yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)

Home Page:https://www.rutschle.net/tech/sslh/README.html


Cannot open hosts.allow and hosts.deny

dm9bbadd4 opened this issue · comments

Whenever I try to SSH to my server using the public IP and port 443, SSLH throws this error
warning: cannot open /etc/hosts.allow: Permission denied
warning: cannot open /etc/hosts.deny: Permission denied
and I'm unable to connect. Web services I have behind SSLH also on that port route fine

I did an strace of this

Strace
accept(3, NULL, NULL)                   = 13
fcntl(13, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(13, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
epoll_ctl(5, EPOLL_CTL_ADD, 13, {events=EPOLLIN, data={u32=13, u64=4294967309}}) = 0
epoll_wait(5, [{events=EPOLLIN, data={u32=13, u64=4294967309}}], 64, 59743) = 1
read(13, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ub"..., 8192) = 41
getpeername(13, {sa_family=AF_INET, sin_port=htons(51878), sin_addr=inet_addr("[publicip]")}, [128 => 16]) = 0
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=937, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=510, ...}, 0) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=227, ...}) = 0
lseek(14, 0, SEEK_SET)                  = 0
read(14, "127.0.0.1 localhost\n127.0.1.1 bi"..., 4096) = 227
read(14, "", 4096)                      = 0
close(14)                               = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 14
setsockopt(14, SOL_IP, IP_RECVERR, [1], 4) = 0
connect(14, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, 16) = 0
poll([{fd=14, events=POLLOUT}], 1, 0)   = 1 ([{fd=14, revents=POLLOUT}])
sendto(14, "\27\210\1\0\0\1\0\0\0\0\0\0\003158\00218\003203\284\7in-ad"..., 44, MSG_NOSIGNAL, NULL, 0) = 44
poll([{fd=14, events=POLLIN}], 1, 5000) = 1 ([{fd=14, revents=POLLIN}])
ioctl(14, FIONREAD, [95])               = 0
recvfrom(14, "\27\210\201\200\0\1\0\1\0\0\0\0\003158\00218\003203\284\7in-ad"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, [28 => 16]) = 95
close(14)                               = 0
getpid()                                = 51005
openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 14
connect(14, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
sendto(14, "<35>Jun 11 21:41:47 sslh[51005]:"..., 89, MSG_NOSIGNAL, NULL, 0) = 89
openat(AT_FDCWD, "/etc/hosts.deny", O_RDONLY) = -1 EACCES (Permission denied)
sendto(14, "<35>Jun 11 21:41:47 sslh[51005]:"..., 88, MSG_NOSIGNAL, NULL, 0) = 88
write(2, "connection from ip-84-203-18-158"..., 83) = 83
sendto(14, "<38>Jun 11 21:41:47 sslh[51005]:"..., 116, MSG_NOSIGNAL, NULL, 0) = 116
close(13)                               = 0
close(13)                               = -1 EBADF (Bad file descriptor)
epoll_wait(5,

Some more information?
How do you start sslh: start as root and drop privileges, or start as a restricted user?
What do the access rights on those files look like? On all systems I know, they are 644 and owned by root:root.
Do you have additional services running like AppArmor or SELinux?

It runs as its own user sslh from the sslh.cfg. Both files have the standard 644 permissions as well as being owned by root:root.
I have AppArmor running, could that be it?

Of course! You need to add an AppArmor profile for sslh, where you explicitly allow read access to those files.
Where those things are located depends on your distro, but the snippet will look like:

#include <tunables/global>
/path/to/application {
  [...]
  /etc/hosts.allow r,
  /etc/hosts.deny r,
  /etc/localtime r,
}

It can happen that you need to add more rights once sslh gets past those failing steps. But that depends on how strict your overall setup is.
When you are starting this from the sslh user directly, the sslh binary also needs the cap_net_bind_service capability to bind to ports below 1024!
If you wish to use transparent mode, you also need cap_net_raw+ep.

Additional warning: if you post error logs like your strace, be sure that no private data, like your client IP address here, is in there.

It's a risk to post logs/error messages from applications where you might have misconfigurations. I don't think that's the case here, but you must always keep in mind that you may be posting a serious security problem in your configuration that unfriendly people might abuse.

I saw this when I had another look at your strace file. Your application is already listening on port 443; the right capabilities are there. The start sequence looks different from mine. I assume that you run it from a systemd socket or inetd.
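The denials that matter in a trace like the ones in this thread can be pulled out mechanically. The following is an added example for this issue, not code from sslh or from any participant: it reads strace output, collects every openat or AF_UNIX connect that failed, and emits AppArmor file rules only for the EACCES cases, since an ENOENT such as the /dev/console one is a missing file rather than a policy denial. The sample lines are constructed from the traces posted above; /usr/sbin/sslh is an assumed install path. One caveat for triage: a sandbox applied from inside the binary (landlock, seccomp) also surfaces as plain EACCES in strace without any AppArmor audit message, so a denial with no matching "apparmor=DENIED" kernel log line is not evidence that the AppArmor profile is the cause.

```python
import re
from collections import OrderedDict

# Constructed sample: a handful of lines copied from the strace output posted
# in this issue, reduced to the calls that matter for sandbox triage.
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 14
openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 16
connect(16, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts.deny", O_RDONLY) = -1 EACCES (Permission denied)
close(13)                               = -1 EBADF (Bad file descriptor)
"""

# openat(<dirfd>, "<path>", <flags>[, mode]) = -1 <ERRNO> (...)
OPENAT_RE = re.compile(
    r'^openat\(\w+, "(?P<path>[^"]+)", (?P<flags>[A-Z_|]+)[^)]*\) = -1 (?P<err>E[A-Z]+)')
# connect(<fd>, {sa_family=AF_UNIX, sun_path="<path>"}, <len>) = -1 <ERRNO> (...)
CONNECT_RE = re.compile(
    r'^connect\(\d+, \{sa_family=AF_UNIX, sun_path="(?P<path>[^"]+)"\}, \d+\) = -1 (?P<err>E[A-Z]+)')


def parse_denials(strace_text):
    """Return (path, access, errno) for every failed path open or AF_UNIX connect.

    access is the AppArmor file permission the call would have needed:
    'r' for O_RDONLY, 'w' for O_WRONLY, 'rw' for O_RDWR. Connecting a
    datagram socket to a filesystem path such as /dev/log is mediated as a write.
    """
    found = []
    for line in strace_text.splitlines():
        m = OPENAT_RE.match(line)
        if m:
            flags = set(m.group("flags").split("|"))
            if "O_RDWR" in flags:
                access = "rw"
            elif "O_WRONLY" in flags:
                access = "w"
            else:
                access = "r"
            found.append((m.group("path"), access, m.group("err")))
            continue
        m = CONNECT_RE.match(line)
        if m:
            found.append((m.group("path"), "w", m.group("err")))
    return found


def suggest_apparmor_rules(denials):
    """Keep only EACCES failures: ENOENT means the file is missing, not denied."""
    rules = OrderedDict()
    for path, access, err in denials:
        if err == "EACCES":
            rules[path] = access
    return ["  %s %s," % (path, access) for path, access in rules.items()]


def render_profile(binary, rules):
    """Wrap the rules in the profile skeleton shown earlier in this thread."""
    body = "\n".join(rules)
    return "#include <tunables/global>\n%s {\n%s\n}\n" % (binary, body)


if __name__ == "__main__":
    # /usr/sbin/sslh is an assumed install path, not taken from the issue.
    denied = parse_denials(SAMPLE_STRACE)
    print(render_profile("/usr/sbin/sslh", suggest_apparmor_rules(denied)))
```

Run it against a real capture with `strace -f -e trace=openat,connect -o sslh.trace ...` and feed the file to `parse_denials`; the rules it prints are a starting point to merge into the distro's profile, not a replacement for reviewing why each path is needed.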

So I made a profile for sslh in AppArmor, but it's silently throwing that error now and I'm only seeing it in the strace. SSH to my public IP + port 443 still doesn't work. I've given it all the relevant permissions in AppArmor. Also seeing a weird error about it not being able to open /dev/console?
My sslh install was perfectly fine until I upgraded my Ubuntu distro to LTS 24, so that's probably the main reason.

strace
epoll_wait(5, [{events=EPOLLIN, data={u32=13, u64=8589934605}}], 64, 59743) = 1
read(13, "\27\3\3\1p\273\275pay\0K\253\367\227\274E\271\7\32\253\265dg\303\364\212\215\202\v\f\345"..., 8192) = 373
write(14, "\27\3\3\1p\273\275pay\0K\253\367\227\274E\271\7\32\253\265dg\303\364\212\215\202\v\f\345"..., 373) = 373
epoll_wait(5, [{events=EPOLLIN, data={u32=14, u64=8589934606}}], 64, 59743) = 1
read(14, "\27\3\3\0\314J\211A\351\315\343\24\36]<\257\223\246\\a\23]\250f\2123\r\301B\324\333M"..., 8192) = 209
write(13, "\27\3\3\0\314J\211A\351\315\343\24\36]<\257\223\246\\a\23]\250f\2123\r\301B\324\333M"..., 209) = 209
epoll_wait(5, [{events=EPOLLIN, data={u32=13, u64=8589934605}}], 64, 59743) = 1
read(13, "\27\3\3\1pa\2272\250L\351\10*\0160\21\350\312#4;\326\233=g\201IXu$\23\211"..., 8192) = 373
write(14, "\27\3\3\1pa\2272\250L\351\10*\0160\21\350\312#4;\326\233=g\201IXu$\23\211"..., 373) = 373
epoll_wait(5, [{events=EPOLLIN, data={u32=14, u64=8589934606}}], 64, 59743) = 1
read(14, "\27\3\3\0\314\246\364\305\337\221\353\311\30\204\316\177\305%\34\257&\16\245L\361Zs\367\30178\370"..., 8192) = 209
write(13, "\27\3\3\0\314\246\364\305\337\221\353\311\30\204\316\177\305%\34\257&\16\245L\361Zs\367\30178\370"..., 209) = 209
epoll_wait(5, [{events=EPOLLIN, data={u32=3, u64=4294967299}}], 64, 59743) = 1
accept(3, NULL, NULL) = 15
fcntl(15, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(15, F_SETFL, O_RDWR|O_NONBLOCK) = 0
epoll_ctl(5, EPOLL_CTL_ADD, 15, {events=EPOLLIN, data={u32=15, u64=4294967311}}) = 0
epoll_wait(5, [{events=EPOLLIN, data={u32=15, u64=4294967311}}], 64, 59743) = 1
read(15, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ub"..., 8192) = 41
getpeername(15, {sa_family=AF_INET, sin_port=htons(51956), sin_addr=inet_addr("[publicip]")}, [128 => 16]) = 0
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=937, ...}, 0) = 0
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=510, ...}, 0) = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 16
fstat(16, {st_mode=S_IFREG|0644, st_size=227, ...}) = 0
lseek(16, 0, SEEK_SET) = 0
read(16, "127.0.0.1 localhost\n127.0.1.1 bi"..., 4096) = 227
read(16, "", 4096) = 0
close(16) = 0
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 16
setsockopt(16, SOL_IP, IP_RECVERR, [1], 4) = 0
connect(16, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, 16) = 0
poll([{fd=16, events=POLLOUT}], 1, 0) = 1 ([{fd=16, revents=POLLOUT}])
sendto(16, "\331\345\1\0\0\1\0\0\0\0\0\0\003158\00218\003203\284\7in-ad"..., 44, MSG_NOSIGNAL, NULL, 0) = 44
poll([{fd=16, events=POLLIN}], 1, 5000) = 1 ([{fd=16, revents=POLLIN}])
ioctl(16, FIONREAD, [95]) = 0
recvfrom(16, "\331\345\201\200\0\1\0\1\0\0\0\0\003158\00218\003203\284\7in-ad"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("1.1.1.1")}, [28 => 16]) = 95
close(16) = 0
getpid() = 3054
openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY) = -1 EACCES (Permission denied)
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 16
connect(16, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
close(16) = 0
openat(AT_FDCWD, "/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts.deny", O_RDONLY) = -1 EACCES (Permission denied)
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 16
connect(16, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
close(16) = 0
openat(AT_FDCWD, "/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
write(2, "connection from ip-84-203-18-158"..., 83) = 83
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 16
connect(16, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
close(16) = 0
openat(AT_FDCWD, "/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
close(15) = 0
close(15) = -1 EBADF (Bad file descriptor)
epoll_wait(5, [{events=EPOLLIN, data={u32=13, u64=8589934605}}], 64, 59743) = 1
read(13, "\27\3\3\1p\371\275\t\340C\252\0042h`\323\312\332M\16\365\352W\261\235\314\337[&\261\305\340"..., 8192) = 373
write(14, "\27\3\3\1p\371\275\t\340C\252\0042h`\323\312\332M\16\365\352W\261\235\314\337[&\261\305\340"..., 373) = 373
epoll_wait(5, [{events=EPOLLIN, data={u32=14, u64=8589934606}}], 64, 59743) = 1
read(14, "\27\3\3\0\314\300\7\31N\303\314\376\357\204D\343\372H\316n\302\265\30RMPB\21575\302\264"..., 8192) = 209
write(13, "\27\3\3\0\314\300\7\31N\303\314\376\357\204D\343\372H\316n\302\265\30RMPB\21575\302\264"..., 209) = 209
epoll_wait(5,

Reverted my sslh binary to 2.0.1 (I was using 2.1.2) and now it's working correctly. I think this may be a landlock issue.

Please reopen if the commit doesn't work, or confirm if it's OK (I'll create a patch release).