Need your help
youshi10 at u.washington.edu
Sat Apr 28 18:44:40 UTC 2007
> Hello freebsd-questions,
> From: Maksym Kuvyklin<maximo4k at gmail.com>
> Subject: I have suspicion that somebody use my server like zombie server.
> Environment:FreeBSD mail.ukremb.com 5.5-RELEASE FreeBSD 5.5-RELEASE
> #6: Mon Apr 23 14:41:21 EDT 2007
> root at mail.ukremb.com:/usr/obj/usr/src/sys/MYKERNEL i386
> Sorry for my pure English. I am new in this community.
> I had detected that somebody tryed to penetrate via ssh into my server.
> When I had changed the port all this attempts were finished. Then server notified
> me about that somebody use my IP address and after that my network adapter had down.
> I had changed it to another one and the server had started work again. I have static IP address.
> But, now my connection is very slow. I have looked throught the logs and I had not
> found any tracks of penetration. Please, help me to solve this problem.
What I'd do is determine from another machine if there's another machine
trying to spoof your IP, and thus trying to do a man in the middle type
of attack, knowingly or unknowingly. Contact your ISP or talk with your
network admin and see if you can get the offender kicked off the network
IF you are supposed to have a static IP address. If you set the IP
address statically yourself and you don't manage your network or you
didn't get the AOK from your network managers, you are IP squatting,
which isn't a good idea in the first place, and technically you are the
one at fault for causing this issue.
If not, then you should check your machine for active connections
(netstat -a -f inet), and see if there's anything out of the ordinary
that you didn't expect to be running on your PC.
If you still can't determine anything, check /var/log/auth.log -- this
assumes you're running syslog; syslog can be turned on by going to
rc.conf, adding SYSLOG_ENABLE="YES" and then running "/etc/rc.d/syslog
start". After that, see if there are any users logging in that are
unknown to you, or should not be logging in.
Good things to think about when administering a system though:
1. Use strong passwords.
2. Turn off unnecessary services.
3. Reduce possible sources of entry into your system (ties into 2.).
Cheers and best of luck,
More information about the freebsd-questions