proxy issues
https://gitlab.nic.cz/haas/proxy/-/issues
2023-09-22T12:02:44+02:00

finish publishing version 2.0
https://gitlab.nic.cz/haas/proxy/-/issues/17
2023-09-22T12:02:44+02:00
Štěpán Henek

* [ ] pypi.org
* [ ] official cznic repos (fedora, suse, ubuntu)
* [ ] update the web pages (release + include the logging changes)
Might be a good idea to ask guys from knot team what is their workflow and whether we could unite the effort.
see https://www.knot-resolver.cz/download/

Haas-proxy not closing connections
https://gitlab.nic.cz/haas/proxy/-/issues/20
2022-01-20T23:38:59+01:00
caffeine

1. Haas-proxy doesn’t close connections and the list grows over time until the service is restarted/stopped. Please see the screenshot below from the cmd "netstat -atn|grep 2525".
Reported the issue at Turris forums:
https://forum.turris.cz/t/haas-proxy-not-closing-connections/16446
2. Another point is that I am still getting attacks from the same IPs, even ones which are already in the ipset. The firewall rule is configured to drop them but still seems to allow them to connect to the SSH honeypot. Is this expected behavior?
```
-A zone_wan_forward -m set --match-set turris-sn-dynfw-block src -m conntrack --ctstate NEW -m comment --comment "!sentinel: dynamic firewall block" -j zone_wan_src_DROP
-A zone_wan_input -m set --match-set turris-sn-dynfw-block src -m mark ! --mark 0x10/0x10 -m conntrack --ctstate NEW -m comment --comment "!sentinel: dynamic firewall block" -j zone_wan_src_DROP
```
![Screenshot_2022-01-05_00-58-38-2](/uploads/23ee193693323151863a1ce1e0e6edb0/Screenshot_2022-01-05_00-58-38-2.png)
Karel Koci

Cant connect to proxy
https://gitlab.nic.cz/haas/proxy/-/issues/19
2022-01-20T22:53:22+01:00
Martin Prudek

The proxy replies to the connection request with `ssh_exchange_identification: Connection closed by remote host` while the following line appears in the log:
```
haas-proxy-start[5351]: 2020-08-06T15:40:57 CRITICAL twisted 'channel open failed, direct-tcpip is not allowed'
```
Unfortunately I was not yet able to reproduce the bug on a different device.

HaaS doesn't log with the NCM/QMI (WAN protocols).
https://gitlab.nic.cz/haas/proxy/-/issues/13
2021-07-26T18:15:32+02:00
Orest Worhacz

Generally the problem is related to this: https://gitlab.labs.nic.cz/turris/foris/issues/115 and this: https://github.com/openwrt/luci/pull/1683 .
Here I am going to describe more of a proposition of workaround for `/etc/init.d/haas-proxy` to work with the NCM protocol out of the box. And make HaaS log on the website. *It should work also for the QMI.*
In general HaaS is trying to get the external IP from the interface wan by setting the variable `WAN_IP`. But with the protocols mentioned there are two virtual interfaces created on connection `wan_4` and `wan_6` (for the IPv4 and IPv6 respectively). And haas-proxy should check first if the protocol used is not NCM or QMI and if so then look for the IP not on the `wan` interface (since there is no IP there) but on the `wan_4` or `wan_6` virtual interface.
I know some bash and if I have time I am going to try to make a workaround for that. But a skilled programmer should do that in a minute or two.
PROPOSITION OF SOLUTION:
* [1] The bug appears in line 15 of /etc/init.d/haas-proxy => WAN_IP returns nothing.
* [2] There should be one more function there checking the protocol.
* [3] And if the protocol is affected, then changing the beginning of the WAN_IP call to `ubus call network.interface.wan_4` or `ubus call network.interface.wan_6` respectively. (I don't know how haas-proxy is handling IPv6)
MY WORKAROUND:
I just hardcoded `network.interface.wan_4` in `WAN_IP` but it might break if there is any future update to haas-proxy.

