From owner-freebsd-questions@FreeBSD.ORG Mon Oct 18 15:38:39 2004
From: John DeStefano
To: freebsd-questions@freebsd.org
Date: Mon, 18 Oct 2004 11:38:38 -0400
Subject: ssh, daemon, and system errors
List-Id: User questions

Greetings FBSD-Q listers,

Some may recall that I (and a few other folks) reported a massive outburst of ssh connection hammerings on my FBSD 5.0-RELEASE machine a few months ago.
The connection attempts are still occurring, usually about 5-10 attempts per day, but occasionally I get a log of someone from a single IP address hammering 50-100 times, and trying to use such accounts as nobody, www, operator, and ftp. There is no record of success by any of these attempts, but I am aware that a well-educated intruder could easily have erased their tracks. Responses from the list included checking 'last' (mine was clean) and using "PermitRootLogin no" in sshd_config. I'm sure more suggestions would include invoking a jailed environment, but I've got no experience in this aside from RTFM. I still don't feel comfortable that this machine won't be broken into, if it hasn't been already, so I'm open to suggestions on how to tighten things up.

In addition to this, I'm beginning to experience some other problems on the machine--maybe related, maybe not, but it seems an odd coincidence that this stuff would begin to break now after about 2 years of near-flawless server performance. Many of these could surely be network-related, but I'm not seeing network problems with other client machines on this network:

cvsup still works perfectly; I run it once a week via crontab entry to update everything.

ddclient (my ISP assigns dynamic IP addresses) worked fine until about a week ago; since then, I get sporadic socket errors about bad host names and not being able to connect.

sshd has always been rock solid until the last few days. Since then, I'm getting timeouts when trying to connect (remotely and from the local network), no matter if I try to connect via a hostname, domain name, or IP address, but not _all_ of the time. It seems like I can connect about 1/3 of the time, but even then my sessions time out when I'm idle for a very short time, or sometimes while I'm actually typing (which is in fact what happened to me just now).

httpd performance has been just as sporadic as sshd, which is a very bad thing. I haven't changed my httpd.config in a year.

bind has never worked properly, but I am certain that issue is related only to my inexperience.

samba has been screwy. I run a local script to connect to mount_smbfs shares on the network and offer shared directories on this machine. Lately, the shares either don't get connected, or show up in my daily logs as being connected twice.

I don't run an ftp on this machine, and that's just about every network daemon I run that I can think of (without being able to connect to the machine to check).

Finally, I've not been able to update the source on this machine; I keep getting 'error code 1' exit messages, and although I am able to update the index with 'make fetchindex', 'make index' thereafter gives a similar error.

I realize none of these are addressable directly without more information and evidence. I wanted to get opinions first before flooding the list with log and config data, but I would be glad to provide the contents of any files, or any other info, on request.

This machine has never been this screwed up, so I'm thinking of trying a reinstall or upgrade, but I didn't take good notes while setting this thing up a while ago and I'm nervous about losing settings, or even worse, data. I'm also worried that I won't be able to get everything back up and running the way it was. But I suppose the alternative is to leave it as-is, and that's not working very well.

Looking forward to your thoughts.

Thanks,
~John
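The post describes repeated ssh login attempts against accounts such as nobody, www, operator and ftp, and mentions the "PermitRootLogin no" advice from the list. The following is an added example (not code from the original post or from FreeBSD) of how a defender would turn both points into a check: a parser that summarises failed and accepted sshd logins per source address from auth.log-style lines, and a reader that confirms what sshd_config actually sets. The log lines and the sshd_config fragment are constructed samples; the regexes assume the OpenSSH message formats "Failed <method> for [illegal|invalid user] <name> from <ip>" (OpenSSH 3.x wrote "illegal user", later versions write "invalid user") and "Accepted <method> for <name> from <ip>".

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log sshd lines (not taken from the post).
SAMPLE_LOG = """\
Oct 18 03:12:44 fbsd sshd[1234]: Illegal user nobody from 192.0.2.10
Oct 18 03:12:44 fbsd sshd[1234]: Failed password for illegal user nobody from 192.0.2.10 port 4321 ssh2
Oct 18 03:12:46 fbsd sshd[1236]: Illegal user www from 192.0.2.10
Oct 18 03:12:46 fbsd sshd[1236]: Failed password for illegal user www from 192.0.2.10 port 4322 ssh2
Oct 18 03:12:48 fbsd sshd[1238]: Failed password for operator from 192.0.2.10 port 4323 ssh2
Oct 18 03:12:50 fbsd sshd[1240]: Failed password for ftp from 192.0.2.10 port 4324 ssh2
Oct 18 03:12:52 fbsd sshd[1242]: Failed password for root from 192.0.2.10 port 4325 ssh2
Oct 18 09:01:10 fbsd sshd[1300]: Failed password for john from 198.51.100.7 port 2201 ssh2
Oct 18 09:01:15 fbsd sshd[1300]: Accepted password for john from 198.51.100.7 port 2201 ssh2
Oct 18 11:40:02 fbsd sshd[1402]: Accepted publickey for john from 203.0.113.5 port 50022 ssh2
"""

# Constructed sshd_config fragment; a commented-out line must not count as a setting.
SAMPLE_CONFIG = """\
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""

# "Illegal user ..." lines are logged in addition to the "Failed ..." line for the
# same attempt, so only the "Failed" line is counted to avoid double counting.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:(?:illegal|invalid) user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize_sshd_log(text, threshold=5):
    """Count failed logins per source IP and report IPs at or above threshold,
    the usernames each IP tried, root attempts, and accepted logins."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2), m.group(3)))  # (method, user, ip)
    return {
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "hammering": sorted(ip for ip, n in failures.items() if n >= threshold),
        "root_attempts_from": sorted(ip for ip, u in users_tried.items() if "root" in u),
        "accepted": accepted,
        # Successful logins from an address that also failed: worth a second look.
        "accepted_after_failures": [(user, ip) for _, user, ip in accepted if failures[ip]],
    }


WATCHED_KEYS = ("PermitRootLogin", "PasswordAuthentication")


def check_sshd_config(text):
    """Return the effective value of a few sshd_config keywords.
    sshd uses the first occurrence of a keyword, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    findings = {key: settings.get(key.lower()) for key in WATCHED_KEYS}
    value = findings["PermitRootLogin"]
    findings["root_login_disabled"] = value is not None and value.lower() == "no"
    return findings


if __name__ == "__main__":
    report = summarize_sshd_log(SAMPLE_LOG)
    for ip in report["hammering"]:
        print("%s: %d failures, tried %s" % (ip, report["failures"][ip],
                                             ", ".join(report["users_tried"][ip])))
    for user, ip in report["accepted_after_failures"]:
        print("review: accepted login for %s from %s after failures" % (user, ip))
    print(check_sshd_config(SAMPLE_CONFIG))
```

Run against the real log with `summarize_sshd_log(open("/var/log/auth.log").read())`; the per-IP username list makes the account-guessing pattern the post describes (nobody, www, operator, ftp) visible at a glance, and `accepted_after_failures` is the line to read first when checking whether any of the hammering actually got in. The `"accepted"` list is the cross-check for `last`: a login that appears in auth.log but not in `last` output is the kind of discrepancy the post worries about.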