zoomzoom (Guru; joined Sep 6, 2015; 677 messages)
I'm not sure when it occurred, but more than likely at some point in the past 2 months an intruder was able to gain access to my server; however, I'm not sure which logs should be looked at to verify.
I went to log into the web gui today and it wouldn't accept the root password, and even though I was able to give the command passwd via SSH and change it to something else, it was still refused by the web gui. After a few minutes of repeatedly changing the password via SSH and having it refused by the web gui, I logged in to the server console via IPMI and changed it, which was then accepted by the web gui.
In combination with the above, the reason I'm concerned the server was breached from the WAN is that around 2 months ago I was looking at setting up OpenVPN in a jail, since I could get far better performance from a VPN installed on the server vs. the current setup through my router. I was in the middle of configuring everything and had set up DDNS on the server when something came up for a few days, and I completely forgot I had enabled DDNS.
I'd like to understand what occurred and was hoping someone could point me in the right direction as to what logs to read to determine if a breach did occur and, if so, how to track down when it occurred and how many times the system was accessed due to the breach.
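The question above asks which logs show whether, when and how often an outside party logged in. On a FreeBSD-based system such as this one, sshd writes its "Accepted ..." and "Failed password ..." lines to /var/log/auth.log, so that file (together with the output of `last`) is the first place to look for SSH access from unexpected addresses. Below is an added example, not code from the original post or from the FreeNAS project, that parses that sshd log format, tallies failures and successes per source address, and flags successful logins from outside an assumed trusted range (192.168.x.x here, an assumption you would replace with your own LAN). The log lines are constructed for the example; the TEST-NET address 203.0.113.45 stands in for an arbitrary Internet host. Web GUI logins are not covered by these sshd lines, so this only answers the SSH part of the question.

```python
import re
from collections import defaultdict

# Constructed sample lines in FreeBSD /var/log/auth.log sshd format; not taken from any real system.
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:07 freenas sshd[4121]: Accepted publickey for admin from 192.168.1.20 port 50211 ssh2
Mar  9 23:58:01 freenas sshd[7710]: Invalid user test from 203.0.113.45
Mar  9 23:58:04 freenas sshd[7710]: Failed password for invalid user test from 203.0.113.45 port 40122 ssh2
Mar  9 23:58:09 freenas sshd[7714]: Failed password for root from 203.0.113.45 port 40130 ssh2
Mar  9 23:58:13 freenas sshd[7718]: Failed password for root from 203.0.113.45 port 40141 ssh2
Mar  9 23:58:20 freenas sshd[7722]: Accepted password for root from 203.0.113.45 port 40150 ssh2
Mar 10 08:30:45 freenas sshd[8001]: Accepted password for root from 192.168.1.20 port 50990 ssh2
"""

# Matches the syslog timestamp, host, sshd pid, outcome, auth method, user and source IP.
# "Invalid user ..." lines carry no outcome and are skipped; the matching "Failed password
# for invalid user ..." line that follows is what gets counted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_events(text):
    """Return a list of dicts (ts, event, method, user, ip) for every sshd auth outcome line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_ip(events):
    """Per source IP: number of failed and accepted logins and the set of usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for e in events:
        entry = summary[e["ip"]]
        entry[e["event"].lower()] += 1
        entry["users"].add(e["user"])
    return dict(summary)


def successful_logins(events):
    """Chronological list of (timestamp, user, ip, method) for accepted logins: the 'when' and 'how many'."""
    return [(e["ts"], e["user"], e["ip"], e["method"]) for e in events if e["event"] == "Accepted"]


def suspicious_sources(events, trusted_prefixes=("192.168.",), fail_threshold=2):
    """Sources outside the assumed trusted range that got in, noting a preceding burst of failures.

    trusted_prefixes is an assumption standing in for the reader's own LAN ranges.
    """
    flagged = []
    for ip, s in summarize_by_ip(events).items():
        if ip.startswith(trusted_prefixes) or s["accepted"] == 0:
            continue
        if s["failed"] >= fail_threshold:
            reason = "success after %d failures" % s["failed"]
        else:
            reason = "success from untrusted source"
        flagged.append((ip, reason))
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for ts, user, ip, method in successful_logins(evs):
        print("%s  %-6s %-15s %s" % (ts, user, ip, method))
    for ip, reason in suspicious_sources(evs):
        print("FLAG %s: %s" % (ip, reason))
```

Run it against the real file with `parse_sshd_events(open("/var/log/auth.log").read())`; rotated copies (auth.log.0.bz2 and so on) cover the older part of the two-month window. A successful login from an address you do not recognise, especially one preceded by a run of failures, is the event to pin down, and the timestamp on that line is the earliest point from which to treat the system as compromised.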