[CentOS] CentOS6 - Break in attempt? What is the Exploit?

Mon Sep 21 19:37:00 UTC 2015
m.roth at 5-cent.us <m.roth at 5-cent.us>

Gordon Messmer wrote:
>
>>> In other words, the
>>> hostkeys would be identical.
>
> I think what the error indicates is that a client tried to connect to
> SSH, and the host key there did not match the fingerprint in the
> client's "known_hosts" database.
>
>>> It seems to me that someone attempted an ssh connection while spoofing
>>> our internal address.  Is such a thing even possible? If so then how
>>> does it work?
>
> In the situation as you've described it, probably not.
>
> It would be best to go to your logs themselves for the full log entry
> and context, rather than relying on a report that summarizes log entries.

Looks like someone trying to break in. You *are* running fail2ban, are you
not? If not, you need to install and fire it up, now.

I see a *lot* of this... but then, I work for a US gov't federal
contractor (civilian sector), and let me assure you, I get tired of all
the attempts from China, Brazil, and other places trying to ssh in - it
really clutters my logfiles.

         mark