July 6th, 2008
Suddenly encountered the error message ssh_exchange_identification: Connection closed by remote host while ssh-ing into one of the machines facing the public side of the almighty internet today. A quick Google search turned up an article saying that the problem usually solves itself. The reason for this is simple: as this is a box that's available on the general internet, from time to time a storm of SSH connection requests hits us as other compromised servers attempt to break in. When this happens, sshd may go into defensive mode and simply refuse new connections instead of trying to handle them. This is good. This is also the reason why it "just suddenly works again": the attack subsides or some resources get freed up.
There may of course be other reasons for this error, but if the machine is reachable by other means, answers ping and worked an hour ago, this is a likely cause. Guess it's time to move the public ssh port to something other than 22.
Tags: ssh
Posted in Security
June 21st, 2008
This is just a public service announcement for all the inexperienced developers who write redirects in PHP by issuing a call to header("Location: <new url>"). I see the same mistake time and time again, so just to make sure that people actually remember this:
A Call to Header (even with Location:) Does NOT Stop The Execution of the Current Application!
A simple example that illustrates this:
/* DO NOT COPY THIS EXAMPLE. */

if (empty($_SESSION['authed']))
{
    header('Location: http://example.com/');
    /* Nothing here stops execution; the rest of the script still runs. */
}

if (!empty($_POST['text']))
{
    /* insert into database */
}

/* Do other admin stuff */
The problem here is that the developer does not stop script execution after issuing the redirect. When testing this code the result will look as expected: a redirect happens when a user who is not logged in tries to access the page. There is, however, a gaping security hole here, hidden not in what is in the file but in what is missing. Since the developer does not terminate the script after sending the redirect header, the script continues to run and does whatever the request asks of it. If the user submits a POST request with data (by crafting the request manually), the information is inserted into the database regardless of whether the user is logged in or not. The end result is still a redirect, but the program has executed all of its regular execution paths based on the request.
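The same guard written correctly, as an added example that is not part of the original post. It assumes the hypothetical session key 'authed' and the hypothetical insert_text() helper; the point is that exit, not header(), is what keeps the privileged code from running.

```php
<?php
/* Added example, not the original post's code. Assumes $_SESSION['authed']
 * is set on login and that insert_text() (hypothetical) writes to the DB. */

function require_login(string $login_url): void
{
    if (!empty($_SESSION['authed'])) {
        return; // authenticated: let the rest of the script run
    }

    // Caveat: if any output has already been sent, header() only raises a
    // warning and NO redirect happens. The exit below still protects the
    // privileged code, which is the part that actually matters.
    if (!headers_sent()) {
        header('Location: ' . $login_url, true, 303);
    }

    // header() merely queues a response header; without this line the
    // script would keep executing exactly as in the broken example above.
    exit;
}

function insert_text(string $text): void
{
    /* insert into database (hypothetical) */
}

session_start();
require_login('http://example.com/');

/* Everything below is reachable only by an authenticated session. */
if (!empty($_POST['text'])) {
    insert_text($_POST['text']);
}

/* Do other admin stuff */
```

A manually crafted POST from an unauthenticated client now gets the redirect and nothing else, because execution ends inside require_login() before the insert is reached.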
Tags: PHP, redirect, Security
Posted in PHP, Security