Unhandled Error - builtins.KeyError: 0
https://gitlab.nic.cz/haas/proxy/-/issues/16
2020-07-08T10:09:39+02:00
Josef Schlehofer

Using version 1.9 of haas-proxy. I noticed in logs:
```
Jun 22 19:41:50 turris haas-proxy-start[4407]: 2020-06-22T21:41:50+0200 [SSHService b'ssh-connection' on SSHServerTransport,2448,212.36.91.156] Unhandled Error
Jun 22 19:41:50 turris haas-proxy-start[4407]: Traceback (most recent call last):
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/internet/tcp.py", line 243, in doRead
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/transport.py", line 703, in dataReceived
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/transport.py", line 728, in dispatchMessage
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: --- <exception caught here> ---
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/log.py", line 103, in callWithLogger
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/log.py", line 86, in callWithContext
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/context.py", line 122, in callWithContext
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/context.py", line 85, in callWithContext
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/service.py", line 45, in packetReceived
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/connection.py", line 295, in ssh_CHANNEL_EOF
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: builtins.KeyError: 0
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: 2020-06-22T21:41:50+0200 [SSHService b'ssh-connection' on SSHServerTransport,2448,212.36.91.156] Unhandled Error
Jun 22 19:41:50 turris haas-proxy-start[4407]: Traceback (most recent call last):
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/internet/tcp.py", line 243, in doRead
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/transport.py", line 703, in dataReceived
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/transport.py", line 728, in dispatchMessage
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: --- <exception caught here> ---
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/log.py", line 103, in callWithLogger
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/log.py", line 86, in callWithContext
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/context.py", line 122, in callWithContext
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/python/context.py", line 85, in callWithContext
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/service.py", line 45, in packetReceived
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: File "/usr/lib/python3.7/site-packages/twisted/conch/ssh/connection.py", line 308, in ssh_CHANNEL_CLOSE
Jun 22 19:41:50 turris haas-proxy-start[4407]:
Jun 22 19:41:50 turris haas-proxy-start[4407]: builtins.KeyError: 0
```
Štěpán Henek

SSH Crypto issues on CentOS 8
https://gitlab.nic.cz/haas/proxy/-/issues/15
2020-04-19T15:51:36+02:00
fuero

