Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-21-2005, 12:44 AM   #1
LQ Newbie
Registered: Apr 2004
Location: Tampa, Fl
Distribution: Fedora Core 2 and 3
Posts: 21

Rep: Reputation: 15
Need help finding out if I have been ARP-poisoned

It started when I tried to connect to one of my linux machines, I'll call it FOO, using ssh from another linux box I'll call BAR, when I got an error that there was a problem with the key and that there may be an eavesdropper. I'm sorry I don't remember the exact message, but I wasn't allowed to log in. So, I tried again and then I was allowed to log in. That got me wondering if I didn't have ARP-spoofing going on, since I have a wireless network and my linux box is connected via wireless.

I used echolot on BAR and got a message that FOO had a different MAC address. So I used arp -a on FOO. I get a MAC address for my wireless router that is correct; however, when I type ifconfig, the MAC address of the access point is different. Have I been spoofed, and how do I know?

Any suggestions, thanks.

Old 09-21-2005, 08:45 AM   #2
LQ Newbie
Registered: Jul 2004
Location: Manchester UK
Posts: 21

Rep: Reputation: 15

ArpStar and xarp are countermeasures to ARP poisoning attacks; hope this helps.

Slim Pikins
Old 09-21-2005, 09:18 AM   #3
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 472

Rep: Reputation: 30
I would suggest using arpwatch.
The message from ssh doesn't mean that someone uses your real MAC. It appears if you reinstall the OS, if the IP changes, etc.
Old 09-21-2005, 08:02 PM   #4
LQ Newbie
Registered: Apr 2004
Location: Tampa, Fl
Distribution: Fedora Core 2 and 3
Posts: 21

Original Poster
Rep: Reputation: 15
Thanks for the info. I thought it may have something to do with a change in the IP address, but when I started finding a different MAC address with echolot and arp I got concerned.

thanks again,
Old 09-21-2005, 08:03 PM   #5
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
If possible, use static IP addresses so you may use static ARP tables.
Also, block ICMP redirects in all machines so no routing tricks that lead to man-in-the-middle may be done.
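Added example (not code from any poster in this thread) for the arpwatch suggestion in post #3 and the static-ARP / ICMP-redirect advice in post #5. It does by hand what arpwatch and a static ARP table do: compares the live neighbour cache against a list of IP-to-MAC bindings you recorded out of band (the label on the router, ifconfig run on the box itself), flags bindings that changed and MACs that suddenly answer for several IPs, and emits the commands and sysctl lines that pin the bindings and block redirects. Every address, the interface name wlan0 and the neighbour-table text are constructed sample input; on a real host feed it the output of `ip neigh` (or `arp -an`).

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. All data below is
# constructed sample input; replace it with the output of "ip neigh".

# Bindings you trust, one "ip mac" pair per line (constructed).
EXPECTED_ARP='192.168.1.1 00:11:22:33:44:55
192.168.1.10 00:aa:bb:cc:dd:ee'

# Neighbour cache in "ip neigh" output format (constructed). The gateway line
# carries a MAC that differs from the trusted one, and 00:aa:bb:cc:dd:ee shows
# up for two IPs, which is what a poisoned cache tends to look like.
OBSERVED_NEIGH='192.168.1.1 dev wlan0 lladdr DE:AD:BE:EF:00:01 REACHABLE
192.168.1.10 dev wlan0 lladdr 00:aa:bb:cc:dd:ee STALE
192.168.1.20 dev wlan0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.168.1.30 dev wlan0  FAILED'

# Print the MAC cached for IP $1 (lower-cased), or "none" if no usable entry.
observed_mac() {
    want=$1
    found=$(printf '%s\n' "$OBSERVED_NEIGH" | while read -r ip rest; do
        [ "$ip" = "$want" ] || continue
        set -- $rest                      # split "dev wlan0 lladdr MAC STATE"
        while [ $# -gt 1 ]; do
            if [ "$1" = lladdr ]; then
                printf '%s\n' "$2"
                break 2
            fi
            shift
        done
    done)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | tr 'A-Z' 'a-z'
    else
        printf 'none\n'
    fi
}

# One line per trusted binding whose cached MAC differs (nothing when all match):
#   <ip> expected=<mac> observed=<mac>
arp_mismatches() {
    printf '%s\n' "$EXPECTED_ARP" | while read -r ip mac; do
        seen=$(observed_mac "$ip")
        [ "$seen" = "$mac" ] || printf '%s expected=%s observed=%s\n' "$ip" "$mac" "$seen"
    done
}

# MACs that currently answer for more than one IP. A box poisoning the gateway
# entry usually appears as its own MAC listed under both its IP and the gateway's.
duplicate_macs() {
    printf '%s\n' "$OBSERVED_NEIGH" | while read -r ip rest; do
        set -- $rest
        while [ $# -gt 1 ]; do
            if [ "$1" = lladdr ]; then
                printf '%s\n' "$2" | tr 'A-Z' 'a-z'
                break
            fi
            shift
        done
    done | sort | uniq -d
}

# Commands that pin the trusted bindings as permanent entries on interface $1
# (run as root; "arp -s IP MAC" is the older net-tools equivalent).
static_arp_commands() {
    dev=$1
    printf '%s\n' "$EXPECTED_ARP" | while read -r ip mac; do
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$ip" "$mac" "$dev"
    done
}

# sysctl settings that stop this host from accepting (or sending) ICMP
# redirects, closing the routing trick post #5 warns about.
redirect_sysctls() {
    printf '%s\n' \
        'net.ipv4.conf.all.accept_redirects = 0' \
        'net.ipv4.conf.default.accept_redirects = 0' \
        'net.ipv4.conf.all.secure_redirects = 0' \
        'net.ipv4.conf.all.send_redirects = 0' \
        'net.ipv4.conf.default.send_redirects = 0'
}

# Stand-alone run over the constructed sample.
echo "== changed bindings =="; arp_mismatches
echo "== MACs answering for several IPs =="; duplicate_macs
```

The sysctl lines go in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and are applied with sysctl -p; the permanent neighbour entries do not survive a reboot, so put the static_arp_commands output in a boot script. A MAC answering for several IPs is not proof by itself (proxy ARP and some VPN setups do the same), so treat it as a reason to look, not a verdict.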

Old 09-25-2005, 01:01 PM   #6
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
ssh host keys

As far as the ssh complaints are concerned, if you want to be really secure, transfer or verify any new host keys (due to benign changes) by physical or other secure medium.

These host keys are in /etc/ssh/*.pub on the ssh server. You can examine them with:

awk '{print FILENAME "\t" $1 "\t" $2}' \
    /etc/ssh/*.pub | less -S

The matching files on the client are $HOME/.ssh/known_hosts and /etc/ssh/ssh_known_hosts. You can examine them with:

awk '{printf "%-32s %-8s %s\n",$1,$2,$3}' \
    $HOME/.ssh/known_hosts | less -S

awk '{printf "%-32s %-8s %s\n",$1,$2,$3}' \
    /etc/ssh/ssh_known_hosts | less -S
At the moment, I only verify changes; but in theory the following man pages:
  • ssh
  • sshd
  • ssh-keygen
contain enough information to figure out how to extract host keys from an ssh server & transfer them to a client.

Last edited by archtoad6; 09-25-2005 at 01:06 PM.
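Added example (not code from any poster in this thread) for the host-key check described in post #6: take a host key file copied from the server over a trusted path (its /etc/ssh/ssh_host_rsa_key.pub, say) and compare the key blob, field by field as the awk one-liners above lay it out, with what the client has recorded in known_hosts. The host names, addresses and key blobs below are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Every key blob and host
# name here is a constructed placeholder.

# Client-side known_hosts contents (constructed). The first field may be a
# comma-separated list of names/addresses for the same host.
KNOWN_HOSTS='foo,192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyOne==
bar ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyTwo=='

# Contents of the .pub file fetched from FOO (constructed): the key the client
# already knows, and the key FOO would present after a reinstall.
FOO_RSA_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyOne== root@foo'
FOO_RSA_PUB_NEW='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyThree== root@foo'

# Print the blob recorded for host $1 and key type $2 in known_hosts text $3.
# Prints nothing if there is no entry.
known_hosts_key() {
    printf '%s\n' "$3" | while read -r names ktype blob _comment; do
        [ "$ktype" = "$2" ] || continue
        case ",$names," in
            *",$1,"*) printf '%s\n' "$blob"; break ;;
        esac
    done
}

# Print the blob from a server .pub file's contents ($2) if its type is $1.
server_key() {
    set -- "$1" $2                  # -> $1=wanted type, $2=type, $3=blob, $4=comment
    if [ "$2" = "$1" ]; then
        printf '%s\n' "$3"
    fi
}

# Compare what the client recorded with what the server serves.
# Prints "match", "MISMATCH", or "unknown" (no record yet: a first connection).
verify_host_key() {
    recorded=$(known_hosts_key "$1" "$2" "$KNOWN_HOSTS")
    served=$(server_key "$2" "$3")
    if [ -z "$recorded" ]; then
        echo unknown
    elif [ -n "$served" ] && [ "$recorded" = "$served" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Stand-alone run over the constructed sample.
echo "foo, key unchanged:   $(verify_host_key foo ssh-rsa "$FOO_RSA_PUB")"
echo "foo, after reinstall: $(verify_host_key foo ssh-rsa "$FOO_RSA_PUB_NEW")"
echo "never-seen host:      $(verify_host_key baz ssh-rsa "$FOO_RSA_PUB")"
```

Two caveats when using this against a real known_hosts: entries hashed by the HashKnownHosts option start with "|1|" and cannot be matched on the host name this way (ssh-keygen -F host -f ~/.ssh/known_hosts finds them instead), and a MISMATCH that turns out to be a benign reinstall is cleared with ssh-keygen -R host before the new key is accepted. For a comparison by eye or over the phone, ssh-keygen -lf run on the server's .pub file and on the client's known_hosts prints the fingerprints instead of the full blobs.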

