On 6 Dec 2019, at 12:01, Mark Rogers <mark@more-solutions.co.uk> wrote:

I have just received:
   Warning: the ECDSA host key for '...' differs from the key for the
IP address '...'

.. when trying to SSH to a web server I manage.

I expect these kinds of warnings if I've changed IPs, or reinstalled
SSH, or reinstalled the OS, but I'm not aware of having done anything
that could provoke this warning.

Is it changing IP addresses itself (behind a load balancer, or multi-valued DNS records, or does it get its IP via DHCP and got a different one, or is some other misconfigured remote system claiming your IP address, or whatever)?
Is the machine doing unattended updates that may have re-generated the key?
Is the machine regenerating the key from some cloud-init mechanism which has an issue that causes it to regenerate the key when it shouldn’t?

Have a look at "ls -l /etc/ssh/*" to see what got changed when, and dig through the system logs from that time, and compare against the last boot time.


Googling just gives me endless ways to fix the problem by removing the
cached key, but I'm finding precious little advice on what to do if
the warning has no obvious cause.

Suggestions?

The host key checking is designed to alert you to MITM attacks, which would be anywhere between you or your network.
Are you connecting from your usual place where it worked before?
Try connecting from elsewhere (some remote machine on some other network) to exclude some of those intercept possibilities.

On the host, check for signs of a compromise: miners or other malware running, unexpected files, unexpected logins, unexpected outbound connections, unexpected content being served from your web server etc.
If you have console access, you might use that rather in preference to ssh.

— Martijn
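
An added example, not part of the original message: before removing any cached key, it helps to see exactly which client-side known_hosts entries disagree. This sketch finds the key types cached under both the hostname and the IP address whose fingerprints differ. The function names, host name, IP address and key blobs are constructed for illustration; wildcard patterns and `[host]:port` forms are not handled.

```python
import base64
import hashlib
import hmac


def name_matches(field, name):
    """True if a known_hosts host field names `name` (plain list or |1| hashed)."""
    if field.startswith("|1|"):  # HashKnownHosts: |1|salt|HMAC-SHA1(salt, name)
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return name in field.split(",")


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keys_for(known_hosts_text, name):
    """Map key type -> fingerprint for each entry that names `name`."""
    found = {}
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if name_matches(parts[0], name):
            found[parts[1]] = fingerprint(parts[2])
    return found


def mismatches(known_hosts_text, host, ip):
    """Key types cached under both names whose fingerprints disagree."""
    by_host, by_ip = keys_for(known_hosts_text, host), keys_for(known_hosts_text, ip)
    return {t: (by_host[t], by_ip[t])
            for t in by_host.keys() & by_ip.keys() if by_host[t] != by_ip[t]}


# Constructed sample: placeholder blobs, not real SSH public keys.
KEY_A = base64.b64encode(b"constructed key blob A").decode()
KEY_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE = (f"web.example.org ecdsa-sha2-nistp256 {KEY_A}\n"
          f"192.0.2.10 ecdsa-sha2-nistp256 {KEY_B}\n"
          f"web.example.org,192.0.2.10 ssh-ed25519 {KEY_A}\n")

if __name__ == "__main__":
    for ktype, (fp_host, fp_ip) in mismatches(SAMPLE, "web.example.org", "192.0.2.10").items():
        print(f"{ktype}: hostname entry {fp_host}, IP entry {fp_ip}")
```

The fingerprints it reports can be compared with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the server's console, which shows whether the hostname entry or the IP entry matches the key the machine currently holds.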