I just did a 'netstat -a' on my FreeBSD machine. I discovered the following:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 40 turban.ssh host90.embarqser.60230 ESTABLISHED
tcp4 0 0 turban.ssh host90.embarqser.59985 LAST_ACK
tcp4 0 0 turban.ssh host90.embarqser.47224 TIME_WAIT
tcp4 0 0 turban.ssh host90.embarqser.9304 LAST_ACK
Could there be someone intruding my machine? My hostname is 'turban' as you can see. I'm really 'new' about system security. Could someone enlighten me?
From /var/log/auth.log, a lot of errors like:
May 4 20:07:10 turban sshd[47801]: Failed keyboard-interactive/pam for invalid user backup from 76.7.43.90 port 11831 ssh2
May 4 20:07:13 turban sshd[47804]: error: PAM: authentication error for bin from 76.7.43.90...
a netstat -an is better, gives IP addresses instead of names. – nik – 2011-05-04T12:30:40.383
Hi, I did a netstat -an as you suggested. This is what I found out. http://dawhois.com/traceroute/?query=76.7.43.90 host90.embarqservices.net is connecting to my machine! This is an IP from USA. Really weird! – will – 2011-05-04T12:34:38.900
It's hard to know whether you have a problem from the information posted. Did you connect to anyone through ssh? Are you running a sshd? Do you allow anyone to connect from outside? What is the output of last(1)? What is the output of w(1)? What processes are revealed by (for instance) "ps aux"? – CarlF – 2011-05-04T12:36:12.283
last and w yield IPs which I can recognize. Probably someone is trying to log in my machine. – will – 2011-05-04T12:43:38.783
Not exactly what you're looking for, but perhaps still a good read: http://superuser.com/questions/244214/what-are-possible-security-issues-with-an-ssh-daemon/244234#244234
– BloodPhilia – 2011-05-04T17:12:50.607
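
Added example, not part of the original thread: a Python script that tallies sshd authentication failures per source address from auth.log lines like those quoted in the question, and lists any source that also has an "Accepted" login, which is the case worth investigating. The first two sample lines are the ones from the question; the remaining lines, the addresses 192.0.2.10 and 203.0.113.7, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are quoted in the question; the rest
# are made up (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = """\
May 4 20:07:10 turban sshd[47801]: Failed keyboard-interactive/pam for invalid user backup from 76.7.43.90 port 11831 ssh2
May 4 20:07:13 turban sshd[47804]: error: PAM: authentication error for bin from 76.7.43.90...
May 4 20:07:19 turban sshd[47810]: Failed password for root from 76.7.43.90 port 11902 ssh2
May 4 20:09:41 turban sshd[47850]: Accepted publickey for will from 192.0.2.10 port 50022 ssh2
May 4 20:11:02 turban sshd[47866]: Failed password for will from 203.0.113.7 port 40110 ssh2
May 4 20:11:09 turban sshd[47866]: Accepted password for will from 203.0.113.7 port 40110 ssh2
"""

# Each pattern captures (user, source) from one sshd message shape.
FAILED_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user |illegal user )?(\S+) from (\S+)"),
    re.compile(r"sshd\[\d+\]: error: PAM: authentication error for (?:illegal user )?(\S+) from (\S+)"),
]
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")

def summarize(log_text):
    """Return {source: {"failed": n, "users_tried": set, "accepted": [users]}}."""
    report = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            report[src.rstrip(".")]["accepted"].append(user)
            continue
        for pat in FAILED_PATTERNS:
            m = pat.search(line)
            if m:
                user, src = m.groups()
                entry = report[src.rstrip(".")]  # drop a trailing "..." after the address
                entry["failed"] += 1
                entry["users_tried"].add(user)
                break
    return dict(report)

def sources_needing_attention(report):
    """Sources with at least one failure that also logged in successfully."""
    return sorted(src for src, e in report.items() if e["failed"] and e["accepted"])

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src, e in sorted(rep.items()):
        print(src, e["failed"], sorted(e["users_tried"]), e["accepted"])
    print("failed and accepted:", sources_needing_attention(rep))
```

A source with only failures, like 76.7.43.90 in the sample, shows attempts rather than access; comparing the "Accepted" sources against the addresses reported by last and w is the check the comments above point to.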