Package: stunnel4
Version: 3:5.38-1
Severity: important

Hi,

I use stunnel4 to tunnel SSH over SSL, and I experience daily failures triggered by shadowserver.org port scanning [1][2]. Here is the pattern from journalctl:

janv. 04 14:53:55 maison stunnel[13384]: LOG5[6]: Service [ssh] accepted connection from 216.218.206.66:17748
janv. 04 14:53:56 maison stunnel[13384]: LOG3[6]: SSL_accept: 1417D18C: error:1417D18C:SSL routines:tls_process_client_hello:version too low
janv. 04 14:53:56 maison stunnel[13384]: LOG5[6]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 04 14:54:51 maison stunnel[13384]: LOG5[7]: Service [ssh] accepted connection from 216.218.206.66:6922
janv. 04 14:54:51 maison stunnel[13384]: LOG3[7]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
janv. 04 14:54:51 maison stunnel[13384]: LOG5[7]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 04 14:54:51 maison kernel: traps: stunnel4[12705] trap stack segment ip:7f310cea5c4a sp:7f310d65bb20 error:0 in libcrypto.so.1.1[7f310cdff000+26
...
janv. 05 13:03:35 maison stunnel[342]: LOG5[8]: Service [ssh] accepted connection from 184.105.139.68:52520
janv. 05 13:03:36 maison stunnel[342]: LOG3[8]: SSL_accept: 1417D18C: error:1417D18C:SSL routines:tls_process_client_hello:version too low
janv. 05 13:03:36 maison stunnel[342]: LOG5[8]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 05 13:04:30 maison stunnel[342]: LOG5[9]: Service [ssh] accepted connection from 184.105.139.68:38530
janv. 05 13:04:30 maison stunnel[342]: LOG3[9]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
janv. 05 13:04:30 maison stunnel[342]: LOG5[9]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
janv. 05 13:04:30 maison kernel: traps: stunnel4[28471] trap stack segment ip:7f76c2c01c4a sp:7f76c33b7b20 error:0 in libcrypto.so.1.1[7f76c2b5b000+26

216.218.206.66 is scan-05.shadowserver.org
184.105.139.68 is scan-02.shadowserver.org

After each of these failures stunnel isn't running anymore and systemd doesn't know it has to restart it, because 'systemctl status' says: 'active (exited)'. But this one is related to #826883.

My stunnel config file is:

$ cat /etc/stunnel/stunnel.conf
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept = 443
connect = 127.0.0.1:22

Thanks in advance for any hint.

[1] https://poodlescan.shadowserver.org/
[2] https://freakscan.shadowserver.org/

_g.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages stunnel4 depends on:
ii  adduser      3.115
ii  libc6        2.24-8
ii  libssl1.1    1.1.0c-2
ii  libsystemd0  232-8
ii  libwrap0     7.6.q-25
ii  lsb-base     9.20161125
ii  netbase      5.3
ii  openssl      1.1.0c-2
pn  perl:any     <none>

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- no debconf information
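
Added example, not part of the original report and not stunnel or Debian code: because 'systemctl status' keeps showing 'active (exited)' after the crash, one way to notice the outage is to correlate the journal lines themselves, pairing each kernel trap in stunnel with the failed TLS handshake that immediately preceded it. The function name find_crashes, the 5-second window and the sample lines (documentation address 192.0.2.10, placeholder ip/sp values) are assumptions made for the example.

```python
import re

# Constructed sample shaped like the journalctl excerpt in the report;
# 192.0.2.10 is a documentation address and the ip/sp values are placeholders.
SAMPLE = """\
janv. 04 14:53:55 maison stunnel[13384]: LOG5[6]: Service [ssh] accepted connection from 192.0.2.10:17748
janv. 04 14:53:56 maison stunnel[13384]: LOG3[6]: SSL_accept: 1417D18C: error:1417D18C:SSL routines:tls_process_client_hello:version too low
janv. 04 14:54:51 maison stunnel[13384]: LOG5[7]: Service [ssh] accepted connection from 192.0.2.10:6922
janv. 04 14:54:51 maison stunnel[13384]: LOG3[7]: SSL_accept: 1417A0C1: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
janv. 04 14:54:51 maison kernel: traps: stunnel4[12705] trap stack segment ip:0 sp:0 error:0 in libcrypto.so.1.1[0+26
""".splitlines()

# "<month> <day> HH:MM:SS <host> <rest>"; the month token is kept as text,
# so localized names such as "janv." need no locale handling.
LINE = re.compile(r"^(\S+ +\d+) (\d\d):(\d\d):(\d\d) \S+ (.*)$")
ACCEPT = re.compile(r"LOG5\[(\d+)\]: Service \[[^\]]+\] accepted connection from (\S+):\d+")
TLSERR = re.compile(r"LOG3\[(\d+)\]: SSL_accept: .*:([^:]+)$")
TRAP = re.compile(r"^kernel: traps: stunnel4?\[\d+\] trap .* in (\S+?)\[")


def find_crashes(lines, window=5):
    """Return one record per kernel trap in stunnel, tagged with the failed TLS
    handshake (peer, reason) seen at most `window` seconds earlier that day."""
    peers, last_fail, crashes = {}, None, []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style line
        day, rest = m[1], m[5]
        secs = int(m[2]) * 3600 + int(m[3]) * 60 + int(m[4])
        if a := ACCEPT.search(rest):
            peers[a[1]] = a[2]  # stunnel connection id -> peer address
        elif e := TLSERR.search(rest):
            last_fail = (day, secs, peers.get(e[1]), e[2])
        elif t := TRAP.search(rest):
            rec = {"when": f"{day} {m[2]}:{m[3]}:{m[4]}", "module": t[1],
                   "peer": None, "reason": None}
            # Attribute the crash only if a handshake failure is close enough.
            if last_fail and last_fail[0] == day and 0 <= secs - last_fail[1] <= window:
                rec["peer"], rec["reason"] = last_fail[2], last_fail[3]
            crashes.append(rec)
    return crashes


if __name__ == "__main__":
    for crash in find_crashes(SAMPLE):
        print(crash)
```

A trap with no handshake failure inside the window is still reported, with peer and reason left as None, so a crash from another cause is not silently dropped.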