#1138682 reportbug: sslh fails to open /etc/hosts.allow and /etc/hosts.deny

Package:
sslh
Source:
sslh
Description:
Applicative protocol multiplexer
Submitter:
Daniel Höpfl
Date:
2026-06-25 17:37:07 UTC
Severity:
normal
Tags:
#1138682#5
Date:
2026-06-02 09:07:01 UTC
From:
To:
Dear maintainer,

I use sslh to have both HTTPS and SSH on one port.
I also monitor the network to detect suspicious requests and I use other services to regularly update my /etc/hosts.deny.
This file is owned by user/group root and uses 0644 as access rights:
------------- 8< -------------------------------------------
#include <tunables/global>

profile named /usr/sbin/sslh flags=(attach_disconnected) {
  #include <abstractions/hosts>
}
------------- 8< -------------------------------------------

I think the same problem is documented upstream:

https://github.com/yrutschle/sslh/issues/450

I assume the sslh package should either include a similar apparmor config or (better) upgrade to an upstream version that fixes the bug.

#1138682#10
Date:
2026-06-12 20:11:35 UTC
From:
To:
Dear maintainer,

minor update: The apparmor config I included in the original message was not working.
I currently use
------------- 8< -------------------------------------------
include <tunables/global>

profile sslh /usr/sbin/sslh flags=(attach_disconnected, complain) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/hosts_access>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /usr/sbin/sslh pix,

  network tcp,
  unix (send) type=stream,

  @{etc_ro}/hosts.deny r,
  @{etc_ro}/hosts.allow r,
  @{etc_ro}/sslh/** r,
  owner @{run}/sslh/sslh.pid rw,
}
------------- 8< -------------------------------------------

Using this, I see no complaints in the log. However, after a few hours, sslh stops accepting ssh connections. I see in the log:

Calling `tcpdmatch ssl CLIENT_IPADDRESS` shows it is granted.

The log seems normal, the only message that stands out is:

(I actually noticed that it no longer works at about 17:35, it did work at some time between 13:00 and 16:37)

After restarting sslh, it immediately works again, until it breaks a few hours later.

As reference, here's my config (IP addresses redacted):
------------- 8< -------------------------------------------
# SSLH configuration
# NOTE: The following values are overridden by the start script!
#
# foreground: true;
# inetd: false;
# user: "sslh";
# pidfile: "/var/run/sslh/sslh.pid";

# Custom config follows

# Do not resolve hostnames.
numeric: true;

# verbose-connections: 3;
verbose-connections: 9;
verbose-config-error: 9;
verbose-connections-try: 9;
verbose-connections-error: 9;
verbose-fd: 9;
verbose-probe-info: 9;
verbose-probe-error: 9;
verbose-system-error: 9;
verbose-int-error: 9;

listen:
(
    { host: "PUBLIC_IPv4"; port: "443"; }
);

protocols:
(
    # That's why we are here ...
    { name: "ssh"; service: "ssh"; host: "PUBLIC_IPv4"; port: "22"; keepalive: true; tfo_ok: true; log_level: 1; },
    # TLS is forwarded to HTTPs (could be something else but we do not care).
    { name: "tls"; host: "127.0.0.1"; port: "443"; log_level: 0; },
    # On timeout, forward to HTTPs.
    { name: "timeout"; host: "127.0.0.1"; port: "443"; }
);
------------- 8< -------------------------------------------

HTH,
Daniel
#1138682#15
Date:
2026-06-18 12:55:51 UTC
From:
To:
Dear maintainer,

sorry to add another update:

The log messages that I saw seem to be unrelated.
I found the trigger that breaks the service: A cronjob that updates the /etc/hosts.deny file.

I can reproduce the problem by running (as root):

   cp /etc/hosts.deny xxx; chmod 0644 xxx; mv xxx /etc/hosts.deny

Currently, I do not know how to actually fix this (the workaround is to restart sslh after updating the hosts.deny file).

However, my initial report is still valid: With apparmor enabled (seems to be default), sslh does not work at all for me.

My current /etc/apparmor.d/usr.sbin.sslh is as follows:
------------- 8< -------------------------------------------
include <tunables/global>

profile sslh /usr/sbin/sslh flags=(attach_disconnected, complain) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/hosts_access>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  /usr/sbin/sslh pix,

  network tcp,
  unix (send) type=stream,

  @{etc_ro}/sslh/** r,
  owner @{run}/sslh/sslh.pid rw,
}
------------- 8< -------------------------------------------

Bye,
Daniel
#1138682#18
Date:
2026-06-19 15:15:11 UTC
From:
To:
On Tue, 02 Jun 2026, Daniel Höpfl wrote:

As you point out, this is upstream
https://github.com/yrutschle/sslh/issues/450 which is fixed in 2.3.1.

It's not the apparmor config; it's the landlock(7) configuration of the
executable which restricts sslh from reading /etc/hosts.{allow,deny}.

I suspect the fact that this works at all initially is because libwrap
is reading those files before the landlock configuration is enforced on
the executable.

In any event, this will be addressed as soon as I finish updating sslh.
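Added example (not part of the bug thread and not sslh's code) tying the maintainer's landlock(7) explanation to the `cp; chmod; mv` trigger from message #15. It rests on one documented Landlock property: a path rule is bound to the inode opened when the rule is added, not to the path string. If a daemon adds a rule for the `/etc/hosts.deny` that exists at startup, `mv` puts a new inode at that path and the rule no longer covers it, so `open()` fails with EACCES until the daemon restarts and re-opens the new inode; a rule on the parent directory covers whatever is renamed into it. Whether the Debian sslh build currently adds any rule for these files is the maintainer's question, not something this example asserts. Function names (`run_demo`, `restricted_child`), the temporary-directory layout and the two-line sample hosts.deny contents are constructed for the demonstration; it runs unprivileged on a Linux kernel with Landlock (5.13 or later).

```c
/* Added example (not sslh's code): why `mv xxx /etc/hosts.deny` breaks a daemon that
 * confined itself with Landlock at startup. Rules bind to inodes, so a rule on the
 * original file misses the inode mv puts at the same path; a rule on the directory does not. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifdef __has_include
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#endif
#endif
#ifndef LANDLOCK_ACCESS_FS_READ_FILE  /* fallback (ABI v1 subset) for old kernel headers */
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_RULE_PATH_BENEATH 1
struct landlock_ruleset_attr { unsigned long long handled_access_fs; };
struct landlock_path_beneath_attr { unsigned long long allowed_access; int parent_fd; } __attribute__((packed));
#endif
#ifndef __NR_landlock_create_ruleset  /* same syscall numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

enum demo_result { DEMO_LANDLOCK_UNAVAILABLE, DEMO_BROKEN_BY_REPLACE, DEMO_SURVIVES_REPLACE, DEMO_UNEXPECTED, DEMO_SETUP_FAILED };

/* 0 after a successful open+read, otherwise errno (Landlock denials surface as EACCES). */
static int try_read(const char *path) {
    char buf[64];
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return errno;
    int err = read(fd, buf, sizeof buf) < 0 ? errno : 0;
    close(fd);
    return err;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    return f ? (fputs(text, f) < 0) | fclose(f) : -1;
}

/* Child: confine itself like a daemon would, read the file, let the parent replace it
 * (the cronjob's mv), read again. Exit status is an enum demo_result. */
static int restricted_child(const char *file, const char *dir, int rule_on_dir, int from_parent, int to_parent) {
    struct landlock_ruleset_attr rs = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE };
    int ruleset = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset < 0)  /* ENOSYS/EOPNOTSUPP: kernel has no Landlock; EPERM: seccomp blocks the syscall */
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? DEMO_LANDLOCK_UNAVAILABLE : DEMO_SETUP_FAILED;
    struct landlock_path_beneath_attr pb = { .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE };
    pb.parent_fd = open(rule_on_dir ? dir : file, O_PATH | O_CLOEXEC);  /* the rule binds to THIS inode */
    if (pb.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &pb, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(__NR_landlock_restrict_self, ruleset, 0))
        return DEMO_SETUP_FAILED;
    int before = try_read(file);
    char c = 'x';
    (void)!write(to_parent, &c, 1);   /* "confined and read it once; replace the file now" */
    (void)!read(from_parent, &c, 1);  /* wait until the replacement is in place */
    int after = try_read(file);
    if (before != 0) return DEMO_UNEXPECTED;
    return after == 0 ? DEMO_SURVIVES_REPLACE : after == EACCES ? DEMO_BROKEN_BY_REPLACE : DEMO_UNEXPECTED;
}

/* Parent plays the unconfined cronjob. rule_on_dir=0: rule on the file inode; 1: rule on its directory. */
enum demo_result run_demo(int rule_on_dir) {
    char dir[] = "/tmp/landlock-hosts-XXXXXX", file[96], fresh[96], c;
    int c2p[2], p2c[2], status = -1;
    pid_t pid = -1;
    if (!mkdtemp(dir)) return DEMO_SETUP_FAILED;
    snprintf(file, sizeof file, "%s/hosts.deny", dir);
    snprintf(fresh, sizeof fresh, "%s/xxx", dir);
    /* constructed sample content: only the inode change matters here, not the text */
    if (write_file(file, "ALL: ALL\n") || write_file(fresh, "ALL: ALL EXCEPT 192.0.2.10\n") ||
        pipe(c2p) || pipe(p2c) || (pid = fork()) < 0) goto out;
    if (pid == 0) {
        close(c2p[0]); close(p2c[1]);
        _exit(restricted_child(file, dir, rule_on_dir, p2c[0], c2p[1]));
    }
    close(c2p[1]); close(p2c[0]);   /* keep only our pipe ends, or read() below could block forever */
    if (read(c2p[0], &c, 1) == 1) { /* child is confined and has read the original inode */
        rename(fresh, file);        /* == `mv xxx /etc/hosts.deny`: same path, new inode */
        (void)!write(p2c[1], &c, 1);
    }
    waitpid(pid, &status, 0);
    close(c2p[0]); close(p2c[1]);
out:
    unlink(file); unlink(fresh); rmdir(dir);
    return status >= 0 && WIFEXITED(status) ? (enum demo_result)WEXITSTATUS(status) : DEMO_SETUP_FAILED;
}

int main(void) {
    static const char *names[] = { "Landlock unavailable", "read fails with EACCES after replace",
                                   "read still works after replace", "unexpected", "setup failed" };
    printf("rule on file inode: %s\nrule on directory:  %s\n", names[run_demo(0)], names[run_demo(1)]);
    return 0;
}
```

Compile with `gcc -Wall -o landlock-demo landlock-demo.c` and run as an ordinary user. The first line reproduces the report: read works, `mv` replaces the inode, read fails with EACCES until the confined process is restarted and re-opens the path. The second line shows the placement that survives a replacement, which is also why an in-place rewrite of hosts.deny (same inode) would not have triggered the report, whereas `cp; chmod; mv` does.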