Closed dm9bbadd4 closed 5 months ago
Some more information? How do you start sslh: started as root and dropping privileges, or started as a restricted user? What do the access rights on those files look like? On all systems I know, they are 644 and owned by root:root. Do you have additional services running like AppArmor or SELinux?
It runs as its own user sslh, set in sslh.cfg. Both files have the standard 644 permissions and are owned by root:root. I have AppArmor running; could that be it?
Of course! You need to add an AppArmor profile for sslh where you explicitly allow read access to those files. Where those things are located depends on your distro, but the snippet will look like:
```
#include <tunables/global>
/path/to/application {
  [...]
  # AppArmor rules must end with a comma
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/localtime r,
}
```
It can happen that you need to add more rights once sslh gets past those failing steps, but that depends on how strict your overall setup is. When you start this as the sslh user directly, the sslh binary also needs the cap_net_bind_service capability to bind to ports lower than 1024! If you wish to use transparent mode, you also need cap_net_raw+ep.
Additional warning: if you post error logs like your strace, make sure that no private data is in there, like your client IP address here.
It's a risk to post logs/error messages from applications where you might have misconfigurations. I don't think that's the case here, but you must always keep in mind that you may be posting a serious security problem in your configuration, which unfriendly people might abuse.
I saw this when I had another look at your strace file. Your application is already listening on port 443, so the right capabilities are there. The start sequence looks different from mine. I assume that you run it from a systemd socket or inetd.
So I made a profile for sslh in AppArmor, but it's silently throwing that error now and I'm only seeing it in the strace. SSH to my public IP + port 443 still doesn't work. I've given it all the relevant permissions in AppArmor. I'm also seeing a weird error about it not being able to open /dev/console. My sslh install was perfectly fine until I upgraded my Ubuntu distro to LTS 24, so that's probably the main reason.
Reverted my sslh binary to 2.0.1 (I was using 2.1.2) and now it's working correctly. I think this may be a Landlock issue.
Ah yes, sslh locks itself out of these files. I'll correct this tomorrow.
Please reopen if the commit doesn't work, or confirm that it's OK (I'll create a patch release).
Whenever I try to SSH to my server using the public IP and port 443, SSLH throws this error:
```
warning: cannot open /etc/hosts.allow: Permission denied
warning: cannot open /etc/hosts.deny: Permission denied
```
and I'm unable to connect. Web services I have behind SSLH on that same port route fine. I did an strace of this:
Strace
```
epoll_wait(5, [{events=EPOLLIN, data={u32=3, u64=4294967299}}], 64, 59743) = 1
accept(3, NULL, NULL) = 13
fcntl(13, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(13, F_SETFL, O_RDWR|O_NONBLOCK) = 0
epoll_ctl(5, EPOLL_CTL_ADD, 13, {events=EPOLLIN, data={u32=13, u64=4294967309}}) = 0
epoll_wait(5, [{events=EPOLLIN, data={u32=13, u64=4294967309}}], 64, 59743) = 1
read(13, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ub"..., 8192) = 41
getpeername(13, {sa_family=AF_INET, sin_port=htons(51878), sin_addr=inet_addr("[publicip]")}, [128 => 16]) = 0
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=937, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=510, ...}, 0) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=227, ...}) = 0
lseek(14, 0, SEEK_SET) = 0
read(14, "127.0.0.1 localhost\n127.0.1.1 bi"..., 4096) = 227
read(14, "", 4096) = 0
close(14) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 14
setsockopt(14, SOL_IP, IP_RECVERR, [1], 4) = 0
connect(14, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, 16) = 0
poll([{fd=14, events=POLLOUT}], 1, 0) = 1 ([{fd=14, revents=POLLOUT}])
sendto(14, "\27\210\1\0\0\1\0\0\0\0\0\0\003158\00218\003203\284\7in-ad"..., 44, MSG_NOSIGNAL, NULL, 0) = 44
poll([{fd=14, events=POLLIN}], 1, 5000) = 1 ([{fd=14, revents=POLLIN}])
ioctl(14, FIONREAD, [95]) = 0
recvfrom(14, "\27\210\201\200\0\1\0\1\0\0\0\0\003158\00218\003203\284\7in-ad"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, [28 => 16]) = 95
close(14) = 0
getpid() = 51005
openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 14
connect(14, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
sendto(14, "<35>Jun 11 21:41:47 sslh[51005]:"..., 89, MSG_NOSIGNAL, NULL, 0) = 89
openat(AT_FDCWD, "/etc/hosts.deny", O_RDONLY) = -1 EACCES (Permission denied)
sendto(14, "<35>Jun 11 21:41:47 sslh[51005]:"..., 88, MSG_NOSIGNAL, NULL, 0) = 88
write(2, "connection from ip-84-203-18-158"..., 83) = 83
sendto(14, "<38>Jun 11 21:41:47 sslh[51005]:"..., 116, MSG_NOSIGNAL, NULL, 0) = 116
close(13) = 0
close(13) = -1 EBADF (Bad file descriptor)
epoll_wait(5,
```
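As an added example (not code from the sslh project or from anyone in this thread), the script below turns the EACCES failures in an strace like the one above into the `path mode,` rules that the AppArmor profile snippet suggested earlier would need. The sample trace is constructed: the three openat() failures from the issue's strace, one successful open that must be ignored, and an invented write failure to show the mode mapping.

```python
"""Derive AppArmor allow rules from EACCES failures in an strace log.

Added example, not sslh project code. It reads strace output like the
trace in this issue and emits the "path mode," rules that the profile
snippet suggested earlier in the thread would need.
"""
import re

# Constructed sample: the three openat() failures from the issue's strace,
# one successful open that must be ignored, and an invented write failure.
SAMPLE_TRACE = (
    'openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 14 '
    'openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY) = -1 EACCES (Permission denied) '
    'openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) '
    'openat(AT_FDCWD, "/etc/hosts.deny", O_RDONLY) = -1 EACCES (Permission denied) '
    'openat(AT_FDCWD, "/etc/hosts.deny", O_RDONLY) = -1 EACCES (Permission denied) '
    'openat(AT_FDCWD, "/var/log/sslh.log", O_WRONLY|O_APPEND) = -1 EACCES (Permission denied)'
)

# Matches openat(<dirfd>, "<path>", <flags>[, mode]) = -1 EACCES ...
# Not anchored to line starts, so a trace pasted onto one line still parses.
OPENAT_DENIED = re.compile(
    r'openat\([^,]+,\s*"(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|]+)[^)]*\)'
    r'\s*=\s*-1\s+EACCES'
)

def access_mode(flags):
    """Translate open(2) flags into the AppArmor access letters."""
    parts = set(flags.split("|"))
    if "O_RDWR" in parts:
        return "rw"
    if "O_WRONLY" in parts:
        return "w"
    return "r"  # O_RDONLY; O_CLOEXEC and friends do not change the access

def denied_opens(trace):
    """Return {path: mode} for each distinct open that failed with EACCES."""
    found = {}
    for m in OPENAT_DENIED.finditer(trace):
        found.setdefault(m.group("path"), access_mode(m.group("flags")))
    return found

def apparmor_rules(trace):
    """Render the denied opens as profile rules; AppArmor needs the trailing comma."""
    return [f"{path} {mode}," for path, mode in denied_opens(trace).items()]

if __name__ == "__main__":
    print("\n".join(apparmor_rules(SAMPLE_TRACE)))
```

The script only reports what the kernel refused, not which mechanism refused it: as this thread found, the same EACCES shows up when sslh's own Landlock ruleset omits the file, and no AppArmor rule will fix that case.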