3 Replies Latest reply on Oct 31, 2014 11:20 PM by yd9038

    man-in-the-middle attack??

    hok

      When we restored an ESM full backup to another ESM, we found many messages like the following in /var/log/messages, and we can no longer log in to the ESM.

       

      Jul  9 08:01:01 McAfee sshccd[1405]: Notice: signal CHLD, 3750 (xxx.xxx.xxx.xxx:22) reclaimed. Exit status: 255. Signal number: 0 -- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -- @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ -- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -- IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! -- Someone could be eavesdropping on you right now (man-in-the-middle attack)! -- It is also possible that a host key has just been changed. -- The fingerprint for the RSA key sent by the remote host is -- e8:35:45:7d:1d:4a:94:97:87:98:70:c5:88:a9:7b:0f. -- Please contact your system administrator. -- Add correct host key in /root/.ssh/known_hosts to get rid of this message. -- Offending RSA key in /root/.ssh/known_hosts:3 -- Password authentication is disabled to avoid man-in-the-middle attacks. -- Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. -- Port forwarding is disabled to avoid man-in-the-middle attac

      Jul  9 08:01:01 McAfee sshccd[1405]: Notice: signal CHLD, 3752 (xxx.xxx.xxx.xxx:22) reclaimed. Exit status: 255. Signal number: 0 -- Error: remote port forwarding failed for listen port 100 -- 

       

      Does anybody know what these messages mean and how to fix this problem?

       

      Regards,

       

      hok

       


       

      on 7/9/14 8:30:39 PM CDT
        • 1. Re: man-in-the-middle attack??
          abdessamad

          Hi,

           

           

           

          I'm sorry, I've never heard of this message.

          I have a question, please:

          What are the requirements and recommendations for restoring an ESM full backup to another ESM?

          Best Regards

           

          • 2. Re: man-in-the-middle attack??
            Richard Hart

            I believe this is due to the new ESM using the SSH keys that were generated by the older/defunct ESM. I would rekey each of the appliances (read: each Receiver, ELM, ACE, ADM, etc.)

             

            To do so:

            1. Click each device, under Physical Display
            2. Click Properties
            3. Click Key Management
            4. Key Device.

             

            This should alleviate the issue you're seeing.

            • 3. Re: man-in-the-middle attack??
              yd9038

              Richard is correct. We've had the same issue when we replaced a receiver. You just need to re-key it. If rekeying it through the GUI doesn't work, you can copy/paste SSH keys through the CLI. Let me know if you need help with that process and I can explain it.
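
Added example, not part of the thread and not McAfee code: a Python sketch that pulls the peer, the presented fingerprint and the stale known_hosts location out of an sshccd notice like the one in the first post, and checks whether a known_hosts-format entry carries the key the remote host sent. The function names are hypothetical and the sample line is constructed from the posted log, cut down to the fields used.

```python
import base64
import hashlib
import re

# Constructed sample: the sshccd notice from the post, cut down to the fields used here.
SAMPLE_LOG = (
    "Jul  9 08:01:01 McAfee sshccd[1405]: Notice: signal CHLD, 3750 "
    "(xxx.xxx.xxx.xxx:22) reclaimed. Exit status: 255. Signal number: 0 -- "
    "@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ -- "
    "The fingerprint for the RSA key sent by the remote host is -- "
    "e8:35:45:7d:1d:4a:94:97:87:98:70:c5:88:a9:7b:0f. -- "
    "Offending RSA key in /root/.ssh/known_hosts:3 -- "
)

PEER_RE = re.compile(r"\(([^()\s]+):(\d+)\) reclaimed")
FP_RE = re.compile(r"\b((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\b")
OFFENDING_RE = re.compile(r"Offending (\S+) key in (\S+):(\d+)")


def parse_host_key_warning(line):
    """Extract peer, presented fingerprint and stale known_hosts location, or None."""
    if "REMOTE HOST IDENTIFICATION HAS CHANGED" not in line:
        return None
    peer, fp, off = PEER_RE.search(line), FP_RE.search(line), OFFENDING_RE.search(line)
    return {
        "peer": peer.group(1) if peer else None,
        "fingerprint": fp.group(1) if fp else None,
        "key_type": off.group(1) if off else None,
        "known_hosts_file": off.group(2) if off else None,
        "known_hosts_line": int(off.group(3)) if off else None,
    }


def md5_fingerprint(entry):
    """Legacy colon-separated MD5 fingerprint of a '[marker] hosts keytype base64' entry."""
    fields = entry.split()
    if fields[0].startswith("@"):  # @cert-authority / @revoked marker
        fields = fields[1:]
    digest = hashlib.md5(base64.b64decode(fields[2])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def entry_matches_presented(warning, entry):
    """True if the key in a known_hosts-format entry is the one the remote host sent."""
    return md5_fingerprint(entry) == warning["fingerprint"]


if __name__ == "__main__":
    print(parse_host_key_warning(SAMPLE_LOG))
```

Comparing the presented fingerprint with the device's key as read from its own console confirms that the change comes from the restore before any host key is replaced.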