From: Garrett Cooper
To: maximo4k
Cc: freebsd-questions@FreeBSD.org
Date: Sat, 28 Apr 2007 11:44:42 -0700
Subject: Re: Need your help
Message-ID: <4633961A.4040403@u.washington.edu>
In-Reply-To: <1514709144.20070428120955@gmail.com>

maximo4k wrote:
> Hello freebsd-questions,
>
> From: Maksym Kuvyklin
>
> Subject: I have a suspicion that somebody is using my server as a zombie server.
>
> Environment: FreeBSD mail.ukremb.com 5.5-RELEASE FreeBSD 5.5-RELEASE
> #6: Mon Apr 23 14:41:21 EDT 2007
> root@mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL i386
>
> Description:
> Sorry for my poor English. I am new in this community.
> I have detected that somebody tried to penetrate my server via ssh.
> When I changed the port, all these attempts stopped. Then the server notified
> me that somebody was using my IP address, and after that my network adapter went down.
> I changed it to another one and the server started working again. I have a static IP address.
> But now my connection is very slow. I have looked through the logs and have not
> found any traces of penetration. Please help me to solve this problem.

What I'd do is determine from another machine if there's another machine trying to spoof your IP, and thus trying to do a man-in-the-middle type of attack, knowingly or unknowingly. Contact your ISP or talk with your network admin and see if you can get the offender kicked off the network IF you are supposed to have a static IP address. If you set the IP address statically yourself and you don't manage your network or you didn't get the AOK from your network managers, you are IP squatting, which isn't a good idea in the first place, and technically you are the one at fault for causing this issue.

If not, then you should check your machine for active connections (netstat -a -f inet), and see if there's anything out of the ordinary that you didn't expect to be running on your PC.
If you still can't determine anything, check /var/log/auth.log -- this assumes you're running syslog; syslog can be turned on by going to rc.conf, adding syslogd_enable="YES" and then running "/etc/rc.d/syslogd start". After that, see if there are any users logging in that are unknown to you, or should not be logging in.

Good things to think about when administering a system though:

1. Use strong passwords.
2. Turn off unnecessary services.
3. Reduce possible sources of entry into your system (ties into 2.).

Cheers and best of luck,
-Garrett
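Garrett's reply comes down to three log-side checks: look for another host answering ARP for your address, see which sources are hammering sshd, and list the logins that actually succeeded; his tips 2 and 3 are about closing the extra ways in. The script below is an added example, not part of Garrett's reply and not code from the FreeBSD project. It runs those checks over constructed sample lines embedded in the script (the MAC, addresses, user names and timestamps are made up, but the line formats are the ones FreeBSD's kernel uses for an ARP conflict and OpenSSH's sshd uses in auth.log), and finishes with a small audit of two sshd_config directives.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeBSD project):
# log-side checks for the symptoms in the thread, run over constructed
# sample lines so the script works offline.

# Constructed /var/log/messages excerpt. FreeBSD's kernel reports an ARP
# conflict as "arp: <mac> is using my IP address <ip> on <if>!".
MESSAGES_SAMPLE='Apr 28 10:02:11 mail kernel: arp: 00:0c:29:aa:bb:cc is using my IP address 192.0.2.10 on fxp0!
Apr 28 10:02:40 mail kernel: arp: 00:0c:29:aa:bb:cc is using my IP address 192.0.2.10 on fxp0!
Apr 28 10:05:02 mail sshd[611]: Server listening on 0.0.0.0 port 2222.'

# Constructed /var/log/auth.log excerpt in OpenSSH's logging format.
AUTH_SAMPLE='Apr 28 09:10:01 mail sshd[700]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Apr 28 09:10:03 mail sshd[701]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr 28 09:10:05 mail sshd[702]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Apr 28 09:12:44 mail sshd[705]: Failed password for root from 198.51.100.9 port 51000 ssh2
Apr 28 11:30:12 mail sshd[802]: Accepted publickey for maksym from 192.0.2.25 port 50112 ssh2
Apr 28 11:41:50 mail sshd[810]: Accepted password for root from 203.0.113.5 port 40120 ssh2'

# Constructed /etc/ssh/sshd_config excerpt with two settings worth tightening.
SSHD_CONFIG_SAMPLE='# constructed sshd_config excerpt
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#UsePAM yes'

# arp_conflicts: one line "MAC IP interface count" per distinct host the
# kernel saw answering for an address of this machine. Reads log text on stdin.
arp_conflicts() {
    awk '/is using my IP address/ {
            for (i = 1; i <= NF; i++) if ($i == "arp:") break
            mac = $(i+1); ip = $(i+7); ifc = $(i+9); sub(/!$/, "", ifc)
            n[mac " " ip " " ifc]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# failed_logins_by_source: "source_ip attempts", noisiest source first.
failed_logins_by_source() {
    awk '/sshd\[/ && /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# accepted_logins: "user source_ip method" for each successful login, to be
# compared against the accounts and hosts the admin expects to see.
accepted_logins() {
    awk '/sshd\[/ && /Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") {
                print $(i+3), $(i+5), $(i+1); break
            }
         }'
}

# weak_sshd_settings: names the active (uncommented) directives that keep
# extra entry points open: root login over ssh and password authentication.
weak_sshd_settings() {
    awk '!/^[[:space:]]*#/ && ($1 == "PermitRootLogin" || $1 == "PasswordAuthentication") && tolower($2) == "yes" { print $1 }'
}

# On a real host feed the files instead of the samples, for example:
#   arp_conflicts < /var/log/messages
#   failed_logins_by_source < /var/log/auth.log
echo "== ARP conflicts (MAC IP interface count) =="
printf '%s\n' "$MESSAGES_SAMPLE" | arp_conflicts
echo "== Failed SSH logins by source =="
printf '%s\n' "$AUTH_SAMPLE" | failed_logins_by_source
echo "== Accepted SSH logins (user source method) =="
printf '%s\n' "$AUTH_SAMPLE" | accepted_logins
echo "== sshd_config directives to tighten =="
printf '%s\n' "$SSHD_CONFIG_SAMPLE" | weak_sshd_settings
```

The sample is built so the signal is visible: the same address that produced all the failed guesses later appears in an accepted password login for root, which is exactly the pattern the accepted-logins list exists to catch, and the sshd_config audit shows the two directives that made it possible. The ARP check only works if the kernel message reached the log, so syslogd has to be running; on FreeBSD that is controlled by syslogd_enable="YES" in /etc/rc.conf and /etc/rc.d/syslogd start. Pair these with the netstat -a -f inet check Garrett mentions: a listening socket you cannot account for is the thing to chase next.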