found

This confirms there are no failed login attempts recorded.

Environment:

Proxmox VE (latest version)
ProxMenux Monitor (Stable and Beta tested)
Installed via official script

Additional notes:

The issue appeared after reinstalling ProxMenux.
The warning persists even after a clean reinstall and system reboot.
No external exposure (internal network only).
Logs show normal API activity (HTTP 200 responses only).

Impact:
This creates a misleading security warning in the dashboard, which can cause confusion and unnecessary troubleshooting.

Expected behavior:
The dashboard should accurately reflect failed login attempts based on actual log data.

Actual behavior:
The dashboard reports a large number of failed login attempts that do not exist in the logs.

Possible cause:
It may be incorrectly parsing logs or counting non-authentication requests as failed logins.

Let me know if you need additional logs or testing from my side.

[MacRimi]

Thanks for reporting this and for sharing the details.

ProxMenux analyzes system logs using journalctl, not just the Proxmox API logs (such as /var/log/pveproxy/access.log). This means it can detect failed authentication attempts from all system services, including SSH, the Proxmox Web UI, PAM, and others.

How to verify the source of these attempts:

View failed authentication attempts from the last 24 hours:

journalctl --since '24 hours ago' -g 'authentication failure|failed password|invalid user' | head -100

Get a summary grouped by service:

journalctl --since '24 hours ago' -g 'authentication failure|failed password|invalid user' | grep -oP '(sshd|pvedaemon|pveproxy|systemd-logind)' | sort | uniq -c | sort -rn

See the IP addresses attempting access (SSH-related):

journalctl --since '24 hours ago' -g 'failed password|invalid user' | grep -oP 'from \K[0-9.]+' | sort | uniq -c | sort -rn | head -20

This should help you better understand where these attempts are coming from and which services are being targeted.

[carldx]

Hi @MacRimi,

Thank you so much for your detailed response and for sharing the commands. I really appreciate the time you took to explain this.

Thanks to the first command you suggested:

journalctl --since '24 hours ago' -g 'authentication failure|failed password|invalid user' | head -100

I was able to pinpoint the source of the issue very quickly. This clearly shows that ProxMenux itself wasn’t the cause — it was just accurately reporting the authentication failures across the system.

Please keep up the great work you’re doing! I’m very excited about the upcoming release of ProxMenux 1.0.2 after the beta phase.

Thanks again for your support and for making troubleshooting so much smoother.

Best regards,