Comments (14)
I think I solved this. You completely overlooked the blatantly commented "documentation" in the service file to begin with. Let's take a look at it again. Around the middle there are these lines.
## If you want Endlessh to bind on ports < 1024
## 1) run:
## setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
#AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
PrivateUsers=true
Well it blatantly tells us what to do right here. Edit the service with sudo nano /etc/systemd/system/endlessh.service. Uncomment the AmbientCapabilities line. Comment out the PrivateUsers line, save the file, and run setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh. Now we can set Port 22 in the sudo nano /etc/endlessh/config. Then restart the service sudo systemctl daemon-reload && sudo systemctl restart endlessh.service. Now when checking the status with sudo systemctl status endlessh.service it shows it's running fine.
from endlessh.
For anyone else running Debian wondering how to apply the directions above, I got it working after changing a few paths.
setcap 'cap_net_bind_service=+ep' /usr/bin/endlessh
sed -i 's|#AmbientCapabilities|AmbientCapabilities|g' /lib/systemd/system/endlessh.service
sed -i 's|PrivateUsers|#PrivateUsers|g' /lib/systemd/system/endlessh.service
systemctl daemon-reload
systemctl restart endlessh.service
systemctl status endlessh.service
The service unit location was throwing me off for a bit, but the changes above resulted in:
> systemctl status endlessh.service
● endlessh.service - Endlessh SSH Tarpit
Loaded: loaded (/lib/systemd/system/endlessh.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2022-04-02 16:32:39 PDT; 5s ago
Docs: man:endlessh(1)
Main PID: 2013 (endlessh)
Tasks: 1 (limit: 2340)
Memory: 184.0K
CPU: 25ms
CGroup: /system.slice/endlessh.service
└─2013 /usr/bin/endlessh
Apr 02 16:32:39 - systemd[1]: Started Endlessh SSH Tarpit.
from endlessh.
I found that I didn't need to run the setcap command to fix the issue. It seems a bit dirty and I'm not sure if it would also be overridden on package updates.
from endlessh.
Could this be caused by SELinux being active?
Maybe /usr/bin/endlessh needs the same SELinux security context as /usr/sbin/sshd?
from endlessh.
I think I found the reason but do not have a solution. I'm using Ubuntu thus there is no SELinux and the systemd service still won't start on any port < 1024.
systemctl edit endlessh.service
And adding
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
should do the trick but doesn't.
from endlessh.
After doing
echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
sysctl --system
and rebooting my system EndleSSH starts on boot on port 22.
from endlessh.
Can confirm, it worked using the instructions in the service file. Also didn't look into the service file 🙈
from endlessh.
I can confirm that the following comment by @Directory solved endlessh setup for me after installing the debian package.
That said, it would be nice if the default endlessh port was 22, not really much point in setting it as a non-default port IMHO. If this package could become a standard server security hardening method I think this could really serve as a deterrent to casual port scanning.
I think I solved this. You completely overlooked the blatantly commented "documentation" in the service file to begin with. Let's take a look at it again. Around the middle there are these lines.
## If you want Endlessh to bind on ports < 1024
## 1) run:
## setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
#AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
PrivateUsers=true
Well it blatantly tells us what to do right here. Edit the service with sudo nano /etc/systemd/system/endlessh.service. Uncomment the AmbientCapabilities line. Comment out the PrivateUsers line, save the file, and run setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh. Now we can set Port 22 in the sudo nano /etc/endlessh/config. Then restart the service sudo systemctl daemon-reload && sudo systemctl restart endlessh.service. Now when checking the status with sudo systemctl status endlessh.service it shows it's running fine.
from endlessh.
What is missing in the docs is that the daemon needs to be reloaded.
from endlessh.
I get this error
" Failed to set capabilities on file `/usr/local/bin/endlessh' (Invalid argument) The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file"
ubuntu server 20.04
from endlessh.
@Pickled-Aries-75 did you remember to run setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh? It's working on Ubuntu LTS for me following the doc above.
from endlessh.
@Mist-Hunter , don't edit the file in /lib. That file can be overwritten on package updates. Either use "systemctl edit" or copy the systemd unit file to /etc/systemd/system and edit the copy. Using systemctl edit you can create a "drop-in" file in /etc that overrides just the settings you want to change, so that changes in the distribution unit file will be picked up when you update and your overrides will be applied to the new unit file. https://flatcar-linux.org/docs/latest/setup/systemd/drop-in-units/
from endlessh.
With these instructions I made it work on Debian 11 on port 22:
- Run this command
setcap 'cap_net_bind_service=+ep' /usr/bin/endlessh
- Edit service
systemctl edit endlessh.service
Add these strings after ### Anything between here and the comment below will become the new contents of the file
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateUsers=false
Like this
### Editing /etc/systemd/system/endlessh.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateUsers=false
### Lines below this comment will be discarded
- Reload config
systemctl daemon-reload
- Finally trying to restart the service
systemctl restart endlessh.service && systemctl status endlessh.service
from endlessh.
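The unit-plus-drop-in combination discussed in the comments above can be checked before restarting the service. This is an added example, not code from the endlessh project or from any commenter; the function names `effective_setting` and `low_port_ok` are hypothetical, the sample files are constructed from the unit lines quoted in the thread, and the parser is simplified (no `~` capability lists, no line continuations).

```shell
#!/bin/sh
# Added example (not endlessh project code). Simplified unit parser:
# no "~" capability lists, no line continuations.

# effective_setting KEY FILE... : effective [Service] value of KEY,
# files read in order (unit first, then drop-ins).
effective_setting() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1 { in_service = 0 }
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        !in_service || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (key == "AmbientCapabilities") {
                # list setting: an empty value resets, others append
                val = (v == "") ? "" : ((val == "") ? v : (val " " v))
            } else {
                val = v    # scalar setting: last assignment wins
            }
        }
        END { print val }
    ' "$@"
}

# low_port_ok FILE... : prints "ok", or why a bind below 1024 would fail.
low_port_ok() {
    caps=$(effective_setting AmbientCapabilities "$@")
    priv=$(effective_setting PrivateUsers "$@")
    case " $caps " in
        *" CAP_NET_BIND_SERVICE "*) ;;
        *) echo "AmbientCapabilities lacks CAP_NET_BIND_SERVICE"; return 1 ;;
    esac
    case "$priv" in
        true|yes|on|1) echo "PrivateUsers is enabled"; return 1 ;;
    esac
    echo ok
}

# Constructed sample: the unit lines quoted in the thread, plus the drop-in.
demo_dir=$(mktemp -d)
printf '%s\n' '[Service]' '#AmbientCapabilities=CAP_NET_BIND_SERVICE' \
    'PrivateUsers=true' > "$demo_dir/endlessh.service"
printf '%s\n' '[Service]' 'AmbientCapabilities=CAP_NET_BIND_SERVICE' \
    'PrivateUsers=false' > "$demo_dir/override.conf"
low_port_ok "$demo_dir/endlessh.service" || true
low_port_ok "$demo_dir/endlessh.service" "$demo_dir/override.conf"
```

On a real host, pass the packaged unit followed by each file under `/etc/systemd/system/endlessh.service.d/` in the same order.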