This morning's log review revealed this sshd log entry on one of our web services hosts: Received disconnect: 11: disconnected by user : 2 Time(s) 3: com.jcraft.jsch.JSchException: reject HostKey: 216.185.71.170 : 1 Time(s) The IP address used is that of a public facing database query page for our freight transit information. It is itself a virtual IP address hosted on the system reporting the error. In other words, if this were a legitimate connection then the situation would be that of an ssh client connecting to an sshd server running on the same host albeit each using a different IP address. In other words, the hostkeys would be identical. It seems to me that someone attempted an ssh connection while spoofing our internal address. Is such a thing even possible? If so then how does it work? What is com.jcraft.jsch? -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos