Date: Sat, 28 Apr 2007 11:44:42 -0700 From: Garrett Cooper <youshi10@u.washington.edu> To: maximo4k <maximo4k@gmail.com> Cc: freebsd-questions@FreeBSD.org Subject: Re: Need your help Message-ID: <4633961A.4040403@u.washington.edu> In-Reply-To: <1514709144.20070428120955@gmail.com> References: <1514709144.20070428120955@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
maximo4k wrote: > Hello freebsd-questions, > > From: Maksym Kuvyklin<maximo4k@gmail.com> > > Subject: I have suspicion that somebody use my server like zombie server. > > Environment:FreeBSD mail.ukremb.com 5.5-RELEASE FreeBSD 5.5-RELEASE > #6: Mon Apr 23 14:41:21 EDT 2007 > root@mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL i386 > > Description: > Sorry for my pure English. I am new in this community. > I had detected that somebody tryed to penetrate via ssh into my server. > When I had changed the port all this attempts were finished. Then server notified > me about that somebody use my IP address and after that my network adapter had down. > I had changed it to another one and the server had started work again. I have static IP address. > But, now my connection is very slow. I have looked throught the logs and I had not > found any tracks of penetration. Please, help me to solve this problem. What I'd do is determine from another machine if there's another machine trying to spoof your IP, and thus trying to do a man in the middle type of attack, knowingly or unknowingly. Contact your ISP or talk with your network admin and see if you can get the offender kicked off the network IF you are supposed to have a static IP address. If you set the IP address statically yourself and you don't manage your network or you didn't get the AOK from your network managers, you are IP squatting, which isn't a good idea in the first place, and technically you are the one at fault for causing this issue. If not, then you should check your machine for active connections (netstat -a -f inet), and see if there's anything out of the ordinary that you didn't expect to be running on your PC. If you still can't determine anything, check /var/log/auth.log -- this assumes you're running syslog; syslog can be turned on by going to rc.conf, adding SYSLOG_ENABLE="YES" and then running "/etc/rc.d/syslog start". After that, see if there are any users logging in that are unknown to you, or should not be logging in. Good things to think about when administering a system though: 1. Use strong passwords. 2. Turn off unnecessary services. 3. Reduce possible sources of entry into your system (ties into 2.). Cheers and best of luck, -Garrett
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4633961A.4040403>