Attempts on the root account are common on servers that have their ssh service open to the internet. This is why Ubuntu in particular disables root logins by default. It won't stop the MITM attempts or the errors, but it will prevent the attacker from getting usable credentials. The way key authentication works in ssh is the private key stays on your client (machine running PuTTY) and your public key is on the server you're logging in to. The two keys are related in that anything encrypted with one can only be decrypted with the other, but it's nearly impossible given one of the two keys to extrapolate the other. So, even if a MITM occurs and you attempt to log in to an attacker's box, they won't get anything useful that they can log in with. And if they manage to get into your server, all they can get is your public key, which can't be used to gain any access to anything--only the private key will.
The only thing passed between the client and the server when logging on using keys is an encrypted token. Your client (PuTTY) encrypts this token with your private key and then sends it to the server, which then attempts to decrypt it using the public keys stored in the authorized_keys file. If it is able to, it lets you log in. This token is useless outside the transaction, and nothing of the private key gets sent over the wire.
Also, if you set up the key credentials on your PuTTY and server, and you connect to the MITM server, you can try logging in and see if it works. If it does, you're either on your server or they copied your public key from your server to the attack server. If you get to a shell, you can do some looking around. But chances are the MITM box won't recognize your key and it'll revert to a regular password login prompt (don't be fooled and enter your password if this happens!)
Bookmarks