On Fri, 6 Dec 2019 at 13:00, Martijn Koster mak-alug@greenhills.co.uk wrote:
> Is it changing IP addresses itself (behind a load balancer, or multi-valued DNS records, or does it get its IP via DHCP and got a different one, or is some other misconfigured remote system claiming your IP address, or whatever)?
Static IP (hosted VPS at DigitalOcean).
> Is the machine doing unattended updates that may have re-generated the key?
Not that I'm aware of.
> Is the machine regenerating the key from some cloud-init mechanism which has an issue that causes it to regenerate the key when it shouldn't?
Not that I'm aware of.
> Have a look at "ls -l /etc/ssh/*" to see what got changed when, and dig through the system logs from that time, and compare against the last boot time.
That was my first thought and nothing has changed recently (I connect at least once a month, usually more; the newest file was Feb this year).
I only have a week's worth of syslog and it only has two references to ssh ("systemd[xxx]: Listening on GnuPG cryptographic agent (ssh-agent emulation)." from the twice I've connected today.)
> The host key checking is designed to alert you to MITM attacks, which would be anywhere between you or your network. Are you connecting from your usual place where it worked before?
Yes
> Try connecting from elsewhere (some remote machine on some other network) to exclude some of those intercept possibilities.
I just tried from home, and that works fine. But that could be that any cached key has been added more recently (it's a fairly new laptop) so I'm not sure what that really tells me?
I have SSH'd to several other servers (also DigitalOcean) without any key issues, so if there's a MITM attack going on it's targeted at that one server (a Wordpress server so it's probably one of the most "visible" of the servers I have much to do with).
> On the host, check for signs of a compromise: miners or other malware running, unexpected files, unexpected logins, unexpected outbound connections, unexpected content being served from your web server etc.
I'm not really sure what to look for. The Wordpress code has Wordfence installed which is pretty good at finding unexpected changes in the site's code, and I ran a scan on that this morning without finding anything. "last" (looking at /var/log/wtmp) only has stuff from today, wtmp.1 from November 8th (quite possibly the last time I logged in). "lastb" has a nice long list of failed attempts for various users but I'm not sure I can draw much from that.
last does show my office IP as the source of the last login but would a MITM attack mask that?
> If you have console access, you might use that rather in reference to ssh
Hmm, good point, until you said that I'd forgotten I do have console access.
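The console access mentioned above is what settles the question, because it lets you read the server's own host key fingerprints (`ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the console) without the network path in between, and compare them with what the client has cached (`ssh-keygen -F <host> -l` against `~/.ssh/known_hosts`). A fingerprint that matches the server's current key but not the cached one means the key really changed on the host (regeneration, reinstall); a cached key that matches the server but not what ssh was offered means something in the path is presenting a different key. The following Python is an added example, not part of this thread or of OpenSSH, that performs that comparison offline: it computes OpenSSH-style SHA256 fingerprints from public-key lines, parses known_hosts entries including the `|1|` hashed-host form, and reports match / MISMATCH / unknown per key type. The hostname, the salt and all key material are constructed stand-ins built in the code (only the key-blob framing is real), not real keys.

```python
import base64
import hashlib
import hmac
import struct

HOST = "wp.example.org"  # placeholder hostname, constructed for this example


def make_blob(keytype: str, seed: bytes) -> bytes:
    """Build a wire-format key blob: length-prefixed type string followed by a
    length-prefixed body. The body is 32 stand-in bytes, NOT real key material."""
    body = hashlib.sha256(seed).digest()
    return struct.pack(">I", len(keytype)) + keytype.encode() + struct.pack(">I", len(body)) + body


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_pubkey_line(line: str):
    """'keytype base64blob [comment]' as found in /etc/ssh/*.pub -> (keytype, blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line: %r" % line)
    return parts[0], base64.b64decode(parts[1])


def hashed_host(hostname: str, salt: bytes) -> str:
    """Produce the |1|salt|hmac host field that HashKnownHosts writes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(hostfield: str, hostname: str) -> bool:
    """Match a known_hosts host field: comma list, [host]:port, or hashed |1| form."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|")
        actual = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    for h in hostfield.split(","):
        if h.startswith("[") and "]:" in h:
            h = h[1:h.index("]:")]  # strip the non-standard-port bracket form
        if h == hostname:
            return True
    return False


def parse_known_hosts(text: str):
    """Yield (hostfield, keytype, blob); comments, blank lines and @markers are skipped."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked: out of scope here
            continue
        if len(parts) >= 3:
            yield parts[0], parts[1], base64.b64decode(parts[2])


def compare_host_keys(server_pub_lines, known_hosts_text: str, hostname: str) -> dict:
    """For each key the server holds, report against the client's cache for hostname:
    ('match', fp), ('MISMATCH', fp) or ('unknown', fp) when nothing is cached for that type."""
    cached = {}
    for hostfield, ktype, blob in parse_known_hosts(known_hosts_text):
        if host_matches(hostfield, hostname):
            cached[ktype] = fingerprint(blob)
    report = {}
    for line in server_pub_lines:
        ktype, blob = parse_pubkey_line(line)
        fp = fingerprint(blob)
        if ktype not in cached:
            report[ktype] = ("unknown", fp)
        else:
            report[ktype] = ("match" if cached[ktype] == fp else "MISMATCH", fp)
    return report


# Constructed sample: the server's current keys, and a client cache that still
# holds an older ed25519 key for HOST (hashed entry) plus an entry for another host.
SERVER_ED25519 = make_blob("ssh-ed25519", b"constructed current host key")
STALE_ED25519 = make_blob("ssh-ed25519", b"constructed old cached key")
SERVER_ECDSA = make_blob("ecdsa-sha2-nistp256", b"constructed ecdsa stand-in")
SALT = hashlib.sha1(b"constructed salt").digest()

SERVER_PUB_LINES = [
    "ssh-ed25519 %s root@wp" % base64.b64encode(SERVER_ED25519).decode(),
    "ecdsa-sha2-nistp256 %s root@wp" % base64.b64encode(SERVER_ECDSA).decode(),
]
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    hashed_host(HOST, SALT) + " ssh-ed25519 " + base64.b64encode(STALE_ED25519).decode(),
    "other.example.org ecdsa-sha2-nistp256 " + base64.b64encode(SERVER_ECDSA).decode(),
])

if __name__ == "__main__":
    for ktype, (status, fp) in compare_host_keys(SERVER_PUB_LINES, KNOWN_HOSTS, HOST).items():
        print("%-22s %-9s %s" % (ktype, status, fp))
```

In the constructed sample the ed25519 key comes back MISMATCH (the cache holds an older key for this host) and the ECDSA key comes back unknown (the cache only knows it for a different host), which is the distinction worth making before deciding whether to replace the cached entry.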