[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

sslh and libwrap0 (tcp-wrappers and aclexec) -- [Complete version, earlier send by mistake :-/]

(please discard the earlier misfire, I was trying to wrap the log-lines)

I have an openvpn server on stretch (with some backports stuff) in
combination with sslh so that I can multiplex https and openvpn on port
443. This is needed so clients can get through a firewall.

Simplistic setup of sslh&openvpn means that openvpn and apache see all
connects as coming from localhost, so I wanted to enable tcp-wrappers
with geoip, but I can not get it to work.

When I enable hosts.{allow,deny} I have, Starting with the symptoms and
working down to my config:

- firefox showing connection failed to httpps://

- log showing:

Sep 10 15:38:10 garbo sslh[10550]: sslh-fork 1.18-1 started
Sep 10 15:38:30 garbo geofilter: [10555] Mon, 10 Sep 2018 15:38:30\
 +0200 uid:115 /usr/local/sbin/https-geofilter
Sep 10 15:38:30 garbo geofilter: [10555] allow: ALLOW connection\
 from (IP Address not found)
Sep 10 16:14:17 garbo geofilter: [16004] Mon, 10 Sep 2018 16:14:17\
 +0200 uid:115 /usr/local/sbin/https-geofilter
Sep 10 16:14:17 garbo geofilter: [16004] allow: ALLOW connection\
 from (IP Address not found)
Sep 10 16:14:17 garbo sslh[10550]: warning: /etc/hosts.allow,\
 line 5: process 16003 exited with signal 126
Sep 10 16:14:17 garbo sslh[10550]: aclexec returned 1
Sep 10 16:14:17 garbo sslh[10550]: connection from\
 access denied

- Standard output where sslh is launched showing:
 /etc/init.d/sslh restart
Restarting ssl/ssh multiplexer: sslh
tls addr: localhost:https. libwrap service: https log_level: 5 family 2 2 []
openvpn addr: localhost:5555. libwrap service: openvpn log_level: 5
family 2 2 []
listening on:
	garbo.alstadheim.priv.no:https	[]
	148-252-110.153.3p.ntebredband.no:https	[]
timeout: 3
on-timeout: openvpn
listening to 2 addresses
turning into sslh
capabilities: =

accepted fd 6
**** writing deferred on fd -1
probing for tls
access denied

==== my config: ======
foreground: false;
inetd: false;
numeric: false
transparent: false;
timeout: 3;
user: "sslh";
pidfile: "/var/run/sslh/sslh.pid";
syslog_facility: "auth";

     { name: "tls";service: "https"; host: "localhost"; port: "443";
log_level: 5;},
  { name: "openvpn"; service: "openvpn" ; host: "localhost"; port:
"5555"; log_level: 5; }

DAEMON_OPTS="-vv --user sslh --listen --listen\ --pidfile /var/run/sslh/sslh.pid --on-timeout\
 openvpn -F/etc/sslh/sslh.cfg"

rpc.ugidd: ALL
#openvpn: ALL
https: ALL
#ssl: ALL
#anyprot: ALL
swat: ALL
#sslh: ALL
# next line is line 5
https: ALL:aclexec /usr/local/sbin/https-geofilter %a:\
 severity auth.warning
exec>/dev/null </dev/null 2>&1

# Ansible Managed: GeoIP aclexec script for Linux TCP wrappers.
## Source: http://www.axllent.org/docs/view/ssh-geoip

# UPPERCASE space-separated country codes to ACCEPT
/usr/bin/logger -t geofilter -p authpriv.warning "[$$] `/bin/date -R`
uid:$UID $0 $*"

if [ $# -ne 1 ]; then
  echo "Usage:  `basename $0` ip" 1>&2
  exit 0 # return true in case of config issue

COUNTRY=`/usr/bin/geoiplookup $1 | /usr/bin/awk -F ": " '{ print $2 }' |
/usr/bin/awk -F "," '{ print $1 }' | /usr/bin/head -n 1`

[[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]]
if [ $RESPONSE = "ALLOW" ]
    /usr/bin/logger -t geofilter -p authpriv.warning "[$$] allow:
$RESPONSE connection from $1 ($COUNTRY)" || true
    exit 0
  /usr/bin/logger -t geofilter -p authpriv.warning "[$$]deny: $RESPONSE
connection from $1 ($COUNTRY)" || true
  exit 1


My reading of this is that my aclexec-script gets called, and when is not found, it logs ALLOW and returns with 'exit 0'.
Then the parent-process (as seen by the PID) then erroneously complains
that my script was terminated by a signal 126, and returns 1 (i.e.
false) to sslh.

I tried looking at the source-packages for sslh and tcp-wrappers, both
for the versions in stretch, and for tcp-wrappers also the one in
unstable, but I can not make sense of them.

Reply to: