thagrol wrote: ↑
Thu Feb 09, 2023 12:58 pm
hortimech wrote: ↑
Thu Feb 09, 2023 10:04 am
RottenRonnie wrote: ↑
Wed Feb 08, 2023 3:13 pm
I don't believe I have. I'm sitting at the office accessing headless via ssh at the moment.
Could that mean that you are in place 'A' and the pi is in place 'B' and you are connecting via the internet rather than a lan ?
If that is the case, you could have been hacked.
Especially if the OP has exposed ssh to the internet while using the (old) default username and password.
Guilty of using the pi user, but I changed the password to a complex one, use fail2ban and other limits in sshd_config such as AllowUsers and PAM = no, with ed25519 key exchange on a non standard port. /var/log/auth.log shows only accesses from two recognized external IPs. I would like to rule out hacked.
Is there a method for tracking down what started the process? To investigate the process itself?
The samba log config is bit of a rum go, as it logs by ip by default, and only a couple logs have content there. I tried setting it to log by share yesterday, but I don't think I succeeded and will revert the changes to the smb.conf.
Code: Select all
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# log file = /var/log/samba/%S.log