I'm trying to figure out if my devices are being hacked or if I'm just misinterpreting my logs. I have several web-facing servers like Immich and Glances, and I use Virtualmin for hosting websites. Everything is set up behind Traefik and mostly runs via Docker. Recently, I've noticed some log entries showing requests from an IP in my Docker internal network (192.168.57.1) to my Traefik server, specifically targeting port 10000 on my Virtualmin setup. My concern is that there doesn't seem to be a physical device corresponding to that IP, so I'm wondering if it's just Docker networking at play or if there's a potential intrusion. How can I determine whether this activity is normal or if something suspicious is happening?
5 Answers
What you're seeing seems to be a bad request directed at Traefik. Since it’s a GET request for `/`, and if you don’t have a route for it, it’s completely understandable. It’s probably just bots or some random scripts trying to connect, nothing to worry about.
Is your Virtualmin or Webmin at the helm of listening on port 10000? They’re both known to use that port. There might be a chance that there's an unresolved TLD on the server causing repeated requests.
From what I can see, it looks like that IP might be a virtual router for your Docker network. It's not unusual to see traffic like this if everything is properly isolated, but check to confirm its role.
It sounds like that could be the Docker bridge doing its thing. Try running `ip addr | grep 192.168.57.1` to get more details, or inspect all your containers to see what's active on that network.
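The check suggested in the answers above, as an added example that is not part of the original thread: it reads the JSON printed by `docker network inspect` and reports whether an address is a network's gateway, a container, or an unassigned address inside a Docker subnet. The sample JSON, the network name `traefik_proxy` and the container entries are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of `docker network inspect` output, trimmed to the
# fields used here; the network name and container IDs are made up.
SAMPLE_INSPECT = """
[
  {
    "Name": "traefik_proxy",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "192.168.57.0/24", "Gateway": "192.168.57.1"}]},
    "Containers": {
      "3f2a": {"Name": "traefik", "IPv4Address": "192.168.57.2/24"},
      "9c1b": {"Name": "immich", "IPv4Address": "192.168.57.3/24"}
    }
  }
]
"""


def classify_ip(inspect_json, ip):
    """Return (role, network, detail) for ip, given `docker network inspect` JSON."""
    addr = ipaddress.ip_address(ip)
    in_subnet = None
    for net in json.loads(inspect_json):
        for cfg in (net.get("IPAM", {}).get("Config") or []):
            if cfg.get("Gateway") and ipaddress.ip_address(cfg["Gateway"]) == addr:
                # On a bridge network the gateway address is assigned to the
                # host's bridge interface, so no separate device owns it.
                return ("gateway", net["Name"], net.get("Driver"))
            if cfg.get("Subnet") and addr in ipaddress.ip_network(cfg["Subnet"]):
                in_subnet = net["Name"]
        for c in (net.get("Containers") or {}).values():
            if c.get("IPv4Address", "").split("/")[0] == ip:
                return ("container", net["Name"], c["Name"])
    if in_subnet:
        # Inside a Docker subnet but not the gateway or a listed container:
        # this is the case that deserves a closer look.
        return ("unassigned", in_subnet, None)
    return ("unknown", None, None)


if __name__ == "__main__":
    for ip in ("192.168.57.1", "192.168.57.3", "192.168.57.50", "10.0.0.5"):
        print(ip, classify_ip(SAMPLE_INSPECT, ip))
```

To run it against a real host, pass the output of `docker network inspect $(docker network ls -q)` as `inspect_json` instead of the sample.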
Check your setup for any defined health checks. Sometimes, the Docker host will send requests to the web server it's hosting to verify that everything's up and running, which could explain the traffic you're seeing.
