This morning's log review revealed this sshd log entry on one of our web services hosts:
Received disconnect: 11: disconnected by user : 2 Time(s) 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 : 1 Time(s)
The IP address used is that of a public facing database query page for our freight transit information. It is itself a virtual IP address hosted on the system reporting the error. In other words, if this were a legitimate connection then the situation would be that of an ssh client connecting to an sshd server running on the same host albeit each using a different IP address. In other words, the hostkeys would be identical.
It seems to me that someone attempted an ssh connection while spoofing our internal address. Is such a thing even possible? If so then how does it work?
What is com.jcraft.jsch?
well. sounds like some automatic deploytment tool? error ip ip address or other configuration failure?
http://stackoverflow.com/questions/6356212/ant-scp-task-failure
-- Eero
2015-09-21 11:29 GMT+03:00 James B. Byrne byrnejb@harte-lyne.ca:
This morning's log review revealed this sshd log entry on one of our web services hosts:
Received disconnect: 11: disconnected by user : 2 Time(s) 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 : 1 Time(s)
The IP address used is that of a public facing database query page for our freight transit information. It is itself a virtual IP address hosted on the system reporting the error. In other words, if this were a legitimate connection then the situation would be that of an ssh client connecting to an sshd server running on the same host albeit each using a different IP address. In other words, the hostkeys would be identical.
It seems to me that someone attempted an ssh connection while spoofing our internal address. Is such a thing even possible? If so then how does it work?
What is com.jcraft.jsch?
-- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail James B. Byrne mailto:ByrneJB@Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
In other words, the hostkeys would be identical.
I think what the error indicates is that a client tried to connect to SSH, and the host key there did not match the fingerprint in the client's "known_hosts" database.
It seems to me that someone attempted an ssh connection while spoofing our internal address. Is such a thing even possible? If so then how does it work?
In the situation as you've described it, probably not.
It would be best to go to your logs themselves for the full log entry and context, rather than relying on a report that summarizes log entries.
Gordon Messmer wrote:
In other words, the hostkeys would be identical.
I think what the error indicates is that a client tried to connect to SSH, and the host key there did not match the fingerprint in the client's "known_hosts" database.
It seems to me that someone attempted an ssh connection while spoofing our internal address. Is such a thing even possible? If so then how does it work?
In the situation as you've described it, probably not.
It would be best to go to your logs themselves for the full log entry and context, rather than relying on a report that summarizes log entries.
Looks like someone trying to break in. You *are* running fail2ban, are you not? If not, you need to install and fire it up, now.
I see a *lot* of this... but then, I work for a US gov't federal contractor (civilian sector), and let me assure you, I get tired of all the attempts from China, Brazil, and other places trying to ssh in - it really clutters my logfiles.
mark