[sslh] Systemd configuration

Eamon Doyle eamon at cornercase.net
Tue Mar 27 21:27:00 UTC 2018


Hi all.  I’m trying to get sslh running on Debian 9.3 using the standard
Debian sslh package (sslh -V = sslh-fork 1.18-1) with systemd.  I can run
sslh just fine by issuing a terminal command to get it running but if I try
to start it with systemctl, it always fails and systemd gives me an exit
status of 213/SECUREBITS for the main process.  I’m really not sure what
I’m doing wrong.  If anyone can point me in the right direction, that would
be much appreciated.


My configs are as follows:

/etc/sslh/sslh.cfg

    verbose: true;
    foreground: true;
    inetd: false;
    numeric: false;
    transparent: false;
    timeout: "2";
    user: "sslh";
    #pidfile: "/var/run/sslh.pid";
    #chroot: "/var/empty";


    # Change hostname with your external address name.
    listen:
    (
        { host: "192.168.12.13"; port: "443"; }
    );

    protocols:
    (
    { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
    #{ name: "openvpn"; host: "localhost"; port: "1194"; },
    #{ name: "xmpp"; host: "localhost"; port: "5222"; },
    #{ name: "http"; host: "localhost"; port: "80"; },
    { name: "ssl"; host: "localhost"; port: "444"; log_level: 0; },
    );

/etc/default/sslh

    DAEMON_OPTS="--listen 192.168.12.13:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444"

/etc/systemd/system/sslh.service.d/override.conf

    [Service]
    # Replace the start command and make it use sslh-select
    ExecStart=
    ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS

    # Run sslh as a user and use capabilities to bind ports
    User=sslh
    # Systemd 229
    # AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
    # Systemd 228 and below
    SecureBits=keep-caps
    Capabilities=cap_net_bind_service,cap_net_admin+pie

    # Limit access
    PrivateTmp=true
    PrivateDevices=true
    ProtectSystem=full
    ProtectHome=true

    # Set routing rules automatically on script start
    PermissionsStartOnly=true

    # Check for mark 0x4155 (set by nftables) and forward packet to table 0x4155
    ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155
    ExecStopPost=/sbin/ip rule del fwmark 0x4155

    # Table 0x4155 to route all packets back to loopback interface
    ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155
    ExecStopPost=/sbin/ip route del table 0x4155

Output of systemctl status sslh.service

sslh.service - SSL/SSH multiplexer
   Loaded: loaded (/lib/systemd/system/sslh.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/sslh.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Tue 2018-03-27 16:17:44 CDT; 911ms ago
     Docs: man:sslh(8)
  Process: 15386 ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155 (code=exited, status=2)
  Process: 15385 ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155 (code=exited, status=0/SUCCESS)
 Main PID: 11239 (code=exited, status=213/SECUREBITS)

Mar 27 16:17:44 homedeb systemd[1]: Starting SSL/SSH multiplexer...
Mar 27 16:17:44 homedeb ip[15386]: RTNETLINK answers: File exists
Mar 27 16:17:44 homedeb systemd[1]: sslh.service: Control process exited, code=exited status=2
Mar 27 16:17:44 homedeb systemd[1]: Failed to start SSL/SSH multiplexer.
Mar 27 16:17:44 homedeb systemd[1]: sslh.service: Unit entered failed state.
Mar 27 16:17:44 homedeb systemd[1]: sslh.service: Failed with result 'exit-code'.
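Added example (editor's, not part of the message above or a reply from the list): the same drop-in written for the "Systemd 229" branch that the author's own comment leaves commented out. Debian 9 ships systemd 232, so `AmbientCapabilities=` is available; it grants the two capabilities to the `User=` process directly, which removes the need for the `SecureBits=keep-caps` / `Capabilities=` pair. The `ip` commands are prefixed with `-` so that a rule or route left behind by an earlier start (the `RTNETLINK answers: File exists`, `status=2` failure in the log) does not abort the unit. It assumes, as the original drop-in does, that the packaged unit sets `$DAEMON_OPTS` from `/etc/default/sslh`; the 0x4155 mark and table are the values from the original.

```ini
[Service]
# Clear the packaged ExecStart= before replacing it (an empty value resets the list)
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS

# Run unprivileged. On systemd 229 and later, AmbientCapabilities= hands the
# listed capabilities to the User= process, so SecureBits=/Capabilities= are
# not needed. The bounding set is pinned to the same two capabilities.
#   CAP_NET_BIND_SERVICE: bind port 443 as user sslh
#   CAP_NET_ADMIN: only needed for transparent proxying (IP_TRANSPARENT);
#                  remove it while sslh.cfg has transparent: false
User=sslh
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
NoNewPrivileges=true

# Limit filesystem and device access
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

# ExecStartPre=/ExecStopPost= keep running as root; only ExecStart= drops to User=
PermissionsStartOnly=true

# Leading "-": ignore a non-zero exit, so an already present rule or route
# ("RTNETLINK answers: File exists") does not fail the start.
# Mark 0x4155 is set by nftables; table 0x4155 routes marked packets back to lo.
ExecStartPre=-/sbin/ip rule add fwmark 0x4155 lookup 0x4155
ExecStartPre=-/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155
ExecStopPost=-/sbin/ip rule del fwmark 0x4155 lookup 0x4155
ExecStopPost=-/sbin/ip route flush table 0x4155
```

After `systemctl daemon-reload` and `systemctl restart sslh`, the effective capability set of the running daemon can be checked with `grep CapEff /proc/$(systemctl show -p MainPID --value sslh)/status` and decoded with `capsh --decode=<hex>`; only `cap_net_bind_service` (and `cap_net_admin`, if kept) should appear.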