I've tried this on CentOS 8.
```bash
# cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)
```
I've used this RPM (`python-haas_proxy.spec`) to compile and install:
```spec
%global srcname haas_proxy
Name: python-%{srcname}
Version: 1.9
Release: 1%{?dist}
Summary: Redirects SSH traffic to Honeypot as a Service (HaaS) by cz.nic
License: GPLv3
URL: https://gitlab.labs.nic.cz/haas/proxy
Source0: %{url}/-/archive/master/proxy-master.tar.gz
Source1: %{srcname}.service
Source2: %{srcname}.sysconfig
BuildArch: noarch
BuildRequires: systemd
%description
%summary
%package -n python3-%{srcname}
Summary: %{summary}
BuildRequires: python3-devel
BuildRequires: %{py3_dist bcrypt}
BuildRequires: %{py3_dist cffi}
BuildRequires: %{py3_dist pyOpenSSL}
BuildRequires: %{py3_dist pytest}
BuildRequires: %{py3_dist twisted}
BuildRequires: %{py3_dist cachetools}
Requires: %{py3_dist bcrypt}
Requires: %{py3_dist cffi}
Requires: %{py3_dist pyOpenSSL}
Requires: %{py3_dist pytest}
Requires: %{py3_dist twisted}
Requires: %{py3_dist cachetools}
%{?python_provide:%python_provide python3-%{srcname}}
%description -n python3-%{srcname}
%summary - python3 version
%prep
%autosetup -n proxy-master
%build
%py3_build
%install
%py3_install
install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/python3-%{srcname}.service
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/python3-%{srcname}
%check
python3 -m pytest test_haas_proxy.py
%files -n python3-%{srcname}
%license LICENSE
%doc README.md CHANGELOG.txt
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}/
%{_unitdir}/python3-%{srcname}.service
%{_sysconfdir}/sysconfig/python3-%{srcname}
%changelog
* Sun Apr 19 2020 fuero - 1.9-1
- initial packaging
```
haas_proxy.systemd
```
[Unit]
Description=HaaS proxy daemon for SSH, python3
After=syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/python3-haas_proxy
ExecStart=/usr/bin/python3 -m haas_proxy --nodaemon haas_proxy --device-token $DEVICE_TOKEN
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
```
haas_proxy.sysconfig
```
DEVICE_TOKEN=<your_device_token>
```
When connecting to it, I get this:
```
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] Unable to write to plugin cache /usr/lib/python3.6/site-packages/haas_proxy/twisted/plugins/dropin.cache: error number 30
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.10.0 (/usr/bin/python3 3.6.8) starting up.
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [-] ProxySSHFactory starting on 2222
Apr 19 15:33:05 router python3[23278]: 2020-04-19T15:33:05+0200 [haas_proxy.proxy.ProxySSHFactory#info] Starting factory <haas_proxy.proxy.ProxySSHFactory object at 0x7f85760ce438>
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [haas_proxy.proxy.ProxySSHFactory] disabling non-fixed-group key exchange algorithms because we cannot find moduli file
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] kex alg, key alg: b'ecdh-sha2-nistp256' b'ssh-rsa'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] outgoing: b'aes256-ctr' b'hmac-sha2-256' b'none'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] incoming: b'aes256-ctr' b'hmac-sha2-256' b'none'
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] Unhandled Error
Apr 19 15:33:42 router python3[23278]: Traceback (most recent call last):
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/log.py", line 103, in callWithLogger
Apr 19 15:33:42 router python3[23278]: return callWithContext({"system": lp}, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/log.py", line 86, in callWithContext
Apr 19 15:33:42 router python3[23278]: return context.call({ILogContext: newCtx}, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/context.py", line 122, in callWithContext
Apr 19 15:33:42 router python3[23278]: return self.currentContext().callWithContext(ctx, func, *args, **kw)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/python/context.py", line 85, in callWithContext
Apr 19 15:33:42 router python3[23278]: return func(*args,**kw)
Apr 19 15:33:42 router python3[23278]: --- <exception caught here> ---
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
Apr 19 15:33:42 router python3[23278]: why = selectable.doRead()
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/internet/tcp.py", line 243, in doRead
Apr 19 15:33:42 router python3[23278]: return self._dataReceived(data)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/internet/tcp.py", line 249, in _dataReceived
Apr 19 15:33:42 router python3[23278]: rval = self.protocol.dataReceived(data)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 703, in dataReceived
Apr 19 15:33:42 router python3[23278]: self.dispatchMessage(messageNum, packet[1:])
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 721, in dispatchMessage
Apr 19 15:33:42 router python3[23278]: f(payload)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1405, in ssh_KEX_DH_GEX_REQUEST_OLD
Apr 19 15:33:42 router python3[23278]: return self._ssh_KEX_ECDH_INIT(packet)
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/site-packages/twisted/conch/ssh/transport.py", line 1300, in _ssh_KEX_ECDH_INIT
Apr 19 15:33:42 router python3[23278]: serialization.Encoding.X962,
Apr 19 15:33:42 router python3[23278]: File "/usr/lib64/python3.6/enum.py", line 326, in __getattr__
Apr 19 15:33:42 router python3[23278]: raise AttributeError(name) from None
Apr 19 15:33:42 router python3[23278]: builtins.AttributeError: X962
Apr 19 15:33:42 router python3[23278]:
Apr 19 15:33:42 router python3[23278]: 2020-04-19T15:33:42+0200 [SSHServerTransport,0,127.0.0.1] connection lost
```
Seems to me it has problems with `sshd`'s crypto settings on CentOS 8.
Here's how `sshd` is invoked (due to crypto-policies, DEFAULT profile):
```
/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
```

provide ipv6 socket
https://gitlab.nic.cz/haas/proxy/-/issues/12
2020-01-20T21:11:29+01:00
Ghost User

currently HP listens on an ipv4 socket but not ipv6 and thus agents probing over ipv6 are not caught

HP disclosure - "Connection to haas-app.nic.cz closed."
https://gitlab.nic.cz/haas/proxy/-/issues/11
2019-03-11T17:04:26+01:00
Martin Kunc

When closing connection to proxy (attackers view) connection spits out "Connection to haas-app.nic.cz closed."
![Screenshot_from_2019-01-02_10-28-44](/uploads/e2b3e4ac95c714680057c83d4f96c754/Screenshot_from_2019-01-02_10-28-44.png)

High CPU usage while proxy running
https://gitlab.nic.cz/haas/proxy/-/issues/10
2019-01-31T15:12:24+01:00
Michal Mladek

Users complain about high CPU usage, see [here](https://forum.turris.cz/t/haas-proxy-90-cpu-usage-kresd-errors/6472).
Proxy is built upon the Twisted framework, which uses the SSH paramiko library. I found a wrong feature (not a bug) in the library, see [here](https://github.com/paramiko/paramiko/issues/183) and [here](https://github.com/paramiko/paramiko/issues/191).
Michal Hrušecký found a hotfix with CGROUPS [here](https://gitlab.labs.nic.cz/turris/turris-os-packages/commit/e47e6e5777ea3d1892d6e0dc8d115d5c9b1c2423) and [there](https://gitlab.labs.nic.cz/turris/turris-os-packages/commit/d9be148119d0693725e6107eb8f4af8b36ccab49).
Try to find a solution instead of a hotfix. It maybe lies in migrating the proxy to python3.
When it fixes close this issue...
Michal Mladek

Open channel - too many values to unpack
https://gitlab.nic.cz/haas/proxy/-/issues/8
2018-07-18T10:15:30+02:00
Michal Horejsek

```
CRITICAL:twisted:Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/twisted/internet/tcp.py", line
208, in do Read
return self._dataReceived(data)
File "/usr/lib/python3/dist-packages/twisted/internet/tcp.py", line
214, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/transport.py",
line 727, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/transport.py",
line 752, in dispatchMessage messageNum, payload)
--- <exception caught here> ---
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line
103, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 86,
in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line
118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args,
**kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line
81, in callWithContext return func(*args,**kw)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/service.py",
line 45, in packetReceived
return f(packet)
File "/usr/lib/python3/dist-packages/haas_proxy/proxy.py", line 55,
in ssh_CHANNEL_OPEN
senderChannel, _ = struct.unpack('>3L', rest[:12])
builtins.ValueError: too many values to unpack (expected 2)
```

Exception filling logs
https://gitlab.nic.cz/haas/proxy/-/issues/9
2018-07-18T10:15:20+02:00
Michal Čihař

Today I've noticed that haas log has several gigabytes (I rotate it daily) and it's filled with following errors:
```
2018-04-25T05:35:02+0200 [SSHService b'ssh-connection' on SSHServerTransport,1412,201.217.144.106] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/twisted/internet/tcp.py", line 208, in doRead
return self._dataReceived(data)
File "/usr/lib/python3/dist-packages/twisted/internet/tcp.py", line 214, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/transport.py", line 727, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/transport.py", line 752, in dispatchMessage
messageNum, payload)
--- <exception caught here> ---
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 103, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 86, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/service.py", line 45, in packetReceived
return f(packet)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 231, in ssh_CHANNEL_DATA
channel = self.channels[localChannel]
builtins.KeyError: 0
```

proxy depends on exact sshpass location
https://gitlab.nic.cz/haas/proxy/-/issues/7
2018-03-05T13:20:39+01:00
durdin85

