Please, someone help me, I am a newbie. I had set up the ssh daemon on my RedHat Linux 7.2 server last week. I used OpenSSH. I created the keys and was able to log in to my server through my LAN:
Here is what happens now when I try to ssh:
[root@localhost root]# ssh 192.168.1.105
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 192.168.1.105 has changed and you have requested strict checking.
Host key verification failed.
WHAT IS GOING ON??? Has someone compromised my machine? I was also able to ssh from the outside world to my machine last week. I have a dynamic IP. All incoming ssh connections (port 22) are forwarded to 192.168.1.105, my Linux server. Please HELP!
This happens sometimes when the host key has changed. If so, and you can verify the host *is* the host you're connecting to, open your ~/.ssh/known_hosts and delete the key.
OTOH, from what I've seen (you're using RSA instead of DSA), *if* you're using SSH1 with Protocol 1, please verify your installed package and then upgrade to OpenSSH-2 Protocol 2 (don't specify "Protocol 2,1" in sshd_config). SSH1 *is definitely* way too old. If you're using OpenSSH2 with Protocol 1, change it to Protocol 2.
Verifying your package is best done through Aide or Tripwire (if you installed it); it can somewhat be done through rpm, but that can be tampered with or corrupted or show false positives ("rpm --verify <installedpackagename>"). As an extra check you can try chkrootkit(.org), which is able to scan binaries for some well-known rootkit signs. And look through your sshd's logfiles for weird logins as well, if any.
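The check the post above describes ("verify the host *is* the host you're connecting to" before deleting the key) can be made mechanical. The following is an added example, not code from the thread or from OpenSSH: it parses the "Offending key in FILE:N" line of the warning, computes the fingerprint of the entry the client still remembers, and compares three fingerprints: the remembered one, the one the remote end just presented (copied from the warning), and the one the real server reports about itself when you run `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` at its own console. The stale line is dropped only when the presented key is the real server's key; if the console still reports the remembered key, whatever answered on port 22 was not your server and nothing should be deleted. The OpenSSH of that era printed colon-separated MD5 hex fingerprints; modern OpenSSH prints `SHA256:` base64, so both forms are handled. The known_hosts entries and fingerprints below are constructed for the demonstration and are not real keys.

```python
"""Verify a changed SSH host key before trusting it (added example)."""
import base64
import hashlib
import re

OFFENDING_RE = re.compile(r"Offending key in (?P<path>\S+):(?P<line>\d+)")
_MD5_HEX = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){15}$", re.IGNORECASE)


def parse_offending(warning: str):
    """Return (path, 1-based line number) from the client's warning text."""
    m = OFFENDING_RE.search(warning)
    if not m:
        raise ValueError("no 'Offending key in FILE:N' line in warning")
    return m.group("path"), int(m.group("line"))


def parse_known_hosts_line(line: str):
    """Split one plain known_hosts entry into (hosts, keytype, raw key blob).

    Hashed (|1|...) entries and @marker lines are not handled here."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    return fields[0].split(","), fields[1], base64.b64decode(fields[2])


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex MD5 of the key blob, as OpenSSH 3.x printed it."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' plus unpadded base64 of the digest, as modern OpenSSH prints."""
    d = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(d).decode().rstrip("=")


def _norm(fp: str) -> str:
    """Strip an optional MD5:/SHA256: prefix; hex (MD5) compares case-insensitively."""
    fp = fp.strip()
    for prefix in ("MD5:", "SHA256:"):
        if fp[:len(prefix)].upper() == prefix:
            fp = fp[len(prefix):]
            break
    return fp.lower() if _MD5_HEX.match(fp) else fp


def fingerprints_match(a: str, b: str) -> bool:
    return _norm(a) == _norm(b)


def decide(known_hosts_text: str, warning: str, presented_fp: str, console_fp: str):
    """Compare remembered, presented and console fingerprints.

    Returns (verdict, known_hosts text afterwards). The offending line is
    removed only when the key the remote end presented is the key the real
    server reports at its own console (what `ssh-keygen -R host` removes
    on newer OpenSSH, but only after the out-of-band check)."""
    path, lineno = parse_offending(warning)
    lines = known_hosts_text.splitlines()
    if not 1 <= lineno <= len(lines):
        raise ValueError(f"{path}:{lineno} is outside the file")
    _, _, blob = parse_known_hosts_line(lines[lineno - 1])
    remembered = (fingerprint_md5(blob), fingerprint_sha256(blob))
    if any(fingerprints_match(console_fp, fp) for fp in remembered):
        # The real server still holds the key we remember, so the new key
        # came from something else (MITM, wrong port forward, another box).
        return "refuse: remote key is not the server's own key", known_hosts_text
    if fingerprints_match(console_fp, presented_fp):
        # Key was legitimately regenerated (reinstall, ssh-keygen rerun).
        remaining = lines[:lineno - 1] + lines[lineno:]
        return "replace: stale entry removed", "\n".join(remaining) + "\n"
    return "refuse: console fingerprint matches neither key", known_hosts_text


# Constructed sample data: the "key" is just base64 of the bytes 'abc' so the
# MD5 fingerprint (90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72) is checkable.
SAMPLE_KNOWN_HOSTS = "192.168.1.105 ssh-rsa YWJj\ngateway,10.0.0.1 ssh-rsa YWJk\n"
SAMPLE_WARNING = (
    "@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\n"
    "Offending key in /root/.ssh/known_hosts:1\n"
    "RSA host key for 192.168.1.105 has changed and you have requested strict checking.\n"
)
PRESENTED_FP = "de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb"  # constructed

if __name__ == "__main__":
    old_blob = parse_known_hosts_line(SAMPLE_KNOWN_HOSTS.splitlines()[0])[2]
    print("remembered:", fingerprint_md5(old_blob))
    # console agrees with the remembered key: the remote end is not our server
    print(decide(SAMPLE_KNOWN_HOSTS, SAMPLE_WARNING, PRESENTED_FP, fingerprint_md5(old_blob))[0])
    # console agrees with the presented key: the key really was regenerated
    print(decide(SAMPLE_KNOWN_HOSTS, SAMPLE_WARNING, PRESENTED_FP, PRESENTED_FP)[0])
```

Run it as `python3 hostkey_check.py`, then feed `decide()` your real ~/.ssh/known_hosts contents, the warning text, and the two fingerprints. The "refuse" path is the important one: deleting the line from known_hosts just because ssh complains is exactly the step that turns a warning into a silently accepted man-in-the-middle.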
You said it yourself. You have dynamic IP addressing.
That means from the outside world, your machine looks like it is changing IP addresses.
So each time you reach a different one, your ssh client is warning you that the underlying address is changing.
lol, as I said, being too paranoid is a waste of time sometimes ... you speak like we're in a war here ... and what should he do? Edit the /etc/.ssh file each time? C'mon, get serious ... I take security seriously, but ... we've got to be realistic sometimes .. doh!
I don't ignore warnings, but I am realistic ... no hacker would show interest in data transmitted on a small network ... or a very unknown server ... you've got to take all the facts into consideration ... upgrade the ssh daemon ... see if you still get that warning ... be realistic, not paranoid ...
That's really naive to think that just because you're on a small network a cracker wouldn't show interest because you're a "small fish". The majority of the time it's a target of opportunity that attracts a cracker; that's why you see so many automated scans and rooters. Using telnet is a really big mistake, especially if you're ever logging in remotely as root. With the prevalence of sniffers today (esp. as part of rootkits) you should avoid protocols that transmit plain-text logins when you have the choice of using an encrypted protocol instead. In most cases, that's usually an option.
capt_caveman is right, I've seen a good example of that.... while I was taking an introductory Unix class at the local community college, someone rooted the Linux box we used to do all our assignments.... that one was a pain; we were all locked out of our accounts by the cracker.
As I said, I don't say to ignore all warnings and stuff .. but getting hung up each time on the same problem ... that's paranoia ... don't use telnet lol, that's antique ... but if you checked and double-checked the server and there is nothing wrong, then you won't do it forever .. get hung up only on that ssh key stuff ...
If your network is up 24/7 you need to pay attention. The first thing a real hacker does is find a network like yours that he can use to attack other networks. He covers his tracks on your box. When the FBI comes looking, all they find is you. His tracks are erased. Yeah, you might want to pay attention to security.