Re: Need your help

Sat, 28 Apr 2007 11:44:58 -0700 

maximo4k wrote:

Hello freebsd-questions,

From: Maksym Kuvyklin<[EMAIL PROTECTED]>

Subject: I have suspicion that somebody use my server like zombie server.

Environment:FreeBSD  mail.ukremb.com  5.5-RELEASE  FreeBSD 5.5-RELEASE
#6:        Mon        Apr       23       14:41:21       EDT       2007
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL i386

Description:
Sorry for my pure English. I am new in this community.
I had detected that somebody tryed to penetrate via ssh into my server.
When I had changed the port all this attempts were finished. Then server 
notified
me about that somebody use my IP address and after that my network adapter had 
down.
I had changed it to another one and the server had started work again. I have 
static IP address.
But, now my connection is very slow. I have looked throught the logs and I had 
not
found any tracks of penetration. Please, help me to solve this problem.
What I'd do is determine from another machine if there's another machine trying to spoof your IP, and thus trying to do a man in the middle type of attack, knowingly or unknowingly. Contact your ISP or talk with your network admin and see if you can get the offender kicked off the network IF you are supposed to have a static IP address. If you set the IP address statically yourself and you don't manage your network or you didn't get the AOK from your network managers, you are IP squatting, which isn't a good idea in the first place, and technically you are the one at fault for causing this issue.
If not, then you should check your machine for active connections (netstat -a -f inet), and see if there's anything out of the ordinary that you didn't expect to be running on your PC.
If you still can't determine anything, check /var/log/auth.log -- this assumes you're running syslog; syslog can be turned on by going to rc.conf, adding SYSLOG_ENABLE="YES" and then running "/etc/rc.d/syslog start". After that, see if there are any users logging in that are unknown to you, or should not be logging in. 

Good things to think about when administering a system though:
1. Use strong passwords.
2. Turn off unnecessary services.
3. Reduce possible sources of entry into your system (ties into 2.).

Cheers and best of luck,

-Garrett
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to