Stopping man-in-the-middle attacks on VPS accounts

In their continuing efforts to maintain secure servers, our systems team has recently posted a security maintenance alert that affects all VPS hosting accounts. The issue concerns what are known as “man-in-the-middle” attacks that target Secure Shell (SSH) access. Note that there have been no breaches of security; this is a recommendation intended to prevent a possible breach of security based on this type of attack.

What is a Man-in-the-middle attack?

In layman’s terms, a man-in-the-middle attack means the attacking computer (the hacker) has established communication between the server and the client’s computer. So, it’s very literally the “man-in-the-middle”. They have cracked access to both the server and hosting account enabling them to obtain information communicated between what would normally only be the client computer and the hosting server. Security audits and communication in the hosting industry have brought this potential security issue to light, so a change in VPS provisioning has been put into place in order to remove the vulnerability. For further information, see Man-in-the-middle attack.

Prevention steps: SSH Host Key Rotation on VPS

Our systems team has performed a full security audit on the VPS hosting system and discovered that there was a need to rotate the SSH host key which allows access to SSH from a client computer. They have taken steps to make sure that the key has been changed on the servers. The remaining items that need to be updated are the keys on the client’s computer. When the keys are completely changed, you may see the following message when connecting to SSH:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is:
[...]

This message is normal when the key has changed and it doesn’t match yours. It is actually written into the SSH daemon and is there to alert you to a possible man-in-the-middle attack.

Clearing the Remote Host Identification Change Alert

In order to connect to SSH, you will need to remove your old key from a file called known_hosts. Here is how to do this on 3 different operating systems:

Linux

Use the following command:

ssh-keygen -R hostname

Replace “hostname” with the name of the server used to connect to SSH.

Windows

In order to access SSH in Windows, you typically use a terminal client. The following example applies if you are using PuTTY (a very common terminal solution for Windows):

  1. Using a registry editor such as REGEDIT, open the Windows registry
  2. Click on EDIT, then select FIND in the drop-down menu. Search for the following: HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
  3. When you find that section, open it and you should see the key(s) that have been assigned for access. Look for the name of the server you are connecting to and delete that row. Here’s an example of how it may appear: [rsa2@22:172.16.117.159]
  4. Close regedit and you’re done!

Once you have deleted the row then PuTTY will generate the new key when you next launch it.

Mac OSX

You will need to be in the Mac Terminal program in order to do the following steps:

  1. cd ~/.ssh
  2. ls
  3. nano known_hosts

You can also use vi or another editor that you have access to. It may be difficult to pick out the lines for the keys, as they may run together in the editor, so it would be wise to back up the file first. You can also use the Finder on the Mac with the following steps:

  1. Open Finder
  2. Click on Go, then click on Go to Folder
  3. Type in the following: ~/.ssh
  4. This will bring you to the .ssh folder and you will see the known_hosts file
  5. Open the file in your preferred editor and remove the old key
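Before the old entry is deleted, the new host key's fingerprint should be compared with the value the hosting provider publishes through a separate channel, since the same warning appears for a real man-in-the-middle. The sketch below is an added example, not code from InMotion Hosting: it edits known_hosts text (Linux and macOS), replacing a host's entries only when the fingerprint matches, and it also finds hashed entries that are hard to pick out by eye. The host names and key bytes are constructed placeholders, and the SHA256 fingerprint format is the one current OpenSSH prints.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, as current OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain list or hashed)."""
    if field.startswith("|1|"):  # hashed: |1|base64(salt)|base64(HMAC-SHA1)
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(want.digest(), base64.b64decode(mac))
    return host in field.split(",")  # exact names only, no wildcard patterns

def rotate(known_hosts, host, new_line, expected_fp):
    """Swap host's old entries for new_line, but only if the new key's
    fingerprint equals expected_fp (obtained out of band)."""
    key_b64 = new_line.split()[2]
    if fingerprint(key_b64) != expected_fp:
        raise ValueError("fingerprint mismatch: do not trust this key")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Comments, blank lines and @cert-authority/@revoked lines are kept.
        if fields and fields[0][0] not in "#@" and host_matches(fields[0], host):
            continue  # stale entry for this host
        kept.append(line)
    return "\n".join(kept + [new_line]) + "\n"

# Constructed sample data: the "keys" are placeholder bytes, not real host keys.
OLD_KEY = base64.b64encode(b"constructed-old-host-key").decode()
NEW_KEY = base64.b64encode(b"constructed-new-host-key").decode()
SAMPLE = (f"vps.example.com,192.0.2.10 ssh-rsa {OLD_KEY}\n"
          f"other.example.net ssh-rsa {OLD_KEY}\n")

if __name__ == "__main__":
    published = fingerprint(NEW_KEY)  # stands in for the provider's published value
    print(rotate(SAMPLE, "vps.example.com",
                 f"vps.example.com ssh-rsa {NEW_KEY}", published))
```

If the fingerprints differ, `rotate` raises and the file is left as it was, which is the case to report to the provider rather than clear.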

Summary

Again, it’s important to note that no breach of security has actually occurred. In addition to the host key change, security measures such as the existing firewall would have prevented this type of attack. If you see the message listed above that states “it is possible that your host key has changed”, make sure to go through one of the steps listed above to remove your old key. As an additional courtesy, you may see the following message from our systems team:

As a security measure, we have regenerated the SSH host keys for your Virtual Private Server. This was done proactively to secure your server against the potential for an attack called “Man in the Middle” wherein a malicious attacker tries to impersonate SSH servers in an attempt to see traffic between client and server. Please note, we do not believe that this attack has been carried out against your VPS, this is purely a precautionary measure. If you use SSH, you may see a notice when you next connect to your server stating that the remote host identification has changed. We apologize for any inconvenience this may cause, however this is simply to ensure your server’s continued security. After you remove the old entry from your known_hosts list, you will not see the message again. If you have any questions, please feel free to contact us.

Arnel Custodio Content Writer I

As a writer for InMotion Hosting, Arnel has always aimed to share helpful information and provide knowledge that will help solve problems and aid in achieving goals. He's also been active with WordPress local community groups and events since 2004.
