proxy issues (https://gitlab.nic.cz/haas/proxy/-/issues), 2022-01-20T22:53:22+01:00

Issue #19: Can't connect to proxy
https://gitlab.nic.cz/haas/proxy/-/issues/19
Martin Prudek, 2022-01-20T22:53:22+01:00

The proxy replies to a connection request with `ssh_exchange_identification: Connection closed by remote host`, while the following line appears in the log:
```
haas-proxy-start[5351]: 2020-08-06T15:40:57 CRITICAL twisted 'channel open failed, direct-tcpip is not allowed'
```
Unfortunately I was not yet able to reproduce the bug on a different device.

Issue #11: HP disclosure - "Connection to haas-app.nic.cz closed."
https://gitlab.nic.cz/haas/proxy/-/issues/11
Martin Kunc, 2019-03-11T17:04:26+01:00

When closing the connection to the proxy (attacker's view), the connection spits out "Connection to haas-app.nic.cz closed."
![Screenshot_from_2019-01-02_10-28-44](/uploads/e2b3e4ac95c714680057c83d4f96c754/Screenshot_from_2019-01-02_10-28-44.png)

Issue #17: finish publishing version 2.0
https://gitlab.nic.cz/haas/proxy/-/issues/17
Štěpán Henek, 2023-09-22T12:02:44+02:00

* [ ] pypi.org
* [ ] official cznic repos (fedora, suse, ubuntu)
* [ ] update the web pages (release + include the logging changes)

Might be a good idea to ask the guys from the knot team what their workflow is and whether we could unite the effort.
See https://www.knot-resolver.cz/download/

Issue #15: SSH Crypto issues on CentOS 8
https://gitlab.nic.cz/haas/proxy/-/issues/15
fuero, 2020-04-19T15:51:36+02:00

I've tried this on CentOS 8.
```bash
# cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)
```
I've used this RPM (`python-haas_proxy.spec`) to compile and install:
```spec
%global srcname haas_proxy
Name: python-%{srcname}
Version: 1.9
Release: 1%{?dist}
Summary: Redirects SSH traffic to Honeypot as a Service (HaaS) by cz.nic
License: GPLv3
URL: https://gitlab.labs.nic.cz/haas/proxy
Source0: %{url}/-/archive/master/proxy-master.tar.gz
Source1: %{srcname}.service
Source2: %{srcname}.sysconfig
BuildArch: noarch
BuildRequires: systemd
%description
%summary
%package -n python3-%{srcname}
Summary: %{summary}
BuildRequires: python3-devel
BuildRequires: %{py3_dist bcrypt}
BuildRequires: %{py3_dist cffi}
BuildRequires: %{py3_dist pyOpenSSL}
BuildRequires: %{py3_dist pytest}
BuildRequires: %{py3_dist twisted}
BuildRequires: %{py3_dist cachetools}
Requires: %{py3_dist bcrypt}
Requires: %{py3_dist cffi}
Requires: %{py3_dist pyOpenSSL}
Requires: %{py3_dist pytest}
Requires: %{py3_dist twisted}
Requires: %{py3_dist cachetools}
%{?python_provide:%python_provide python3-%{srcname}}
%description -n python3-%{srcname}
%summary - python3 version
%prep
%autosetup -n proxy-master
%build
%py3_build
%install
%py3_install
install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/python3-%{srcname}.service
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/python3-%{srcname}
%check
python3 -m pytest test_haas_proxy.py
%files -n python3-%{srcname}
%license LICENSE
%doc README.md CHANGELOG.txt
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}/
%{_unitdir}/python3-%{srcname}.service
%{_sysconfdir}/sysconfig/python3-%{srcname}
%changelog
* Sun Apr 19 2020 fuero - 1.9-1
- initial packaging
```
haas_proxy.systemd:
```ini
[Unit]
Description=HaaS proxy daemon for SSH, python3
After=syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/python3-haas_proxy
ExecStart=/usr/bin/python3 -m haas_proxy --nodaemon haas_proxy --device-token $DEVICE_TOKEN
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
```
haas_proxy.sysconfig:
```sh
DEVICE_TOKEN=<your_device_token>
```
When connecting to it, I get this:
```
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] Unable to write to plugin cache /usr/lib/python3.6/site-packages/haas_proxy/twisted/plugins/dropin.cache: error number 30
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.10.0 (/usr/bin/python3 3.6.8) starting up.
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] ProxySSHFactory starting on 2222
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [haas_proxy.proxy.ProxySSHFactory#info] Starting factory <haas_proxy.proxy.ProxySSHFactory object at 0x7f85760ce438>
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [haas_proxy.proxy.ProxySSHFactory] disabling non-fixed-group key exchange algorithms because we cannot find moduli file
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] kex alg, key alg: b'ecdh-sha2-nistp256' b'ssh-rsa'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] outgoing: b'aes256-ctr' b'hmac-sha2-256' b'none'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] incoming: b'aes256-ctr' b'hmac-sha2-256' b'none'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] Unhandled Error
Apr 19 15:33:42 router python3[23278]: Traceback (most recent call last):
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/python/log.py", line 103, in callWithLogger
Apr 19 15:33:42 router python3[23278]:     return callWithContext({"system": lp}, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/python/log.py", line 86, in callWithContext
Apr 19 15:33:42 router python3[23278]:     return context.call({ILogContext: newCtx}, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/python/context.py", line 122, in callWithContext
Apr 19 15:33:42 router python3[23278]:     return self.currentContext().callWithContext(ctx, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/python/context.py", line 85, in callWithContext
Apr 19 15:33:42 router python3[23278]:     return func(*args,**kw)
Apr 19 15:33:42 router python3[23278]:   --- <exception caught here> ---
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
Apr 19 15:33:42 router python3[23278]:     why = selectable.doRead()
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/internet/tcp.py", line 243, in doRead
Apr 19 15:33:42 router python3[23278]:     return self._dataReceived(data)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
Apr 19 15:33:42 router python3[23278]:     rval = self.protocol.dataReceived(data)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 703, in dataReceived
Apr 19 15:33:42 router python3[23278]:     self.dispatchMessage(messageNum, packet[1:])
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 721, in dispatchMessage
Apr 19 15:33:42 router python3[23278]:     f(payload)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1405, in ssh_KEX_DH_GEX_REQUEST_OLD
Apr 19 15:33:42 router python3[23278]:     return self._ssh_KEX_ECDH_INIT(packet)
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1300, in _ssh_KEX_ECDH_INIT
Apr 19 15:33:42 router python3[23278]:     serialization.Encoding.X962,
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/enum.py", line 326, in __getattr__
Apr 19 15:33:42 router python3[23278]:     raise AttributeError(name) from None
Apr 19 15:33:42 router python3[23278]: builtins.AttributeError: X962
Apr 19 15:33:42 router python3[23278]:
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] connection lost
```
Seems to me it has problems with `sshd`'s crypto settings on CentOS 8.
Here's how `sshd` is invoked (due to crypto-policies, DEFAULT profile):
```
/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
```

Issue #10: High CPU usage while proxy running
https://gitlab.nic.cz/haas/proxy/-/issues/10
Michal Mladek, 2019-01-31T15:12:24+01:00

Users complain about high CPU usage, see [here](https://forum.turris.cz/t/haas-proxy-90-cpu-usage-kresd-errors/6472).

The proxy is built upon the Twisted framework, which uses the paramiko SSH library. I found a wrong feature (not a bug) in the library, see [here](https://github.com/paramiko/paramiko/issues/183) and [here](https://github.com/paramiko/paramiko/issues/191).

Michal Hrušecký found a hotfix with cgroups [here](https://gitlab.labs.nic.cz/turris/turris-os-packages/commit/e47e6e5777ea3d1892d6e0dc8d115d5c9b1c2423) and [there](https://gitlab.labs.nic.cz/turris/turris-os-packages/commit/d9be148119d0693725e6107eb8f4af8b36ccab49).

Try to find a solution instead of the hotfix. It may lie in migrating the proxy to Python 3.

When it is fixed, close this issue...

Issue #3: PermissionError on closing connection
https://gitlab.nic.cz/haas/proxy/-/issues/3
Michal Čihař, 2018-01-16T14:16:48+01:00

I have no clue how to reproduce this, but it happens once in a while on my server:
```
2018-01-16T12:20:35+0100 [SSHChannel session (0) on SSHService b'ssh-connection' on SSHServerTransport,4,195.22.127.83] Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/twisted/internet/tcp.py", line 292, in connectionLost
    protocol.connectionLost(reason)
  File "/usr/lib/python3/dist-packages/twisted/conch/ssh/transport.py", line 513, in connectionLost
    self.service.serviceStopped()
  File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 66, in serviceStopped
    self.channelClosed(channel)
  File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 608, in channelClosed
    log.callWithLogger(channel, channel.closed)
  --- <exception caught here> ---
  File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 103, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 86, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python3/dist-packages/twisted/conch/ssh/session.py", line 129, in closed
    self.session.closed()
  File "/usr/lib/python3/dist-packages/twisted/conch/unix.py", line 311, in closed
    os.chown(self.ptyTuple[2], 0, ttyGID)
builtins.PermissionError: [Errno 1] Operation not permitted: '/dev/pts/8'
```
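Three of the reports above (#19, #15 and #3) are Twisted Conch log excerpts in three different prefix styles: the Turris `haas-proxy-start[pid]:` wrapper, journald's `Apr 19 15:33:42 router python3[23278]:` prefix, and bare Twisted lines. The helper below is an added example, not code from the haas/proxy project or from any of the reporters: it normalises those prefixes, stitches each `Unhandled Error` header to the traceback that follows it, and tags the recognised signatures. The rule table and the causes it attaches are this example's own reading of the tracebacks (direct-tcpip is the SSH channel type for client-requested TCP forwarding, `serialization.Encoding.X962` first appeared in cryptography 2.5, errno 30 is EROFS, chown of a pty to uid 0 needs CAP_CHOWN); none of the reporters state them. The sample log is constructed from the lines posted in those issues, with the tracebacks cut down to the frames that matter.

```python
"""Triage helper for haas-proxy / Twisted Conch log excerpts (added example, not
project code): stitch "Unhandled Error" headers to tracebacks and tag known signatures."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Optional prefixes: journald ("Apr 19 15:33:42 router python3[23278]: ") or Turris ("haas-proxy-start[5351]: ").
_PREFIX = re.compile(r"^(?:[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ?|haas-proxy-start\[\d+\]: )")
# Twisted's own format: "<ISO timestamp> [<system>] <message>" (the Turris CRITICAL line has no [system]).
_TWISTED = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:[+-]\d{4})?) (?:\[(?P<system>[^\]]*)\] )?(?P<msg>.*)$")
_PEER = re.compile(r"SSHServerTransport,\d+,([0-9A-Fa-f.:]+)$")  # peer is the last field of "...,<n>,<addr>"
_PYEXC = re.compile(r"^[\w.]*(?:Error|Exception)\b")  # final traceback line, e.g. "builtins.AttributeError: X962"

# (pattern over a message or exception line, tag, cause); causes are this example's reading, not the reporters'.
RULES = [
    (re.compile(r"direct-tcpip is not allowed"), "port-forward-rejected",
     "client opened a direct-tcpip channel (TCP forwarding, RFC 4254 s7.2); the proxy refused it"),
    (re.compile(r"Unable to write to plugin cache .*error number 30$"), "plugin-cache-readonly",
     "errno 30 is EROFS: site-packages is read-only (ProtectSystem=full does that); harmless"),
    (re.compile(r"disabling non-fixed-group key exchange algorithms"), "gex-disabled",
     "no moduli file, so diffie-hellman-group-exchange-* is dropped; fixed-group DH and ECDH remain"),
    (re.compile(r"AttributeError: X962$"), "cryptography-too-old",
     "serialization.Encoding.X962 missing: cryptography predates 2.5, needed for ecdh-sha2-* kex"),
    (re.compile(r"PermissionError: \[Errno 1\] .*'/dev/pts/\d+'$"), "no-cap-chown",
     "os.chown() of the pty to uid 0 failed; that needs CAP_CHOWN, so the proxy is not root"),
]

@dataclass
class Finding:
    kind: str
    when: Optional[str]
    peer: Optional[str]
    evidence: str
    cause: str

def classify(text: str) -> Optional[Tuple[str, str]]:
    """Return (tag, cause) of the first matching rule, or None."""
    for pattern, tag, cause in RULES:
        if pattern.search(text):
            return tag, cause
    return None

def triage(log: str) -> List[Finding]:
    """Walk a log excerpt and return one Finding per recognised event, in log order."""
    findings: List[Finding] = []
    pending = None  # (when, peer, traceback lines) while inside an "Unhandled Error"

    def flush() -> None:
        nonlocal pending
        if pending is None:
            return
        when, peer, body = pending
        pending = None
        exc = next((ln for ln in reversed(body) if _PYEXC.match(ln)), None)  # last "pkg.SomeError: ..." line
        if exc is not None:
            tag, cause = classify(exc) or ("unclassified", "no rule matched; read the traceback by hand")
            findings.append(Finding(tag, when, peer, exc, cause))

    for raw in log.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = _TWISTED.match(line)
        if m is None:
            if pending is not None:  # traceback body under an "Unhandled Error"
                pending[2].append(line)
            continue
        flush()  # any timestamped line ends an open traceback
        when, system, msg = m.group("ts"), m.group("system") or "", m.group("msg")
        peer = pm.group(1) if (pm := _PEER.search(system)) else None
        if msg == "Unhandled Error":
            pending = (when, peer, [])
            continue
        hit = classify(msg)
        if hit is not None:
            findings.append(Finding(hit[0], when, peer, msg, hit[1]))
    flush()
    return findings

# Constructed sample: lines copied from issues #19, #15 and #3 above, tracebacks cut to the frames that matter.
SAMPLE_LOG = """\
haas-proxy-start[5351]: 2020-08-06T15:40:57 CRITICAL twisted 'channel open failed, direct-tcpip is not allowed'
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] Unable to write to plugin cache /usr/lib/python3.6/site-packages/haas_proxy/twisted/plugins/dropin.cache: error number 30
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [haas_proxy.proxy.ProxySSHFactory] disabling non-fixed-group key exchange algorithms because we cannot find moduli file
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] Unhandled Error
Apr 19 15:33:42 router python3[23278]: Traceback (most recent call last):
Apr 19 15:33:42 router python3[23278]:   File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1300, in _ssh_KEX_ECDH_INIT
Apr 19 15:33:42 router python3[23278]:     serialization.Encoding.X962,
Apr 19 15:33:42 router python3[23278]: builtins.AttributeError: X962
Apr 19 15:33:42 router python3[23278]:
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] connection lost
2018-01-16T12:20:35+0100 [SSHChannel session (0) on SSHService b'ssh-connection' on SSHServerTransport,4,195.22.127.83] Unhandled Error
  File "/usr/lib/python3/dist-packages/twisted/conch/unix.py", line 311, in closed
    os.chown(self.ptyTuple[2], 0, ttyGID)
builtins.PermissionError: [Errno 1] Operation not permitted: '/dev/pts/8'
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

To scan a real box, hand `triage()` the text of `journalctl -u <unit> --no-pager` (with the spec above the unit would be `python3-haas_proxy`) instead of `SAMPLE_LOG`; a line that hits none of the rules is skipped, and an `Unhandled Error` whose exception matches nothing is reported as `unclassified` with the raw exception line as evidence, so new failure modes are not silently dropped.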