Warning: Remote Host Identification

A.Fadyushin at it-centre.ru A.Fadyushin at it-centre.ru
Tue Oct 31 14:31:30 UTC 2006



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Budi Febrianto
> Sent: Tuesday, October 31, 2006 8:01 AM
> To: General Red Hat Linux discussion list
> Subject: WTA: Warning: Remote Host Identification
> 
> Dear All,
> 
> I have 3 linux servers, where 1 server (gateway server) has the ssh port
> open for the public, while the other two are closed; only the smtp port
> is open for the public.
> This week I manage the servers from mobile with my notebook, which has
> opensuse 10 installed.
> First I login to the gateway server, then after that I login to the
> other servers.
> But one day, after I successfully logged in to the gateway server, and
> when trying to login to another server, I got this warning.
> 
>  >>>>>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> b4:10:fb:f9:3d:04:b8:86:44:f7:2e:ba:b7:41:82:7c.
> Please contact your system administrator.
> Add correct host key in /root/.ssh/known_hosts to get rid of this message.
> Offending key in /root/.ssh/known_hosts:6
> RSA host key for abc.xyz.com has changed and you have requested strict
> checking.
> Host key verification failed.
>  >>>>>
> 
> Does this mean that my gateway server is under attack, or that my other
> servers are under attack?
> While remote, the connection was bad; I had several dropped connections.
> Can this be the cause of the problem?
> 
> The other servers are smtp servers, and only open the smtp port for the
> public.
> 
> Best Regards

This means that the SSH server key, which is kept on the server in one of
the SSH configuration files, has changed since the last time you accessed
that server via SSH - i.e. somebody reinstalled SSH on the server or
regenerated its key. It is hard to imagine a hacker who would change
the server key on the hacked computer, because this would lead to faster
detection of the attack.

In the other case it may be possible that you are actually connected not
to the server you expected to connect to. It means that the host name
abc.xyz.com no longer points to the same computer as the last time
you accessed it. This may be due to changes in DNS or routing
configuration. Generally, you should not enter your password to log in
to the server until you are absolutely sure that the changes which
led to connecting to the other computer instead of the expected one are
legitimate and not caused by hacked DNS or routing tables. If you are
redirected to another computer as a result of a hacker's attack and
enter the SSH password, it could be retained by the hacker and later used
by him to log in to your server.

Alexey B. Fadyushin
Brainbench MVP for Linux
http://www.brainbench.com
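As an added example (not part of this thread), the following Python reproduces offline the comparison OpenSSH makes before printing that warning: it hashes the key recorded in known_hosts for the host name and compares the MD5 colon-separated fingerprint (the format shown in the quoted warning; newer OpenSSH prints it with `ssh-keygen -l -E md5`) against the one the server offered. The host names and key blobs are constructed placeholders, not real keys.

```python
"""Offline re-creation of the known_hosts comparison behind the warning above."""
import base64
import hashlib

def _fake_key(label: bytes) -> str:
    # Placeholder key blob (NOT a real RSA key) so the example runs offline.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()

# Constructed known_hosts excerpt; hosts and keys are invented for the demo.
# abc.xyz.com deliberately sits on line 6, like "known_hosts:6" in the warning.
KNOWN_HOSTS = (
    f"gateway.example.test ssh-rsa {_fake_key(b'gateway')}\n"
    "# comment lines and blank lines are ignored by OpenSSH\n"
    "\n"
    f"mail1.example.test ssh-rsa {_fake_key(b'mail1')}\n"
    f"mail2.example.test ssh-rsa {_fake_key(b'mail2')}\n"
    f"abc.xyz.com,10.0.0.6 ssh-rsa {_fake_key(b'abcxyz')}\n"
)

def md5_fingerprint(key_blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the wire-format key, colon-separated."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text: str):
    """Yield (line_no, names, keytype, blob) for plain entries; hashed (|1|...)
    entries and @cert-authority / @revoked markers are skipped."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        yield line_no, fields[0].split(","), fields[1], base64.b64decode(fields[2])

def check_offered_key(text: str, host: str, offered_fp: str,
                      keytype: str = "ssh-rsa") -> tuple:
    """Compare the fingerprint a server offered with the one recorded for host.
    Returns ("match" | "changed" | "unknown", known_hosts line number or None).
    "changed" is the case that triggers the warning: confirm the new fingerprint
    out of band (e.g. on the server console) before touching known_hosts."""
    for line_no, names, ktype, blob in parse_known_hosts(text):
        if host in names and ktype == keytype:
            verdict = "match" if md5_fingerprint(blob) == offered_fp.lower() else "changed"
            return verdict, line_no
    return "unknown", None

if __name__ == "__main__":
    # Fingerprint quoted in the warning; it will not match the constructed key.
    print(check_offered_key(KNOWN_HOSTS, "abc.xyz.com",
                            "b4:10:fb:f9:3d:04:b8:86:44:f7:2e:ba:b7:41:82:7c"))
```

The line number returned for "changed" is the same one OpenSSH reports as "Offending key in .../known_hosts:N", so the stale entry can be located without guessing.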