This morning's log review revealed this sshd log entry on one of our
web services hosts:
Received disconnect:
11: disconnected by user : 2 Time(s)
3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 :
1 Time(s)
The IP address used is that of a public facing database query page for
our freight transit information. It is itself a virtual IP address
hosted on the system reporting the error. In other words, if this
were a legitimate connection then the situation would be that of an
ssh client connecting to an sshd server running on the same host
albeit each using a different IP address. In other words, the
hostkeys would be identical.
It seems to me that someone attempted an ssh connection while spoofing
our internal address. Is such a thing even possible? If so then how
does it work?
What is com.jcraft.jsch?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3