URGENT: cannot access server now... can ping ip, not able to ssh/ispconfig 8080

Discussion in 'Server Operation' started by brisk, Dec 24, 2018.

  1. brisk

    brisk Member

    Here is the what happened...
    I logged into the server, found out the ufw is inactive
    so I checked ispconfig, and in server config the firewall is set to ufw
    and on the firewall page, it shows active... so I turned it off and on again
    then I went to ssh, it still shows inactive (the notification was completed on ispconfig when i checked status)

    so I thought must be something else...
    then afew seconds later I was disconnected from ssh
    than I am not able to log in anymore from ssh, and ispconfig:8080 timedout...

    so what can I do now?

    seems it is related firewall, since I run dns server on it, dns is not reachable.

    please help!
     
  2. brisk

    brisk Member

    and these are open ports showed up in ispconfig (I still have the screen there):

    20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,8081,10000
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    If you can't connect to the server by ssh or ispconfig, then the only way to stop ufw is to connect to the server console directly or boot it in a rescue mode, when your server has no console login.
     
    brisk likes this.
  4. brisk

    brisk Member

    so I have to ask my isp?
     
  5. brisk

    brisk Member

    how to boot in rescue mode? ask ISP? I wonder if I do server reboot would help?
    will it cause more damage if I just do a reboot from my ISP's control panel?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It depends on your ISP if the provide a console login or if they have a rescue mode and also how that rescue mode works is different for each provider.

    It's not very likely that it helps, but you can try it. It should not cause any damage.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The steps then are that you stop ufw. In ISPConfig, I recommend to delete the firewall record, then wait, and then add it again.
     
  8. brisk

    brisk Member

    rebooting... fingers crossed...
     
  9. brisk

    brisk Member

     
  10. brisk

    brisk Member

    Rebooted... no help. Still cannot connect
     
  11. brisk

    brisk Member

    In rescue mode now... need to mount the driver and change the ufw rule?
     
  12. brisk

    brisk Member

    OK, this was the rule causing the issue:

    Code:
    [email protected]:/etc/ufw# more user.rules
    *filter
    :ufw-user-input - [0:0]
    :ufw-user-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    ### RULES ###
    
    ### END RULES ###
    
    ### LOGGING ###
    -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3
    [email protected]:/etc/ufw# more user.rules
    *filter
    :ufw-user-input - [0:0]
    :ufw-user-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    ### RULES ###
    
    ### END RULES ###
    
    ### LOGGING ###
    -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3
    -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit
    -I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/
    -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --
    -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min -
    ### END LOGGING ###
    
    ### RATE LIMITING ###
    -A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOC
    -A ufw-user-limit -j REJECT
    -A ufw-user-limit-accept -j ACCEPT
    ### END RATE LIMITING ###
    COMMIT
    [email protected]:/etc/ufw# more ufw.conf
    # /etc/ufw/ufw.conf
    #
    
    # set to yes to start on boot
    ENABLED=yes
    
    # set to one of 'off', 'low', 'medium', 'high'
    LOGLEVEL=low
    [email protected]:/etc/ufw#
    
     
  13. brisk

    brisk Member

    hmm, getting better... but I am not able to
    thanks a lot!
    Now I am able to access the ispconfig.

    So delete the record, then add... but what are the UDP and TCP ports I need to open?

    on screen I see this for upd:


    53,3306

    and this for TCP:

    20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,8081,10000

    I am running in a single server mode (one server has ISPCOnfig, web, mail, dns)
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The above ports should be fine, unless you run services or ssh on other ports. The reason why I recommended to delete and then add the firewall again is that this will write the firewall config again. Apparently, there must have been an issue before wirth writing the rules from ispconfig to ufw so that the activation then caused all ports to be closed.
     
    brisk likes this.
  15. brisk

    brisk Member

    Thanks @till , delete it and recreate worked, the rules are added!

    THANKS!
     

Share This Page