This morning's log review revealed this sshd log entry on one of our web services hosts:
Received disconnect:
    11: disconnected by user : 2 Time(s)
    3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 : 1 Time(s)
The IP address used is that of a public-facing database query page for our freight transit information. It is itself a virtual IP address hosted on the system reporting the error. In other words, if this were a legitimate connection, then the situation would be that of an ssh client connecting to an sshd server running on the same host, albeit each using a different IP address. In other words, the hostkeys would be identical.
It seems to me that someone attempted an ssh connection while spoofing our internal address. Is such a thing even possible? If so, then how does it work?
What is com.jcraft.jsch?