When connecting to the haas-proxy, the proxy depends on sshpass located in /usr/bin; however, on systems with sshpass located in /usr/local/bin (or another place outside the default path) it fails with:
```
Upon execvpe /usr/bin/sshpass ['sshpass', '-p', '{"device_token": "w", "remote_port": x, "remote": "y", "pass": "test"}', 'ssh', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'StrictHostKeyChecking=no', '-o', 'LogLevel=error', '-p', '10014', 'root@haas-app.nic.cz'] in environment id Z
:Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/Twisted-17.9.0-py2.7-freebsd-11.1-RELEASE-p1-amd64.egg/twisted/internet/process.py", line 445, in _fork
environment)
File "/usr/local/lib/python2.7/site-packages/Twisted-17.9.0-py2.7-freebsd-11.1-RELEASE-p1-amd64.egg/twisted/internet/process.py", line 523, in _execChild
os.execvpe(executable, args, environment)
File "/usr/local/lib/python2.7/os.py", line 355, in execvpe
_execvpe(file, args, env)
File "/usr/local/lib/python2.7/os.py", line 370, in _execvpe
func(file, *argrest)
OSError: [Errno 2] No such file or directory
```
Bogdan Bodnar

Docker image
https://gitlab.nic.cz/haas/proxy/-/issues/5
2018-02-27T14:12:36+01:00
Jan Pobořil

Could you please create official Docker image?
* [x] Dockerfile
* [x] Configure auto build on hub.docker.com
Bogdan Bodnar

Licensing discrepancies
https://gitlab.nic.cz/haas/proxy/-/issues/6
2018-02-21T10:07:29+01:00
Michal Ambroz

Hello,
there seems to be some ambiguity in the licensing of the haas:
1) PKG-INFO claims the license is GPLv2, but in "Classifier" there is GPLv3
2) in setup.py there is "license='GPLv2'", but then in Classifiers there is again GPLv3
3) in the git repository there is a GPLv3 LICENSE in https://gitlab.labs.nic.cz/haas/proxy/tree/master/LICENSE , but the file is not distributed in the release tarballs (https://gitlab.labs.nic.cz/haas/proxy/blob/master/release/haas-proxy-1.6.tar.gz)
4) source files do not contain the recommended copyright headers (see chapter 17 of the GPLv3 license)
Please could you fix these issues?
Thank you
Michal Ambroz

hass_proxy gets stucked
https://gitlab.nic.cz/haas/proxy/-/issues/4
2018-02-21T02:10:19+01:00
Michal Ambroz

Hello,
I have tried to use haas_proxy but it gets stuck every time the client gets connected. New sessions are accepted, but get stuck immediately upon login with the same error.
Testing with:
```
$ ssh -p 2222 test@localhost
test@localhost's password:
```
This is what I get in the log:
```
CRITICAL:twisted:Unhandled Error
Traceback (most recent call last):
File "/usr/lib64/python2.7/site-packages/twisted/internet/tcp.py", line 208, in doRead
return self._dataReceived(data)
File "/usr/lib64/python2.7/site-packages/twisted/internet/tcp.py", line 214, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/transport.py", line 727, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/transport.py", line 752, in dispatchMessage
messageNum, payload)
--- <exception caught here> ---
File "/usr/lib64/python2.7/site-packages/twisted/python/log.py", line 101, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib64/python2.7/site-packages/twisted/python/log.py", line 84, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib64/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib64/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/service.py", line 45, in packetReceived
return f(packet)
File "/usr/lib/python2.7/site-packages/haas_proxy/proxy.py", line 53, in ssh_CHANNEL_OPEN
return super().ssh_CHANNEL_OPEN(packet)
exceptions.TypeError: super() takes at least 1 argument (0 given)
```
Tried on Fedora 28 with :
python-haas-proxy-1.5-1.noarch.rpm
python2-twisted-16.4.1-5.fc27.x86_64
I have to move the python stuff from /usr/local/lib to /usr/lib in order to run with
```
python -m haas_proxy -l /dev/null --pidfile /var/run/haas.pid haas_proxy -l /var/log/haas.log --log-level warning --device-token XXX
```
Michal Ambroz
Bogdan Bodnar

Exception on direct-tcpip channel request
https://gitlab.nic.cz/haas/proxy/-/issues/2
2018-02-16T15:03:25+01:00
Michal Čihař

