LinuxQuestions.org

Linux - Security: Ssh Compromised!!???help!!! (http://www.linuxquestions.org/questions/linux-security-4/ssh-compromised-help-19674/)

Savedadogs 04-28-2002 04:18 PM

Ssh Compromised!!???help!!!
 
Please someone help me I am a newbie. I had set up the ssh daemon on my RedHat Linux 7.2 server last week. I used openssh. I created the keys and was able to login to my server through my LAN:

ssh 192.168.1.05.

Here is what happens now when I try to ssh:

[root@localhost root]# ssh 192.168.1.105
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 192.168.1.105 has changed and you have requested strict checking.
Host key verification failed.


WHAT IS GOING ON??? Has someone compromised my machine? I was also able to ssh from the outside world to my machine last week. I have a dynamic IP. All incoming ssh connections (port 22) are forwarded to 192.168.1.105, my linux server. Please HELP!

Savedadogs 04-28-2002 05:37 PM

Can anyone help???

unSpawn 04-28-2002 08:00 PM

This happens sometimes when the host key changed; if so, and you can verify the host *is* the host you're connecting to, open your ~/.ssh/known_hosts and delete the key.

OTOH, from what I've seen (you using RSA instead of DSA) *if* you're using SSH1 with Protocol 1, please verify your installed package and then upgrade to OpenSSH-2 Protocol 2 (don't specify "Protocol 2,1" in sshd_config). SSH1 *is definitely* way too old. If you're using OpenSSH2 with Protocol 1, change it to Protocol 2.

Verifying your package is best done through Aide or Tripwire (if you installed it); it can somewhat be done through rpm, but that can be tampered with or corrupted or show false positives ("rpm --verify <installedpackagename>"). As an extra check you can try chkrootkit(.org), which is able to scan binaries for some well-known rootkit signs. And look through your sshd's logfiles for weird logins as well, if any.
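The check unSpawn describes, as an added example that is not from the thread: read the host key's fingerprint on the server's own console (e.g. `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`), compare it with the fingerprint in the warning, and only if they match drop the stale known_hosts entry. The known_hosts contents and key blobs below are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed sample known_hosts (protocol-2 "host keytype base64" lines);
# the key blobs are base64 of placeholder bytes, not real RSA keys.
NEW_KEY_B64 = base64.b64encode(b"new-host-key-placeholder").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.168.1.105 ssh-rsa " + base64.b64encode(b"old-host-key-placeholder").decode(),
    "10.0.0.7 ssh-rsa " + base64.b64encode(b"unrelated-host-key").decode(),
]) + "\n"

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint, the xx:xx:... form OpenSSH of that era printed."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def find_entries(known_hosts_text, host):
    """Return (line_no, key_type, fingerprint) for every protocol-2 entry naming host."""
    hits = []
    for line_no, line in enumerate(known_hosts_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 3 or line.startswith("#") or not parts[1].startswith("ssh-"):
            continue  # blank, comment, or old protocol-1 "host bits exp mod" entry
        if host in parts[0].split(","):
            hits.append((line_no, parts[1], md5_fingerprint(parts[2])))
    return hits

def decide(known_hosts_text, host, warning_fingerprint, console_fingerprint):
    """Only remove the stale entry once the warning's fingerprint matches the console's."""
    if warning_fingerprint.lower() != console_fingerprint.lower():
        # Fingerprints differ: the key the client saw is not the server's; do not connect.
        return "mismatch: do not connect, investigate", known_hosts_text
    stale = {ln for ln, _, _ in find_entries(known_hosts_text, host)}
    kept = [l for i, l in enumerate(known_hosts_text.splitlines(keepends=True), start=1)
            if i not in stale]
    return "verified: stale entry removed", "".join(kept)

if __name__ == "__main__":
    fp = md5_fingerprint(NEW_KEY_B64)  # stands in for the fingerprint in the warning
    status, updated = decide(SAMPLE_KNOWN_HOSTS, "192.168.1.105", fp, fp)
    print(status)
    print(updated)
```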

dovkruger 01-23-2004 03:32 PM

Server address is changing
 
You said it yourself. You have dynamic IP addressing.
That means from the outside world, your machine looks like it is changing IP addresses.
So each time you reach a different one, your ssh client is warning you that the underlying address is changing.

katmai90210 02-03-2004 09:47 AM

rm -rf /etc/.ssh
then log in and all will work just fine

chort 02-03-2004 01:55 PM

Quote:

Originally posted by katmai90210
rm -rf /etc/.ssh
then log in and all will work just fine

You must be joking. Do NOT do this. If you're positive that your connection is not being hijacked, you should edit ~/.ssh/known_hosts like unSpawn said.

By the way, Savedadogs why are you ssh'ing as root? It's really not recommended to perform such tasks as root, since logging into a remote host does not require you to be root locally.

To dovkruger, the outside IP being dynamic has nothing to do with it. He's logging in from the LAN to the internal IP, which hasn't changed.

IIRC, when a host is rebooted its key may be regenerated (I can't remember for sure), so it's possible that it was changed.

katmai90210 02-03-2004 05:54 PM

lol as i said being too paranoid is waste of time sometimes ... yo speak like we're being in a war in here ... and what should he do ? edit the /etc/.ssh file each time ? c'mon get serious ... i am taking security in serious but .. we got to be realistic sometimes .. doh !

chort 02-03-2004 06:07 PM

Well what good is security if you just ignore all warnings? You might as well use telnet... The warnings are there for good reason.

katmai90210 02-04-2004 08:26 AM

i don't ignore warnings but i am realistic ... no hacker would show interest for data transmitted on a small network ... or very unknown server ... you got to take into consideration all facts ... upgrade the ssh daemon ... see if you still get that warning ... be realistic not paranoid ...

Capt_Caveman 02-04-2004 09:15 AM

That's really naive to think that just because you're on a small network a cracker wouldn't show interest because you're a "small fish". The majority of times it's a target of opportunity that attracts a cracker; that's why you see so many automated scans and rooters. Using telnet is a really big mistake, especially if you're ever logging in remotely as root. With the prevalence of sniffers today (esp. as part of rootkits) you should avoid protocols that transmit plain-text logins when you have a choice of using an encrypted protocol instead. In most cases, that's usually an option.

frieza 02-04-2004 10:25 AM

capt_caveman is right, i've seen a good example of that.... while i was taking an introductory unix class at the local community college, someone rooted the Linux box we used to do all our assignments.... that one was a pain we were all locked out of our accounts by the cracker

katmai90210 02-04-2004 10:28 AM

as i said i don't say to ignore all warnings and stuff .. but each time to hook up on the same problem ... that's paranoidism ... don't use telnet lol :) that 's antique ... but if you checked and double checked the server and there is nothing wrong then u won't do it forever .. hook up only on that ssh key stuff ...

nidputerguy 02-10-2004 01:48 AM

If your network is up 24-7 you need to pay attention. The first thing a real hacker does is find a network like yours that he can use to attack other networks. He covers his tracks on your box. When the FBI comes looking all they find is you. His tracks are erased. Yeh you might want to pay attention to security.
