Dear Team,
We have a switch server for JPOS and an associated service that connects to this server. Both services operate on localhost. How can we configure the server to only accept connections from localhost and reject any requests from other ports?
This configuration is necessary because there is a security service running that attempts to disrupt the connection between the server and the connecting service. We need the switch server to disregard any requests originating from the IP address of this security service.
This is the current server.xml configuration we have:
<server class="org.jpos.q2.iso.QServer" logger="Q2" name="EPI_SWITCH_CMS_SERVER_5050_CMS">
  <attr name="port" type="java.lang.Integer">5555</attr>
  <attr name="maxSessions" type="java.lang.Integer">1</attr>
  <!-- Channel -->
  <channel class="org.jpos.iso.channel.ASCIIChannel" logger="Q2" packager="org.jpos.iso.packager.GenericPackager">
    <property name="packager-config" value="cfg/packager/iso93ascii.xml" />
    <property name="packager-realm" value="SWITCH_TO_CMS" />
  </channel>
  <ready>SWITCH_CMS_MUX_5050_CMS.ready</ready>
  <!-- MUX -->
  <in>SWITCH_CMS_MUX_IN_5050_CMS</in>
  <out>SWITCH_CMS_MUX_OUT_5050_CMS</out>
</server>
Have a look in the Programmers Guide.
Also detailed here: https://github.com/jpos/jPOS/blob/master/doc/src/asciidoc/ch08/qserver.adoc
I have never used it and wonder if an allow/deny setup for localhost was a considered use case.
Give it a try and do check the guide.
--
Mark
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/ea4116e2-503d-458c-86d5-f527ede78230n%40googlegroups.com.
It was the allow/deny on localhost that was making me wonder.
Hussain lala, is your QServer listening on 127.0.0.1? If so, no remote devices can connect.
--
Mark
Nevermind.
I thought the address/interface to listen on was exposed for configuration, but in checking I see now that it is not.
--
Mark
Actually it is
So, my suggestion for the OP is to use that instead of (or in addition to) the allow/deny mechanism.
My 2 cents.
Andrés Alcarraz
Thanks Andrés.
So Hussain lala, by specifying a bind-address of 127.0.0.1, only local processes will be able to connect, as this IP address cannot be targeted by a remote device.
Currently the server binds by default to 0.0.0.0, which is totally sensible (listening on all network interfaces), but not what you happen to desire.
--
Mark
Hi Hussain, could you elaborate on what you mean by "the channel to which we sent the ISO request is changed from 127.0.0.1 to the IP of the server which was pinging our service"? Can you exemplify that with some logs?
What you see from the jPOS side in the log is that the connecting party closed the connection.
Regards
Andrés Alcarraz
Andrés Alcarraz
If your server is not listening on 127.0.0.1 but on 0.0.0.0, it will see the remote server connecting; if you can listen on 127.0.0.1, then *only* the local clients can connect.
--
Mark
Unless you have changed your configuration, your Server will (by default) correctly be listening on 0.0.0.0; a netstat will show that.
When you say 'remote stations that connect', can I check that you mean separate machines, with IP addresses separate from the machine and IP address that is running the 2 Q2 instances you mention?
--
Mark
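The check Mark refers to, as an added example that is not part of the thread or of jPOS: parse `ss -ltn` output and report whether a QServer port is bound to loopback only or reachable on all interfaces. The sample lines are constructed; in practice feed the function the real command output.

```python
"""Classify a listening port's bind scope from `ss -ltn` output (added example)."""

# Constructed sample of `ss -ltn` output; 5555 and 9999 are wildcard-bound,
# 4545 is loopback-only.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      50     0.0.0.0:5555        0.0.0.0:*
LISTEN 0      50     127.0.0.1:4545      0.0.0.0:*
LISTEN 0      50     [::]:9999           [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}


def listeners(text):
    """Yield (address, port) for each LISTEN line; the header line is skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # split on the last colon (IPv6 safe)
        yield addr.strip("[]"), int(port)


def bind_scope(text, port):
    """Return 'loopback', 'all-interfaces', 'specific' or 'not-listening' for port."""
    scopes = set()
    for addr, p in listeners(text):
        if p != port:
            continue
        if addr in LOOPBACK:
            scopes.add("loopback")
        elif addr in WILDCARD:
            scopes.add("all-interfaces")
        else:
            scopes.add("specific")
    if not scopes:
        return "not-listening"
    if scopes == {"loopback"}:
        return "loopback"          # only local processes can reach it
    # any non-loopback socket on the port means remote hosts can reach it
    return "all-interfaces" if "all-interfaces" in scopes else "specific"


if __name__ == "__main__":
    for p in (5555, 4545, 9999):
        print(p, bind_scope(SAMPLE_SS, p))
```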
Can you share a diagram with boxes representing each device, indicating each IP address and the internal processes that are interconnecting?
--
Mark
Hi Hussain,
As Alejandro said, the allow property takes effect after the connection is accepted. As it is right now, I believe the session is closed after the channel is added to the usable channels, so the next send will go through that session.
I wonder if that order could be changed and the channel added after that. We would need to move that code to the ISOServer.Session class, but in that case, subclasses (if they exist somewhere) that override createSession to return a subclass of it would need to implement that as well. The other option would be to first check the permission in the ISOServer class, instead of in Session, and then create the session.
But you already have a workaround: did you try to only listen on localhost, as suggested by Mark?
This is how:
<server class="org.jpos.q2.iso.QServer" logger="Q2" name="EPI_SWITCH_CMS_SERVER_5050_CMS">
  <attr name="port" type="java.lang.Integer">5555</attr>
  <property name="bind-address" value="localhost"/>
  <!-- Channel -->
  <channel class="org.jpos.iso.channel.ASCIIChannel" logger="Q2" packager="org.jpos.iso.packager.GenericPackager">
    <property name="packager-config" value="cfg/packager/iso93ascii.xml" />
    <property name="packager-realm" value="SWITCH_TO_CMS" />
  </channel>
  <!-- MUX -->
  <in>SWITCH_CMS_MUX_IN_5050_CMS</in>
  <out>SWITCH_CMS_MUX_OUT_5050_CMS</out>
</server>
If you set maxSessions to one, you won't be able to receive messages in parallel, although that doesn't seem to be a problem for your use case, since you are using the server for "outgoing" requests; nevertheless, I wouldn't do that either way.
The other thing that I think does nothing in a QServer is the <ready> tag, so I would suggest removing it to avoid confusion in the future.
I hope this helps you move forward.
Andrés Alcarraz
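A simplified model of the ordering Andrés describes, added here as an example and not jPOS code: in the current order the channel is registered as usable before the allow/deny check closes it, so the next send picks a dead channel, whereas checking first keeps the usable list clean. The class and method names are assumptions, not the ISOServer API.

```python
"""Model of allow/deny evaluated after vs. before a session becomes usable (added example)."""
from dataclasses import dataclass, field


@dataclass
class Channel:
    peer_ip: str
    connected: bool = True


@dataclass
class ModelServer:
    allow: set          # peer IPs permitted by the allow property (assumed semantics)
    check_first: bool   # True: evaluate allow/deny before registering the channel
    channels: list = field(default_factory=list)

    def on_accept(self, peer_ip):
        """Model of what happens once a TCP connection has already been accepted."""
        ch = Channel(peer_ip)
        permitted = peer_ip in self.allow
        if self.check_first:
            if permitted:
                self.channels.append(ch)
            else:
                ch.connected = False      # dropped before it ever becomes usable
            return ch
        self.channels.append(ch)          # current order: registered as usable first ...
        if not permitted:
            ch.connected = False          # ... then closed by allow/deny
        return ch

    def send(self):
        """Send over the most recently registered channel; None if it is closed."""
        if not self.channels:
            return None
        ch = self.channels[-1]
        return ch.peer_ip if ch.connected else None


if __name__ == "__main__":
    for check_first in (False, True):
        srv = ModelServer(allow={"127.0.0.1"}, check_first=check_first)
        srv.on_accept("127.0.0.1")    # the local service
        srv.on_accept("10.0.0.9")     # constructed address of a scanning host
        print("check_first =", check_first, "-> next send uses", srv.send())
```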
Dear All,
I will add the bind-address property and test if this resolves the issue. However, I have a question: If we remove the maxSession 1 property and add the bind-address property, what will happen if a channel is established with the local service and then a request comes from an external or remote IP?
Will the server lose the connection to the local service and establish a new channel with the remote IP, or will it keep the existing established channel and create a new channel with the remote IP? And since access is not denied, will it close only the channel with the remote IP, or will all the channels in the session be closed?
If a new channel needs to be created, is there a way to configure the client to ping the server at regular intervals to re-establish the channel connection?
>> I have a question: If we remove the
>> maxSession 1 property and add the
>> bind-address property, what will
>> happen if a channel is established
>> with the local service and then a
>> request comes from an external or
>> remote IP?
If your server is binding to 127.0.0.1 then *only* local processes can connect to it.
If you have external clients connecting then this is not going to work - hence my request for a diagram.
--
Mark
So, since you have devices on other IP addresses connecting into the IP address hosting your two Q2 servers, one will have to bind to 0.0.0.0 or the IP address of the machine, and so will be scannable and thus can be broken.
Your Q2 ports need to be excluded from your scan if the whole device cannot be. Or, additionally, protect your components with firewall(s) as needed instead.
--
Mark
So, the remote server connecting to 4545 is in another host. Is the switch listening on 5959 in the same host as client 1 and 2? If client 1 and 2 are the only ones that should connect to ports 5959 and 9999 and they are in the same host, you could just configure the bind address to localhost in those q-servers. That way, only processes running in the same host will be able to connect to it.
That was what I suggested in another response; have you tried it?
Andrés Alcarraz