This is what I see occasionally in the logs:
```
2018-01-11T13:50:29+0100 [SSHService b'ssh-connection' on SSHServerTransport,25,193.201.224.206] got channel b'direct-tcpip' request
2018-01-11T13:50:29+0100 [SSHService b'ssh-connection' on SSHServerTransport,25,193.201.224.206] channel open failed
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
return func(*args,**kw)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/service.py", line 45, in packetReceived
return f(packet)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 151, in ssh_CHANNEL_OPEN
log.err(e, 'channel open failed')
--- <exception caught here> ---
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 138, in ssh_CHANNEL_OPEN
packet)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 546, in getChannel
data)
File "/usr/lib/python3/dist-packages/twisted/conch/avatar.py", line 24, in lookupChannel
raise ConchError(OPEN_UNKNOWN_CHANNEL_TYPE, "unknown channel")
twisted.conch.error.ConchError: (3, 'unknown channel')
```
How to reproduce:
```
# ssh to the honeypot proxy with port forwarding
ssh -L 12345:localhost:22 honeypot
# once the ssh is connected try to open the forwarded port (from the host running ssh)
telnet localhost 12345
```
These requests should probably fail (unless you want to forward them to the honeypot servers), but such errors should probably be handled gracefully rather than throwing an exception to the log.
Bogdan Bodnar
https://gitlab.nic.cz/haas/proxy/-/issues/1
Exception when ssh executed with command
2018-01-16T15:26:16+01:00
Michal Čihař
When ssh is executed with a command (e.g. `ssh honeypot uname -a`), the honeypot fails with the following exception:
```
[SSHChannel session (0) on SSHService b'ssh-connection' on SSHServerTransport,0,185.47.222.168] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 86, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
return func(*args,**kw)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/channel.py", line 162, in requestReceived
return f(data)
--- <exception caught here> ---
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/session.py", line 73, in request_exec
self.session.execCommand(pp, f)
File "/usr/lib/python3/dist-packages/twisted/conch/unix.py", line 242, in execCommand
uid, gid = self.avatar.getUserGroupId()
builtins.AttributeError: 'ProxySSHUser' object has no attribute 'getUserGroupId'
```
There is a typo in the method name (it's called [getUserGroupID](https://gitlab.labs.nic.cz/haas/proxy/blob/c0363816618651bd6bc061321d2d7cf38e49e6f9/haas_proxy/proxy.py#L104) in the code); however, I think that implementing this is not desired - this code path is used to execute commands on the system and the honeypot is not supposed to do this.
Instead, `ProxySSHSession` should implement the `execCommand` method to override the behavior in this case.
I think something like this should do it:
```
# Method of ProxySSHSession; needs `from twisted.internet import reactor`.
def execCommand(self, proto, cmd):
    """
    Custom implementation of exec - proxy to real SSH to honeypot.
    """
    # pylint: disable=no-member
    self.pty = reactor.spawnProcess(
        proto,
        executable='/usr/bin/sshpass',
        args=self.honeypot_ssh_arguments + [cmd],
        env=self.environ,
        path='/',
        uid=None,
        gid=None,
        usePTY=self.ptyTuple,
    )
```
It seems to work (in the sense that it contacts the honeypot server), but I did not do any more testing.
https://gitlab.nic.cz/haas/proxy/-/issues/3
PermissionError on closing connection
2018-01-16T14:16:48+01:00
Michal Čihař
I have no clue how to reproduce this, but it happens once in a while on my server:
```
2018-01-16T12:20:35+0100 [SSHChannel session (0) on SSHService b'ssh-connection' on SSHServerTransport,4,195.22.127.83] Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/twisted/internet/tcp.py", line 292, in connectionLost
protocol.connectionLost(reason)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/transport.py", line 513, in connectionLost
self.service.serviceStopped()
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 66, in serviceStopped
self.channelClosed(channel)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/connection.py", line 608, in channelClosed
log.callWithLogger(channel, channel.closed)
--- <exception caught here> ---
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 103, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/log.py", line 86, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
File "/usr/lib/python3/dist-packages/twisted/conch/ssh/session.py", line 129, in closed
self.session.closed()
File "/usr/lib/python3/dist-packages/twisted/conch/unix.py", line 311, in closed
os.chown(self.ptyTuple[2], 0, ttyGID)
builtins.PermissionError: [Errno 1] Operation not permitted: '/dev/pts/8'
```