
Comments (14)

Directory avatar Directory commented on August 15, 2024 22

I think I solved this. You completely overlooked the blatantly commented "documentation" in the service file to begin with. Let's take a look at it again. Around the middle there are these lines.

## If you want Endlessh to bind on ports < 1024
## 1) run:
##     setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
#AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
PrivateUsers=true

Well, it blatantly tells us what to do right here. Edit the service with sudo nano /etc/systemd/system/endlessh.service. Uncomment the AmbientCapabilities line. Comment out the PrivateUsers line, save the file, and run setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh. Now we can set Port 22 in the sudo nano /etc/endlessh/config. Then restart the service sudo systemctl daemon-reload && sudo systemctl restart endlessh.service. Now when checking the status with sudo systemctl status endlessh.service it shows it's running fine.


Mist-Hunter avatar Mist-Hunter commented on August 15, 2024 3

For anyone else running Debian wondering how to apply the directions above, I got it working after changing a few paths.

setcap 'cap_net_bind_service=+ep' /usr/bin/endlessh
sed -i 's|#AmbientCapabilities|AmbientCapabilities|g' /lib/systemd/system/endlessh.service
sed -i 's|PrivateUsers|#PrivateUsers|g' /lib/systemd/system/endlessh.service
systemctl daemon-reload
systemctl restart endlessh.service
systemctl status endlessh.service

The service unit location was throwing me off for a bit, but the changes above resulted in:

> systemctl status endlessh.service
● endlessh.service - Endlessh SSH Tarpit
     Loaded: loaded (/lib/systemd/system/endlessh.service; disabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-04-02 16:32:39 PDT; 5s ago
       Docs: man:endlessh(1)
   Main PID: 2013 (endlessh)
      Tasks: 1 (limit: 2340)
     Memory: 184.0K
        CPU: 25ms
     CGroup: /system.slice/endlessh.service
             └─2013 /usr/bin/endlessh

Apr 02 16:32:39 - systemd[1]: Started Endlessh SSH Tarpit.


mattfbacon avatar mattfbacon commented on August 15, 2024 1

I found that I didn't need to run the setcap command to fix the issue. It seems a bit dirty and I'm not sure if it would also be overridden on package updates.


skeeto avatar skeeto commented on August 15, 2024


smoeding avatar smoeding commented on August 15, 2024

Could this be caused by SELinux being active?
Maybe /usr/bin/endlessh needs the same SELinux security context as /usr/sbin/sshd?


ulfklose avatar ulfklose commented on August 15, 2024

I think I found the reason but do not have a solution. I'm using Ubuntu, thus there is no SELinux, and the systemd service still won't start on any port < 1024.

systemctl edit endlessh.service

And adding

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

should do the trick but doesn't.


ulfklose avatar ulfklose commented on August 15, 2024

After doing

echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
sysctl --system

and rebooting my system, EndleSSH starts on boot on port 22.


ekzyis avatar ekzyis commented on August 15, 2024

Can confirm, it worked using the instructions in the service file. Also didn't look into the service file 🙈


 avatar commented on August 15, 2024

I can confirm that the following comment by @Directory solved endlessh setup for me after installing the Debian package.

That said, it would be nice if the default endlessh port was 22, not really much point in setting it as a non-default port IMHO. If this package could become a standard server security hardening method I think this could really serve as a deterrent to casual port scanning.

I think I solved this. You completely overlooked the blatantly commented "documentation" in the service file to begin with. Let's take a look at it again. Around the middle there are these lines.

## If you want Endlessh to bind on ports < 1024
## 1) run:
##     setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
## 2) uncomment following line
#AmbientCapabilities=CAP_NET_BIND_SERVICE
## 3) comment following line
PrivateUsers=true

Well, it blatantly tells us what to do right here. Edit the service with sudo nano /etc/systemd/system/endlessh.service. Uncomment the AmbientCapabilities line. Comment out the PrivateUsers line, save the file, and run setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh. Now we can set Port 22 in the sudo nano /etc/endlessh/config. Then restart the service sudo systemctl daemon-reload && sudo systemctl restart endlessh.service. Now when checking the status with sudo systemctl status endlessh.service it shows it's running fine.


trallnag avatar trallnag commented on August 15, 2024

What is missing in the docs is that the daemon needs to be reloaded.


Pickled-Aries-75 avatar Pickled-Aries-75 commented on August 15, 2024

I get this error:
" Failed to set capabilities on file `/usr/local/bin/endlessh' (Invalid argument) The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file"
Ubuntu Server 20.04


jpettitt avatar jpettitt commented on August 15, 2024

@Pickled-Aries-75 did you remember to run setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh? It's working on Ubuntu LTS for me following the doc above.


SpareSimian avatar SpareSimian commented on August 15, 2024

@Mist-Hunter, don't edit the file in /lib. That file can be overwritten on package updates. Either use "systemctl edit" or copy the systemd unit file to /etc/systemd/system and edit the copy. Using systemctl edit you can create a "drop-in" file in /etc that overrides just the settings you want to change, so that changes in the distribution unit file will be picked up when you update and your overrides will be applied to the new unit file. https://flatcar-linux.org/docs/latest/setup/systemd/drop-in-units/


Frew777 avatar Frew777 commented on August 15, 2024

With these instructions I got it working on Debian 11 on port 22:

  1. Run this command
    setcap 'cap_net_bind_service=+ep' /usr/bin/endlessh
  2. Edit service
    systemctl edit endlessh.service
    Add these strings after ### Anything between here and the comment below will become the new contents of the file
    [Service]
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    PrivateUsers=false

    Like this

    ### Editing /etc/systemd/system/endlessh.service.d/override.conf
    ### Anything between here and the comment below will become the new contents of the file

    [Service]
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    PrivateUsers=false

    ### Lines below this comment will be discarded
  3. Reload config
    systemctl daemon-reload
  4. Finally trying to restart the service
    systemctl restart endlessh.service && systemctl status endlessh.service

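The difference between the two drop-ins posted in this thread (AmbientCapabilities alone, and AmbientCapabilities together with PrivateUsers=false), as an added example that is not part of any comment or of the endlessh project: while PrivateUsers stays enabled, systemd runs the service in its own user namespace and the granted capability counts only inside that namespace, so the check below merges a unit with its drop-ins the way systemd treats these two keys and reports the result. The unit text and file names are constructed samples, and merged_settings, low_port_verdict and write_samples are hypothetical helper names.

```bash
# Added example: effective PrivateUsers / AmbientCapabilities after drop-ins.
# Sample unit text below is constructed, modelled on the lines quoted in the thread.
merged_settings() {  # usage: merged_settings UNIT [DROPIN...]
  awk '
    FNR == 1 { in_service = 0 }                  # each file starts outside any section
    /^[ \t]*[#;]/ { next }                       # commented-out settings do not count
    /^[ \t]*\[/ { in_service = ($0 ~ /\[Service\]/); next }
    !in_service || index($0, "=") == 0 { next }
    {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "PrivateUsers") private = val   # single value: last assignment wins
      else if (key == "AmbientCapabilities") {
        if (val == "") ambient = ""              # empty assignment resets the list
        else ambient = ambient " " val           # otherwise the sets are merged
      }
    }
    END {
      if (private == "") private = "false"       # systemd default is off
      printf "PrivateUsers=%s\nAmbientCapabilities=%s\n", private, ambient
    }
  ' "$@"
}

low_port_verdict() {  # usage: low_port_verdict UNIT [DROPIN...]
  local s; s=$(merged_settings "$@")
  if ! printf '%s\n' "$s" | grep -q '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE'; then
    echo "no-capability"
  elif ! printf '%s\n' "$s" | grep -Eq '^PrivateUsers=(false|no|off|0)$'; then
    echo "capability-only-inside-user-namespace"
  else
    echo "ok"
  fi
}

write_samples() {  # usage: write_samples DIR  (constructed sample files)
  printf '%s\n' '[Service]' 'ExecStart=/usr/bin/endlessh' \
    '#AmbientCapabilities=CAP_NET_BIND_SERVICE' 'PrivateUsers=true' > "$1/endlessh.service"
  printf '%s\n' '[Service]' 'AmbientCapabilities=CAP_NET_BIND_SERVICE' > "$1/cap-only.conf"
  printf '%s\n' '[Service]' 'AmbientCapabilities=CAP_NET_BIND_SERVICE' \
    'PrivateUsers=false' > "$1/cap-and-users.conf"
}

demo=$(mktemp -d); write_samples "$demo"
for d in cap-only.conf cap-and-users.conf; do
  echo "$d: $(low_port_verdict "$demo/endlessh.service" "$demo/$d")"
done
rm -rf "$demo"
```

On a live host the same two values can be read back with `systemctl show -p PrivateUsers -p AmbientCapabilities endlessh.service` after `systemctl daemon-reload`.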
