[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Warning: Remote Host Identification

> -----Original Message-----
> From: redhat-list-bounces redhat com [mailto:redhat-list-
> bounces redhat com] On Behalf Of Budi Febrianto
> Sent: Tuesday, October 31, 2006 8:01 AM
> To: General Red Hat Linux discussion list
> Subject: WTA: Warning: Remote Host Identification
> Dear All,
> I have 3 linux server, where 1 server (gateway server) the ssh port
> for the public, while the other two is closed, only smtp port is open
> for public.
> This week I manage the servers from mobile with my notebook installed
> opensuse 10.
> First I login to gateway server, then after that I login to the other
> servers.
> But one day, after I successfully loged to the gateway server, and
> trying to login to another server, I have this warning.
>  >>>>>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> b4:10:fb:f9:3d:04:b8:86:44:f7:2e:ba:b7:41:82:7c.
> Please contact your system administrator.
> Add correct host key in /root/.ssh/known_hosts to get rid of this
> Offending key in /root/.ssh/known_hosts:6
> RSA host key for abc.xyz.com has changed and you have requested strict
> checking.
> Host key verification failed.
>  >>>>>
> This mean that my gateway server is under attack, or my others server
> under attack?
> While remote, the connection is bad, I had several drops connections.
> Can this cause of the problem?
> The others server are smtp server, an only open smtp port for public.
> Best Regards

This means that the SSH server key which is kept on the server in one of
the SSH configuration files has changed since the last time you accessed
that server via SSH - i.e. somebody reinstalled SSH on the server or
regenerated its key. It is hard to imagine the hacker who will change
the server key on the hacked computer because this will lead to faster
detection of attack.

In the other case it may be possible that you are actually connected not
to the server you expected to connect to. It means that the host name
abc.xyz.com is no longer point to the same computer as at the last time
you accessed it. This may be due to changes in DNS or routing
configuration. Generally, you should not enter your password to login
into the server until you are absolutely sure that the changes which
lead to connecting to the other computer instead of expected one are
legitimate and not caused by hacked DNS or routing tables. If you are
redirected to another computer as a result of a hacker's attack and
enter the SSH password it could be retained by the hacker and later used
by him to login into your server.

Alexey B. Fadyushin
Brainbench MVP for Linux

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]