Allow certain IP to connect to qServer


Hussain lala

Jun 23, 2024, 6:00:12 AM
to jPOS Users

Dear Team,

We have a switch server for jPOS and an associated service that connects to this server. Both services operate on localhost. How can we configure the server to only accept connections from localhost and reject any requests from other ports?

This configuration is necessary because there is a security service running that attempts to disrupt the connection between the server and the connecting service. We need the switch server to disregard any requests originating from the IP address of this security service.

This is the current server.xml configuration we have:

<server class="org.jpos.q2.iso.QServer" logger="Q2" name="EPI_SWITCH_CMS_SERVER_5050_CMS">
  <attr name="port" type="java.lang.Integer">5555</attr>
  <attr name="maxSessions" type="java.lang.Integer">1</attr>
  <!-- Channel -->
  <channel class="org.jpos.iso.channel.ASCIIChannel" logger="Q2" packager="org.jpos.iso.packager.GenericPackager">
    <property name="packager-config" value="cfg/packager/iso93ascii.xml" />
    <property name="packager-realm" value="SWITCH_TO_CMS" />
  </channel>
  <ready>SWITCH_CMS_MUX_5050_CMS.ready</ready>
  <!-- MUX -->
  <in>SWITCH_CMS_MUX_IN_5050_CMS</in>
  <out>SWITCH_CMS_MUX_OUT_5050_CMS</out>
</server>

Mark Salter

Jun 23, 2024, 6:46:18 AM
to jpos-...@googlegroups.com

Have a look in the Programmers Guide.

Also detailed here: https://github.com/jpos/jPOS/blob/master/doc/src/asciidoc/ch08/qserver.adoc

I have never used it and wonder if an allow/deny setup for localhost was a considered use case.

Give it a try and do check the guide.

-- 
Mark

jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/ea4116e2-503d-458c-86d5-f527ede78230n%40googlegroups.com.

Hussain lala

Jun 23, 2024, 6:50:59 AM
to jPOS Users
Dear Mark,

Thanks, I will check and let you know.

Alejandro Revilla

Jun 23, 2024, 11:33:13 AM
to jpos-...@googlegroups.com
The allow/deny mechanism works, and it's designed precisely for that purpose: to prevent internal scans that try to determine if you're running an outdated version of WordPress or some other application, ultimately generating a lengthy report recommending updates.

This mechanism does not operate at the firewall level; it's at the application level. Therefore, we need to accept the connection initially, but if the allow/deny rules do not permit the connection, we close it. To add an element of fun, we close it after a random delay to slow down the scan.

When I implemented this, I was seriously considering returning a random signature for a vulnerable application (like PHP1 or a read-write CGI-BIN) just to mess with the security team. Imagine their confusion when they thought they found a major vulnerability, only to realize it was a prank.




Mark Salter

Jun 24, 2024, 4:13:24 AM
to jpos-...@googlegroups.com

It was the allow/deny on localhost that was making me wonder.

Hussain lala, is your QServer listening on 127.0.0.1? If so, no remote devices can connect.

-- 
Mark


Mark Salter

Jun 24, 2024, 4:42:39 AM
to jpos-...@googlegroups.com

Never mind.
I thought the address/interface to listen on was exposed for configuration, but on checking I see now that it is not.

-- 
Mark


Andrés Alcarraz

Jun 24, 2024, 6:26:06 PM
to jpos-...@googlegroups.com

Actually, it is.

So, my suggestion for the OP is to use that instead of (or in addition to) the allow/deny mechanism.

My 2 cents.

Andrés Alcarraz

Mark Salter

Jun 25, 2024, 2:08:14 AM
to jpos-...@googlegroups.com

Thanks Andrés.

So, Hussain lala, by specifying a bind-address of 127.0.0.1, only local processes will be able to connect, as this IP address cannot be targeted by a remote device.

Currently the server binds by default to 0.0.0.0, which is totally sensible (listening on all network interfaces), but not what you happen to desire.

-- 
Mark


Aikhomu Okoedion

Jun 25, 2024, 2:44:22 AM
to jpos-...@googlegroups.com
How about solving the problem at the infrastructure level so that external systems will not be able to send requests to the server hosting the jPOS application? Or some IP whitelisting firewall on the server hosting the jPOS application.

Honorably,

Aikhomu Lucky-Favour Okoedion
_____________________________________________________________________________
There is always a way to do everything, if you are determined enough. Yes, just be courageous enough to THINK OUTSIDE OF THE BOX !




Hussain lala

Jul 1, 2024, 8:56:58 AM
to jPOS Users
Dear All,

We added the allow property in our Q2 server config file; however, when the security scan is started we noticed that the channel to which we send the ISO request is changed from 127.0.0.1 to the IP of the server which was pinging our service for the security scan, and we get an Invalid message length error in our logs.

We also observed the error below in the logs:

<log realm="EPI_SWITCH_SERVER.server.session/10.254.152.3:41874" at="2024-06-28T21:44:20.996">
  <session-start/>
</log>
<log realm="channel/10.254.152.3:41874" at="2024-06-28T21:44:20.996">
  <receive>
    <peer-disconnect/>
  </receive>
</log>
<log realm="EPI_SWITCH_SERVER.server.session/10.254.152.3:41874" at="2024-06-28T21:44:20.996">
  <session-end/>
</log>
<log realm="EPI_SWITCH_CMS_SERVER_4050_CMS.server" at="2024-06-28T21:44:20.996">
  <warn>
    pool exhausted ServerSocket[addr=0.0.0.0/0.0.0.0,localport=5959]
    <thread-pool name="EPI_SWITCH_CMS_SERVER_4050_CMS-ThreadPool-1">
      <jobs>2</jobs>
      <size>1</size>
      <max>1</max>
      <idle>0</idle>
      <active>1</active>
      <pending>1</pending>
    </thread-pool>
  </warn>
</log> 

Can you suggest any other alternative where we send the request from the server to another jPOS service only if the channel is 127.0.0.1?

Andrés Alcarraz

Jul 1, 2024, 12:46:33 PM
to jpos-...@googlegroups.com

Hi Hussain, could you elaborate on what you mean by "the channel to which we sent the ISO request is changed from 127.0.0.1 to the IP of the server which was pinging our service"? Can you exemplify that with some logs?

What you see from the jPOS side in the log is that the connecting party closed the connection.

Regards

Andrés Alcarraz


Mark Salter

Jul 1, 2024, 2:00:43 PM
to jpos-...@googlegroups.com

If your server is not listening on 127.0.0.1 but on 0.0.0.0, it will see the remote server connecting; if you can listen on 127.0.0.1, then *only* the local clients can connect.

-- 
Mark


Hussain lala

Jul 2, 2024, 5:38:45 AM
to jPOS Users
Dear Mark, 

How do I check whether the server is listening on 127.0.0.1 or 0.0.0.0?

I will try to explain the flow here again so that there is better 

We have remote stations that connect, via a load balancer, to the application that has multiple Q2 servers configured and running on different ports. One Q2 server receives the request and sends it to the client connected to the other Q2 server; these are both running on localhost. However, when there is a scan running, the connection between the client and the server is changed, and instead of the client, the Q2 server sends the request to the IP of the scanner, and we get invalid message length and also socket reset exceptions.

For example, in the ideal case:

1. The server will receive the incoming request from the station to the Q2 server via a load balancer:

<log realm="channel/load balancer ip:57977" at="2024-07-01T00:00:01.088">
  <receive>
    <isomsg direction="incoming">
      <!-- org.jpos.iso.packager.GenericPackager[cfg/packager/iso93ascii.xml] -->
      <field id="0" value="1100"/>
      <field id="3" value="000000"/>
    </isomsg>
  </receive>
</log>

2. Now this server, upon receiving the request, sends it to the client running on localhost for processing:

<log realm="channel/127.0.0.1:51381" at="2024-07-01T00:00:01.104">
  <send>
    <isomsg direction="outgoing">
      <!-- org.jpos.iso.packager.GenericPackager[cfg/packager/iso93ascii.xml] -->
      <field id="0" value="1100"/>
      <field id="3" value="000000"/>
    </isomsg>
  </send>
</log>

3. After the request is processed, the server will receive the response and send it back to the station via the load balancer IP.

But after the scan there is a change in point 2: instead of sending to 127.0.0.1, it sends the request to the IP of the scanner server.

Kindly check and let me know if you need any more clarification.

chhil

Jul 2, 2024, 7:55:55 AM
to jpos-...@googlegroups.com
I believe the QServer uses the last connected channel to respond back. If the scanning one connects, it probably will be the one the message gets sent to.

-chhil

Hussain lala

Jul 2, 2024, 7:58:07 AM
to jPOS Users
Hi Chhil,

Is there any way we can make sure that once the connection is made to the localhost it does not get overridden by any other? For this we set maxSessions to 1 so that it does not open another session and does not connect to any other server channel, but this does not seem to work.

Mark Salter

Jul 2, 2024, 8:57:16 PM
to jpos-...@googlegroups.com

Unless you have changed your configuration, your server will (by default) correctly be listening on 0.0.0.0; a netstat will show that.

When you say 'remote stations that connect', can I check that you mean separate machines with IP addresses separate from the machine and IP address that is running the 2 Q2 instances you mention?

-- 
Mark


Mark Salter

Jul 2, 2024, 8:59:17 PM
to jpos-...@googlegroups.com

Can you share a diagram with boxes to represent each device, indicating each IP address and the internal processes that are interconnecting?

-- 
Mark


Andrés Alcarraz

Jul 2, 2024, 9:53:52 PM
to jpos-...@googlegroups.com

Hi Hussain,

As Alejandro said, the allow property takes effect after the connection is accepted. As it is right now, I believe the session is closed after the channel is added to the usable channels, so the next send will go through that session.

I wonder if that order could be changed and the channel added after that. We would need to move that code to the ISOServer.Session class, but in that case, subclasses (if they exist somewhere) that override createSession to return a subclass of it would need to implement that as well. Another option would be to first check the permission in the ISOServer class, instead of in Session, and then create the session.

But you already have a workaround: did you try to only listen on localhost, as suggested by Mark?

This is how:

<server class="org.jpos.q2.iso.QServer" logger="Q2" name="EPI_SWITCH_CMS_SERVER_5050_CMS">
  <attr name="port" type="java.lang.Integer">5555</attr>
  <property name="bind-address" value="localhost"/>

  <!-- Channel -->
  <channel class="org.jpos.iso.channel.ASCIIChannel" logger="Q2" packager="org.jpos.iso.packager.GenericPackager">
    <property name="packager-config" value="cfg/packager/iso93ascii.xml" />
    <property name="packager-realm" value="SWITCH_TO_CMS" />
  </channel>
  <!-- MUX -->
  <in>SWITCH_CMS_MUX_IN_5050_CMS</in>
  <out>SWITCH_CMS_MUX_OUT_5050_CMS</out>
</server>

If you set maxSessions to one, you won’t be able to receive messages in parallel, although that doesn’t seem to be a problem for your use case, since you are using the server for “outgoing” requests; nevertheless, I wouldn’t do that either way.

The other thing that I think does nothing in a QServer is the <ready> tag, so I would suggest removing it to avoid confusion in the future.

I hope this helps you move forward.

Andrés Alcarraz
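The thread contrasts two different controls: a bind address (the kernel never hands a non-loopback connection to the application, which is what Mark's netstat check would show) and the application-level allow/deny list (the connection is accepted first, then closed, with a random delay as Alejandro describes). The following is an added example, written for this thread and not taken from jPOS; `Listener` and `AccessPolicy` are hypothetical names, and the rule semantics (deny wins, an empty allow list permits everything) are assumptions, not jPOS's own ordering. It lets you observe both behaviours locally: what address a socket is really bound to, and the accept-then-reject sequence.

```python
"""Added example (not jPOS code): bind address vs. application-level allow/deny."""
import ipaddress
import random
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    """Allow/deny evaluated on the peer address *after* accept().
    Assumed semantics: rules are IPs or CIDR networks, deny wins over allow,
    and an empty allow list means 'allow everything not denied'."""
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

    @staticmethod
    def _match(ip: str, rules: list) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r, strict=False) for r in rules)

    def permits(self, peer_ip: str) -> bool:
        if self._match(peer_ip, self.deny):
            return False
        return not self.allow or self._match(peer_ip, self.allow)


class Listener:
    """Minimal TCP listener; port 0 lets the OS pick a free port for the demo."""

    def __init__(self, bind_address: str, port: int = 0, policy=None, max_delay: float = 0.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_address, port))
        self.sock.listen(5)
        self.policy = policy or AccessPolicy()
        self.max_delay = max_delay
        self.events = []  # (peer_ip, decision) in acceptance order

    def bound_address(self):
        """The (address, port) pair that `ss -ltn` / `netstat -ltn` would show."""
        return self.sock.getsockname()

    def serve_one(self) -> str:
        conn, (peer_ip, _) = self.sock.accept()  # the connection is always accepted first
        if not self.policy.permits(peer_ip):
            # Late rejection, as in the thread: close after a random delay
            time.sleep(random.uniform(0, self.max_delay))
            self.events.append((peer_ip, "denied"))
            conn.close()
            return "denied"
        self.events.append((peer_ip, "allowed"))
        conn.sendall(b"OK\n")
        conn.close()
        return "allowed"

    def close(self):
        self.sock.close()


def bound_address_for(bind_address: str) -> str:
    """Bind a throwaway socket and report the address it actually listens on."""
    listener = Listener(bind_address)
    try:
        return listener.bound_address()[0]
    finally:
        listener.close()


def demo_accept_then_check(policy: AccessPolicy) -> str:
    """Connect from loopback to a loopback-bound listener and return the decision."""
    listener = Listener("127.0.0.1", policy=policy)
    host, port = listener.bound_address()
    result = {}
    worker = threading.Thread(target=lambda: result.setdefault("d", listener.serve_one()))
    worker.start()
    with socket.create_connection((host, port), timeout=2) as client:
        try:
            client.recv(16)  # b"OK\n" if allowed, b"" (peer closed) if denied
        except ConnectionResetError:
            pass  # a denied peer may see a reset instead of a clean close
    worker.join(2)
    listener.close()
    return result["d"]


if __name__ == "__main__":
    print("bind 127.0.0.1 ->", bound_address_for("127.0.0.1"))
    print("bind 0.0.0.0   ->", bound_address_for("0.0.0.0"))
    print("loopback peer, allow=[127.0.0.1] ->", demo_accept_then_check(AccessPolicy(allow=["127.0.0.1"])))
    print("loopback peer, deny=[127.0.0.1]  ->", demo_accept_then_check(AccessPolicy(deny=["127.0.0.1/32"])))
```

The point for Hussain's case is visible in `serve_one`: with only an allow list, the scanner's connection still reaches `accept()` and exists as a session until the policy closes it, which is the window Andrés describes; with the listener bound to 127.0.0.1, the scanner's connection attempt is refused by the kernel and never appears in the application at all.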

Hussain lala

Jul 3, 2024, 8:09:05 AM
to jPOS Users

Dear All,

I will add the bind-address property and test if this resolves the issue. However, I have a question: If we remove the maxSession 1 property and add the bind-address property, what will happen if a channel is established with the local service and then a request comes from an external or remote IP?

Will the server lose the connection to the local service and establish a new channel with the remote IP, or will it keep the existing established channel and create a new channel with the remote IP? And since access is denied, will it close only the channel with the remote IP, or will all the channels in the session be closed?

If a new channel needs to be created, is there a way to configure the client to ping the server at regular intervals to re-establish the channel connection?

Currently, I noticed some "access denied" logs for the remote IP, but subsequent requests were still sent to the remote IP, resulting in an "invalid message length" error.

<log realm="EPI_SWITCH_CMS_SERVER_4051_CMS.server.session/=remote_ip:52850" at="2024-06-28T21:44:39.950" lifespan="3682ms">
  <session-start>
    access denied, ip=remote_ip
    delay=3670
  </session-start>
</log>

<log realm="EPI_SWITCH_SERVER.server.session/remote_ip:42664" at="2024-06-28T21:47:51.724">
  <session-error>
    <iso-exception>
      Invalid message length GET
      org.jpos.iso.ISOException: Invalid message length GET
at org.jpos.iso.channel.ASCIIChannel.getMessageLength(ASCIIChannel.java:118)
at org.jpos.iso.BaseChannel.receive(BaseChannel.java:714)
at org.jpos.iso.ISOServer$Session.run(ISOServer.java:344)
at org.jpos.util.ThreadPool$PooledThread.run(ThreadPool.java:76)
    </iso-exception>
  </session-error>
</log>

I know there are many questions here but I am just confused and would appreciate all the help and clarifications I can get.

Mark Salter

Jul 3, 2024, 8:16:50 AM
to jpos-...@googlegroups.com

>> I have a question: If we remove the
>>  maxSession 1 property and add the
>> bind-address property, what will
>> happen if a channel is established
>> with the local service and then a
>> request comes from an external or
>>  remote IP?

If your server is binding to 127.0.0.1 then *only* local processes can connect to it.

If you have external clients connecting then this is not going to work - hence my request for a diagram.

-- 
Mark


Hussain lala

Jul 3, 2024, 9:17:13 AM
to jPOS Users
Dear Mark,

We have a SWITCH server application. In this application we have defined multiple Q2 servers. One of the servers listens on a port, e.g. 4545, and this server gets requests from the stations via load balancers. In the same application we have another Q2 server that listens on port 5959. The Q2 server on 4545 will send the request to the client connected to the Q2 server on 5959, and the response from this client is sent to the 4545 Q2 server, which then sends it to the station via the load balancer.

Now the issue happens when some remote server sends a request or ping directly to the Q2 server running on 5959: the channel with the localhost client is lost when the ping is received, and then all the requests from 4545 are sent to the "client", which in this case becomes the remote scanner server, and we have to restart the application altogether to re-establish the connection to the localhost client.

I have attached a diagram below, if possible can we connect?
Architecture.png

Mark Salter

Jul 3, 2024, 2:08:28 PM
to jpos-...@googlegroups.com

So, since you have devices on other IP addresses connecting into the IP address hosting your two Q2 servers, one will have to bind to 0.0.0.0 or the IP address of the machine, and so will be scannable and thus can be broken.

Your Q2 ports need to be excluded from your scan if the whole device cannot be. Or, additionally, protect your components with firewall(s) as needed instead.

-- 
Mark


Alejandro Revilla

Jul 3, 2024, 3:54:39 PM
to jpos-...@googlegroups.com

Andrés Alcarraz

Jul 4, 2024, 8:24:07 AM
to jpos-...@googlegroups.com

So, the remote server connecting to 4545 is on another host.

Is the switch listening on 5959 on the same host as client 1 and 2? If client 1 and 2 are the only ones that should connect to ports 5959 and 9999 and they are on the same host, you could just configure the bind address to localhost in those QServers. That way, only processes running on the same host will be able to connect to them.

That was what I suggested in another response, have you tried it?

Andrés Alcarraz

Mark Salter

Jul 4, 2024, 2:28:40 PM
to jpos-...@googlegroups.com
On 04/07/2024 13:23, Andrés Alcarraz wrote:
> and they are in the same host

I read the diagram as them being remote (i.e. away/remote from the host with the Q2 pair).


-- 
Mark