On 6 Dec 2019, at 13:45, Mark Rogers mark@more-solutions.co.uk wrote:
On Fri, 6 Dec 2019 at 13:00, Martijn Koster mak-alug@greenhills.co.uk wrote:
Is it changing IP addresses itself (behind a load balancer, or muti-valued dns records, or does it get its IP via DHCP and got a different one, or is some other misconfigured remote system claiming your IP address, or whatever)?
Static IP (hosted VPS at DigitalOcean).
https://www.digitalocean.com/community/questions/why-my-droples-s-ssh-key-ch... https://www.digitalocean.com/community/questions/why-my-droples-s-ssh-key-changed?comment=58664 Seems to suggest this can happen, though it doesn’t go into great detail why.
Have a look at "ls -l /etc/ssh/*” to see what got changed when, and dig through the system logs from that time, and compare against the last boot time.
That was my first thought and nothing has changed recently (I connect at least once a month, usually more; the newest file was Feb this year.
Hm, that is odd then. If cloud-init regenerated the key, that’s where I’d expect to see it.
Try connecting from elsewhere (some remote machine on some other network) to exclude some of those intercept possibilities.
I just tried from home, and that works fine. But that could be that any cached key has been added more recently (it's a fairly new laptop) so I'm not sure what that really tells me?
Right, you’d have to copy the appropriate line from your .ssh/known_hosts to your new host (after removing the one that just got newly added there).
Which reminds me — you haven’t just restored your .ssh directory from backup or something I assume?
On the host, check for signs of a compromise: miners or other malware running, unexpected files, unexpected logins, unexpected outbound connections, unexpected content being served from your web server etc.
I'm not really sure what to look for.
Most recent compromises I’ve seen have been miners, which show up on “top” and “ps". But I kinda doubt that a compromise is behind it.
— Martijn