Package: sslh
Version: 2.1.4-1+b1
Severity: important
Tags: upstream

Dear maintainer,

I use sslh to have both HTTPS and SSH on one port.
I also monitor the network to detect suspicious requests and I use other 
services to regularly update my /etc/hosts.deny.
This file is owned by user/group root and uses 0644 as access rights:

-rw-r--r-- 1 root root 723080 Jun  2 08:57 /etc/hosts.deny

Since I upgraded to Trixie, sslh fails to perform its job due to:

   warning: cannot open /etc/hosts.deny: Permission denied

For now, I fixed it by adding the following /etc/apparmor.d/usr.sbin.sslh:

------------- 8< -------------------------------------------
#include <tunables/global>

profile named /usr/sbin/sslh flags=(attach_disconnected) {
  #include <abstractions/hosts>
}
------------- 8< -------------------------------------------

I think the same problem is documented upstream:

   https://github.com/yrutschle/sslh/issues/450

I assume the sslh package should either include a similar AppArmor config or 
(better) upgrade to an upstream version that fixes the bug.

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.90+deb13.1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sslh depends on:
ii  adduser              3.152
ii  debconf              1.5.91
ii  init-system-helpers  1.69~deb13u1
ii  libc6                2.41-12+deb13u3
ii  libcap2              1:2.75-10+deb13u1+b1
ii  libconfig11          1.7.3-2
ii  libev4t64            1:4.33-2.1+b1
ii  libpcre2-8-0         10.46-1~deb13u1
ii  libsystemd0          257.13-1~deb13u1
ii  libwrap0             7.6.q-36
ii  update-inetd         4.53

Versions of packages sslh recommends:
ii  apache2 [httpd]              2.4.67-1~deb13u2
ii  openssh-server [ssh-server]  1:10.0p1-7+deb13u4

Versions of packages sslh suggests:
ii  openbsd-inetd [inet-superserver]  0.20221205-3+b2

-- Configuration Files:
/etc/default/sslh changed:
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --pidfile /var/run/sslh/sslh.pid --config /etc/sslh/sslh.cfg"


-- debconf information:
* sslh/inetd_or_standalone: standalone
