sslh and libwrap0 (tcp-wrappers and aclexec) -- [Complete version, earlier send by mistake :-/]

To: debian-user@lists.debian.org
Subject: sslh and libwrap0 (tcp-wrappers and aclexec) -- [Complete version, earlier send by mistake :-/]
From: Håkon Alstadheim <hakon@alstadheim.priv.no>
Date: Mon, 10 Sep 2018 16:50:17 +0200
Message-id: <[🔎] 8edbac81-90aa-4a99-0569-569fa83e20d0@alstadheim.priv.no>

(please discard the earlier misfire, I was trying to wrap the log-lines)

I have an openvpn server on stretch (with some backports stuff) in
combination with sslh so that I can multiplex https and openvpn on port
443. This is needed so clients can get through a firewall.

Simplistic setup of sslh&openvpn means that openvpn and apache see all
connects as coming from localhost, so I wanted to enable tcp-wrappers
with geoip, but I can not get it to work.

When I enable hosts.{allow,deny} I have, Starting with the symptoms and
working down to my config:

- firefox showing connection failed to httpps://

- log showing:

Sep 10 15:38:10 garbo sslh[10550]: sslh-fork 1.18-1 started
Sep 10 15:38:30 garbo geofilter: [10555] Mon, 10 Sep 2018 15:38:30\
 +0200 uid:115 /usr/local/sbin/https-geofilter 192.168.2.201
Sep 10 15:38:30 garbo geofilter: [10555] allow: ALLOW connection\
 from 192.168.2.201 (IP Address not found)
Sep 10 16:14:17 garbo geofilter: [16004] Mon, 10 Sep 2018 16:14:17\
 +0200 uid:115 /usr/local/sbin/https-geofilter 192.168.2.201
Sep 10 16:14:17 garbo geofilter: [16004] allow: ALLOW connection\
 from 192.168.2.201 (IP Address not found)
Sep 10 16:14:17 garbo sslh[10550]: warning: /etc/hosts.allow,\
 line 5: process 16003 exited with signal 126
Sep 10 16:14:17 garbo sslh[10550]: aclexec returned 1
Sep 10 16:14:17 garbo sslh[10550]: connection from\
 gt.alstadheim.priv.no.2.168.192.in-addr.arpa(192.168.2.201):\
 access denied

- Standard output where sslh is launched showing:
 /etc/init.d/sslh restart
Restarting ssl/ssh multiplexer: sslh
tls addr: localhost:https. libwrap service: https log_level: 5 family 2 2 []
openvpn addr: localhost:5555. libwrap service: openvpn log_level: 5
family 2 2 []
listening on:
	garbo.alstadheim.priv.no:https	[]
	148-252-110.153.3p.ntebredband.no:https	[]
timeout: 3
on-timeout: openvpn
listening to 2 addresses
.
turning into sslh
capabilities: =

accepted fd 6
**** writing deferred on fd -1
probing for tls
access denied

==== my config: ======
---/etc/sslh/sslh.cfg:---
foreground: false;
inetd: false;
numeric: false
transparent: false;
timeout: 3;
user: "sslh";
pidfile: "/var/run/sslh/sslh.pid";
syslog_facility: "auth";

protocols:
(
     { name: "tls";service: "https"; host: "localhost"; port: "443";
log_level: 5;},
  { name: "openvpn"; service: "openvpn" ; host: "localhost"; port:
"5555"; log_level: 5; }

);
---/etc/default/sslh---
RUN=yes
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="-vv --user sslh --listen 192.168.2.2:443 --listen\
 148.252.110.153:443 --pidfile /var/run/sslh/sslh.pid --on-timeout\
 openvpn -F/etc/sslh/sslh.cfg"

---/etc/hosts.deny---
rpc.ugidd: ALL
#openvpn: ALL
https: ALL
#ssl: ALL
#anyprot: ALL
swat: ALL
#sslh: ALL
---/etc/hosts.allow---
#
rpc.ugidd: 192.168.2.0/24
#
# next line is line 5
https: ALL:aclexec /usr/local/sbin/https-geofilter %a:\
 severity auth.warning
---/usr/local/sbin/https-geofilter---
#!/bin/bash
exec>/dev/null </dev/null 2>&1

# Ansible Managed: GeoIP aclexec script for Linux TCP wrappers.
## Source: http://www.axllent.org/docs/view/ssh-geoip

# UPPERCASE space-separated country codes to ACCEPT
/usr/bin/logger -t geofilter -p authpriv.warning "[$$] `/bin/date -R`
uid:$UID $0 $*"
ALLOW_COUNTRIES="NO SE"

if [ $# -ne 1 ]; then
  echo "Usage:  `basename $0` ip" 1>&2
  exit 0 # return true in case of config issue
fi

COUNTRY=`/usr/bin/geoiplookup $1 | /usr/bin/awk -F ": " '{ print $2 }' |
/usr/bin/awk -F "," '{ print $1 }' | /usr/bin/head -n 1`

[[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]]
&& RESPONSE="ALLOW" || RESPONSE="DENY"
if [ $RESPONSE = "ALLOW" ]
then
    /usr/bin/logger -t geofilter -p authpriv.warning "[$$] allow:
$RESPONSE connection from $1 ($COUNTRY)" || true
    true
    exit 0
else
  /usr/bin/logger -t geofilter -p authpriv.warning "[$$]deny: $RESPONSE
connection from $1 ($COUNTRY)" || true
  false
  exit 1
fi

----------------------------------

My reading of this is that my aclexec-script gets called, and when
192.168.2.201 is not found, it logs ALLOW and returns with 'exit 0'.
Then the parent-process (as seen by the PID) then erroneously complains
that my script was terminated by a signal 126, and returns 1 (i.e.
false) to sslh.

I tried looking at the source-packages for sslh and tcp-wrappers, both
for the versions in stretch, and for tcp-wrappers also the one in
unstable, but I can not make sense of them.

Reply to:

Prev by Date: Re: Buster: Firefox-esr: can't get spell checker to work
Next by Date: Re: [beginning OT] Re: Bug#908349: firefox-esr: no sound after upgrading from 52.9 to 60.2
Previous by thread: sslh and libwrap0 (tcp-wrappers)
Next by thread: Sound in Stretch
Index(es):
- Date
- Thread