rickwatsonb
Posted: Thu Jul 19, 2012 8:00 am Post subject: IP Filtering WHITE LIST
Hi,
I am doing some testing in experimental with regards to creating an IP filtering white list with MQ server 7.1 on Linux. I would like to capture feedback from blocked IPs but have not had any success so far.
For testing scenarios, I have NOT put any valid IPs in the white list on purpose. What I am currently focusing on is capturing feedback from blocked IPs. The MH05 support pac is installed and running on the MQ server.
I have tested connections using the MQ client sample “put” program on the MQ server; this appropriately generated a 2035 reason code. I also tried to connect via MQ Explorer; this appropriately generated an AMQ4036.
What I do not understand is that neither of these failed connections created an event. Why is that?
In general, with MQ 7.1, is there a method available to log blocked IPs at the channel, and also to log blocked IPs at the listener (e.g. scanners)?
Thanks for your help.
bruce2359
Posted: Thu Jul 19, 2012 8:07 am Post subject: Re: IP Filtering WHITE LIST
rickwatsonb wrote:
> What I do not understand is that neither of these failed connections created an event. Why is that?
What events were you expecting? Did you enable them?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
rickwatsonb
Posted: Thu Jul 19, 2012 8:49 am Post subject:
Hi Bruce,
Yes events are turned on, I expected the AMQ4036 to be captured.
Here is another example that shows the steps in my testing process:
I just ran an additional test with a new test queue manager.
-Created queue manager via script (creates all needed components, applies authorities, and turns on event capture)
-Connected via MQ Explorer
-Did a "Put" to test queue
-Executed a clear command on test queue (not allowed) – AMQ4036 generated
-Event captured - Event queue shows the event – reason code 2035
-Applied white list block code (chlauth) that contains only an invalid IP
-Tried to connect again via MQ Explorer (IP not allowed anymore) – AMQ4036 generated.
-No event captured -- Why was this event NOT captured?
Thanks
Vitor
Posted: Thu Jul 19, 2012 8:55 am Post subject:
rickwatsonb wrote:
> Yes events are turned on, I expected the AMQ4036 to be captured.
Why? I've not had a lot of opportunity to play with (sorry, evaluate) this function due to an upgrade schedule that is so slow it's routinely overtaken by glaciers, but it seems to me from my research that you wouldn't get that kind of failed authorization error from a refused connection attempt.
Can you point to any link that described this and built your expectation? If only because I know that our WMQ team are keen to implement this once the glacier melts, solely on the basis they've heard it's another way of increasing queue manager stability by preventing anyone using it....
{reaches for extra anti-sarcasm pills & some anti-bitterness pills}
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Thu Jul 19, 2012 9:11 am Post subject:
Exactly which kind of events have you enabled?
Exactly which event queues are you monitoring?
rickwatsonb
Posted: Thu Jul 19, 2012 9:51 am Post subject:
Thank you Vitor and mqjeff for your replies.
Vitor - I did not see a link that discussed capturing info from a failed connection attempt. Since the failed connection attempt generated an AMQ4036, and a failed “clear” generated the same AMQ4036, I logically thought that I would see an event from the failed connection attempt. This would be nice, especially if it showed the IP in the event message, but perhaps this is not true.
mqjeff – AUTHOREV is enabled and I am monitoring the SYSTEM.ADMIN.QMGR.EVENT queue.
mqjeff
Posted: Thu Jul 19, 2012 9:53 am Post subject:
rickwatsonb
Posted: Thu Jul 19, 2012 10:00 am Post subject:
Thank you mqjeff. It does make sense to turn on channel events and monitor the SYSTEM.ADMIN.CHANNEL.EVENT.
Thanks for pointing me in the right direction!
rickwatsonb
Posted: Thu Jul 19, 2012 10:26 am Post subject:
I enabled the channel events and then tried two connects via MQ Explorer, and one "put" using the sample MQ Client. Three events were written to the SYSTEM.ADMIN.CHANNEL.EVENT queue but the feedback from MH05 does not explicitly describe the events.
Is there a better way to log failed IP connection attempts?
alter qmgr CHLEV (ENABLED)
...
Xmqdspev v1.0 - Developed by Oliver Fisse (ISSW)
Connected to queue manager 'QMGR.TEST4'
Processing EVENT queue 'SYSTEM.ADMIN.CHANNEL.EVENT'...
-------------------------------------------------------[07/19/2012-14:09:13]----
MQCFH (PCF Header) reason code unknown!
Message is probably not an event message.
-------------------------------------------------------[07/19/2012-14:11:39]----
MQCFH (PCF Header) reason code unknown!
Message is probably not an event message.
-------------------------------------------------------[07/19/2012-14:15:29]----
MQCFH (PCF Header) reason code unknown!
Message is probably not an event message.
3 event messages processed.
Disconnected from queue manager 'QMGR.TEST4'
Xmqdspev v1.0 ended.
mqjeff
Posted: Thu Jul 19, 2012 10:34 am Post subject:
Sounds like MH05 is not updated to cover these events.
rickwatsonb
Posted: Thu Jul 19, 2012 11:49 am Post subject:
With MQ Explorer the message content in the SYSTEM.ADMIN.CHANNEL.EVENT is just a dollar sign per message (not sure why), but with amqsbcg I see that the IP (edited below to 10.9.99.9999) is listed in the text of the CHLEV event message. This is good news...
/opt/mqm/samp/bin
./amqsbcg SYSTEM.ADMIN.CHANNEL.EVENT QMGR.TEST4
'....$...........'
'................'
'........ .......'
'........QMGR.TES'
'T4...... .......'
'........10.9.99.'
'999.............'
'........$.......'
'.............MY.'
'CHANNEL..... ...'
'............user'
'id_here.....0...'
'............WebS'
'phere MQ Client '
'for Java........'
'........ '
Vitor
Posted: Thu Jul 19, 2012 11:57 am Post subject:
rickwatsonb wrote:
> With MQ Explorer the message content in the SYSTEM.ADMIN.CHANNEL.EVENT is just a dollar sign per message (not sure why)
Because whatever the underlying hex is at that point it displays as '$'. I doubt all those '.' are really the hex value for '.' but some value for which there is no displayable character in whatever code page you're running MQX.
rickwatsonb wrote:
> with amqsbcg I see that the IP (edited below to 10.9.99.9999) is listed in the text of the chlev event message
The amqsbcg sample can show the actual content of the message and is frequently more useful for that reason.
_________________
Honesty is the best policy.
Insanity is the best defence.
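When the support pac does not recognise the reason code, the event can be decoded directly from the PCF structure that amqsbcg dumps in raw form. The following is an added example, not code from the thread or from any IBM support pac: a small Python parser for the MQCFH header and its MQCFST/MQCFIN parameters, fed with a constructed sample message standing in for one read from SYSTEM.ADMIN.CHANNEL.EVENT. It assumes the numeric values given for the named cmqc.h/cmqcfc.h constants (check them against your own headers) and big-endian integers; a real message's byte order comes from the Encoding field of its MQMD.

```python
import struct
# Assumed values for these cmqc.h/cmqcfc.h names: verify against your MQ 7.1 headers.
MQCFT_INTEGER, MQCFT_STRING, MQCFT_EVENT = 3, 4, 7
MQCMD_CHANNEL_EVENT = 46
MQCA_Q_MGR_NAME, MQCACH_CHANNEL_NAME, MQCACH_CONNECTION_NAME = 2015, 3501, 3506
REASONS = {2035: "MQRC_NOT_AUTHORIZED", 2577: "MQRC_CHANNEL_BLOCKED",
           2578: "MQRC_CHANNEL_BLOCKED_WARNING"}
NAMES = {MQCA_Q_MGR_NAME: "qmgr", MQCACH_CHANNEL_NAME: "channel",
         MQCACH_CONNECTION_NAME: "conname"}

def parse_event(msg: bytes) -> dict:
    """Decode an MQCFH (nine MQLONGs) and its MQCFIN/MQCFST parameters.
    Big-endian assumed; byte-swap first if the MQMD Encoding says otherwise."""
    ftype, hlen, _ver, cmd, _seq, _ctl, _cc, reason, count = struct.unpack(">9i", msg[:36])
    if ftype != MQCFT_EVENT:
        raise ValueError("not a PCF event message")
    out = {"command": cmd, "reason": reason,
           "reason_name": REASONS.get(reason, "unknown(%d)" % reason)}
    off = hlen
    for _ in range(count):
        ptype, plen, param = struct.unpack(">3i", msg[off:off + 12])
        if ptype == MQCFT_STRING:              # MQCFST: ccsid, string length, text
            _ccsid, slen = struct.unpack(">2i", msg[off + 12:off + 20])
            value = msg[off + 20:off + 20 + slen].decode("ascii").rstrip()
        elif ptype == MQCFT_INTEGER:           # MQCFIN: one value
            value = struct.unpack(">i", msg[off + 12:off + 16])[0]
        else:                                  # other types: skipped by StrucLength
            value = None
        out[NAMES.get(param, param)] = value
        off += plen
    return out

def blocked_connections(messages) -> list:
    """(channel, conname) pairs for every event raised by a CHLAUTH block."""
    return [(e["channel"], e["conname"]) for e in map(parse_event, messages)
            if e["reason"] in (2577, 2578)]

def _cfst(param: int, text: str) -> bytes:
    data, pad = text.encode("ascii"), (-len(text)) % 4   # pad to 4-byte boundary
    return struct.pack(">5i", MQCFT_STRING, 20 + len(data) + pad, param, 819,
                       len(data)) + data + b" " * pad

def sample_blocked_event() -> bytes:
    """Constructed sample, not a real capture: the event a blocked client raises."""
    params = [_cfst(MQCA_Q_MGR_NAME, "QMGR.TEST4"),
              _cfst(MQCACH_CONNECTION_NAME, "10.9.99.9999"),
              _cfst(MQCACH_CHANNEL_NAME, "MY.CHANNEL")]
    hdr = struct.pack(">9i", MQCFT_EVENT, 36, 1, MQCMD_CHANNEL_EVENT, 1, 1, 2, 2577, len(params))
    return hdr + b"".join(params)
```

Replace `sample_blocked_event()` with the bytes of a message browsed from the event queue (for example via a PCF-capable client library) to list the connection names behind each block.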
mqjeff
Posted: Thu Jul 19, 2012 2:31 pm Post subject:
I suspect MS0P, recently updated, will likely provide you some decent visualization of the contents of these events.
I've not tried it, nor poked at the docu on it... but the author's a good bloke who tends to know what he's doing in these matters.
Michael Dag
Posted: Fri Jul 20, 2012 1:34 am Post subject:
mqjeff wrote:
> but the author's a good bloke who tends to know what he's doing in these matters.
LOL!
_________________
Michael
MQSystems Facebook page