LinuxQuestions.org

Linux - Security: Need help finding if I have been ARP-poisoned (https://www.linuxquestions.org/questions/linux-security-4/need-help-finding-if-i-have-been-apr-poisioned-365457/)

Ionexchange 09-20-2005 11:44 PM

Need help finding if I have been ARP-poisoned
 
It started when I tried to connect to one of my Linux machines, which I'll call FOO, using ssh from another Linux box, which I'll call BAR, and got an error that there was a problem with the key and that there may be an eavesdropper. I'm sorry I don't remember the exact message, but I wasn't allowed to log in. So I tried again, and then I was allowed to log in. That event got me wondering if I had ARP spoofing going on, since I have a wireless network and my Linux box is connected via wireless.

I used echolot on BAR and got a message that FOO had a different MAC address. So I used arp -a on FOO. I got a MAC address for my wireless router that is correct; however, when I type ifconfig, the MAC address of the access point is different. Have I been spoofed, and how do I know?

Any suggestions, thanks.

Milton

Slim_Pikins 09-21-2005 07:45 AM

Hi

ArpStar and xarp are countermeasures to ARP poisoning attacks; hope this helps.

Slim Pikins

ddaas 09-21-2005 08:18 AM

I would suggest using arpwatch.
The message from ssh doesn't mean that someone is using your real MAC. It appears if you reinstall the OS, if the IP changes, etc.

Ionexchange 09-21-2005 07:02 PM

Thanks for the info. I thought it might have something to do with a change in the IP address, but when I started finding a different MAC address with echolot and arp, I got concerned.


thanks again,
Milton

primo 09-21-2005 07:03 PM

If possible, use static IP addresses so you can use static ARP tables.
Also, block ICMP redirects on all machines so that no routing tricks leading to a man-in-the-middle can be done.

Check http://seclists.org/lists/bugtraq/1997/Sep/0057.html

archtoad6 09-25-2005 12:01 PM

ssh host keys
 
As far as the ssh complaints are concerned, if you want to be really secure, transfer or verify any new host keys (due to benign changes) by a physical or other secure medium.

These host keys are in /etc/ssh/*.pub on the ssh server. You can examine them with:
Code:

# one line per key file: file name, key type, base64 key blob
# less -S~#32: -S chops long lines, -~ blanks lines past end of file, -#32 scrolls 32 columns
awk '{print FILENAME "\t" $1 "\t" $2}' \
    /etc/ssh/*.pub | less -S~#32

The matching files on the client are $HOME/.ssh/known_hosts and /etc/ssh/ssh_known_hosts. You can examine them with:
Code:

# one line per entry: host name(s) or hashed host, key type, base64 key blob
# less -S~#40: -S chops long lines, -~ blanks lines past end of file, -#40 scrolls 40 columns
awk '{printf "%-32s %-8s %s\n",$1,$2,$3}' \
    $HOME/.ssh/known_hosts | less -S~#40

awk '{printf "%-32s %-8s %s\n",$1,$2,$3}' \
    /etc/ssh/ssh_known_hosts | less -S~#40

At the moment, I only verify changes; but in theory the following man pages:
  • ssh
  • sshd
  • ssh-keygen
contain enough information to figure out how to extract host keys from an ssh server & transfer them to a client.
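The comparison this post describes, the server's /etc/ssh/*.pub files against the client's known_hosts, can be automated. The following is an added example, not code from the post or from OpenSSH: it computes the SHA256 fingerprints that ssh-keygen -l prints and reports, per key type, whether the key BAR has stored for FOO still matches what FOO serves; it also goes beyond the post by handling the hashed |1|salt|hmac host form OpenSSH writes when HashKnownHosts is enabled. All key blobs and the salt are constructed placeholders, and the host names FOO and BAR are taken from the thread.

```python
import base64
import hashlib
import hmac

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample data, not real keys: the concatenated /etc/ssh/*.pub files
# from FOO and the known_hosts from BAR, in the formats the post above describes.
_ED_NOW = _b64(b"constructed ed25519 blob, FOO's current key")
_RSA_NOW = _b64(b"constructed rsa blob, FOO's current key")
_SALT = b"0123456789abcdefghij"  # constructed 20-byte salt for a hashed entry
SERVER_PUB = f"ssh-ed25519 {_ED_NOW} root@foo\nssh-rsa {_RSA_NOW} root@foo\n"
KNOWN_HOSTS = (
    "# stale ed25519 entry left over from before FOO was reinstalled\n"
    f"foo,192.168.1.10 ssh-ed25519 {_b64(b'constructed blob from the old install')}\n"
    # the same host in the |1|salt|hmac form written when HashKnownHosts is on
    f"|1|{_b64(_SALT)}|{_b64(hmac.new(_SALT, b'foo', hashlib.sha1).digest())} ssh-rsa {_RSA_NOW}\n"
)

def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh-keygen -l prints it (base64, unpadded)."""
    return "SHA256:" + _b64(hashlib.sha256(base64.b64decode(b64_blob)).digest()).rstrip("=")

def server_fingerprints(pub_text):
    """Map key type -> fingerprint over the server's *.pub file contents."""
    return {p[0]: fingerprint(p[1]) for p in map(str.split, pub_text.splitlines()) if len(p) >= 2}

def host_matches(pattern, hostname):
    """True if a known_hosts host field covers hostname (plain list or |1| hashed form)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        want = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, base64.b64decode(mac_b64))
    return hostname in pattern.split(",")

def client_fingerprints(known_hosts, hostname):
    """Map key type -> fingerprint the client has stored for hostname."""
    out = {}
    for p in map(str.split, known_hosts.splitlines()):
        if len(p) >= 3 and not p[0].startswith("#") and host_matches(p[0], hostname):
            out[p[1]] = fingerprint(p[2])
    return out

def compare(hostname, pub_text, known_hosts):
    """Per key type: 'match', 'MISMATCH' (investigate before trusting) or 'not in known_hosts'."""
    client = client_fingerprints(known_hosts, hostname)
    return {t: "match" if client.get(t) == fp else "MISMATCH" if t in client else "not in known_hosts"
            for t, fp in server_fingerprints(pub_text).items()}
```

A MISMATCH means the client's stored key differs from what the server currently serves; a reinstall explains it just as well as an interposed host, which is why the post recommends checking the fingerprint over an independent channel.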
