On Wed, 06 Aug 2003, Stephen Pedrosa Eilert wrote:

> I was troubleshooting a network problem in some of my computers (will be
> called Elderbrain in the remainder of this message). Apparently, it wasn't
> receiving any information from my home server (DHCP, DNS cache, NAT,
> Firewall, called Speaker).  So, I configured the interface manually, using
> my ISP's DNS server and tried to SSH to Speaker. To my surprise, the
> following message appeared:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The RSA host key for speaker has changed,
> and the key for the according IP address 204.91.156.55
> is unknown. This could either mean that
> DNS SPOOFING is happening or the IP address for the host
> and its host key have changed at the same time.
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> b7:40:14:87:ab:13:fe:9c:90:1f:d3:11:43:dd:59:50.
> Please contact your system administrator.
> Add correct host key in /root/.ssh/known_hosts to get rid of this message.
>
> But how can I be sure? I want to be 100% sure if I am to contact them.
> 

Is your question "How can you be sure an MITM attack is taking place?"

Go home - put a copy of Elderbrain's RSA host key on a floppy, take it to work
and put it in known_hosts in *your* home directory on your computer.

(Also write down the fingerprint as displayed on Speaker's console.)

Stop working as root :-)

If you still get the warning, there is an MITM!

Hope my crude summary helps.
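
The comparison suggested in the reply, as an added example that is not part of the original thread: it recomputes the colon-separated MD5 fingerprint from a host key line carried over a trusted path and compares it with the fingerprint the client printed. It assumes an SSH protocol 2 key; the key below is constructed, not a real host key, and the function names are hypothetical.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field, as used inside an SSH public key blob."""
    return len(data).to_bytes(4, "big") + data


def parse_key_line(line: str):
    """Return (key type, raw blob) from a known_hosts or .pub style line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob repeats the key type as its first field; both must agree.
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] != field.encode():
                raise ValueError("key type inside blob does not match the line")
            return field, blob
    raise ValueError("no public key found in line")


def md5_fingerprint(line: str) -> str:
    """Colon-separated MD5 of the key blob, the format shown in the warning."""
    digest = hashlib.md5(parse_key_line(line)[1]).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def same_fingerprint(trusted_line: str, shown: str) -> bool:
    """True if the trusted key hashes to the fingerprint the client printed."""
    return md5_fingerprint(trusted_line) == shown.strip().rstrip(".").lower()


# Constructed sample, NOT a real host key: a well-formed ssh-rsa blob
# (type, exponent 65537, 1024-bit modulus made of filler bytes).
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(128, 256))))
TRUSTED_LINE = "speaker ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
# Fingerprint quoted in the warning message earlier in this thread.
SHOWN = "b7:40:14:87:ab:13:fe:9c:90:1f:d3:11:43:dd:59:50."

if __name__ == "__main__":
    print("trusted copy:", md5_fingerprint(TRUSTED_LINE))
    print("shown by ssh:", SHOWN.rstrip("."))
    ok = same_fingerprint(TRUSTED_LINE, SHOWN)
    print("match" if ok else "MISMATCH: do not accept the offered key")
```

Current OpenSSH clients print SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <keyfile>` prints the older format used in this warning.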

