[Spce-user] Lost SSH after upgrade

Maxwell Power mpower at yegtel.ca
Fri Jun 16 17:21:21 EDT 2017

Hi Alex,

This happened on a fresh install of 5.2.X. We were migrating a system manually. So when we initially configured it and had it ready for service, we enabled security. It was then that we got locked out. Since it was a new install and accessing the console via KVM was a pain, we just reimaged Debian and reinstalled.

I believe I had checked the default iptables after reinstalling and found that there was nothing allowing us access to SSH so all connection attempts were just being dropped. It was then I got the impression we needed to specifically allow hosts access. Since it seemed the only access was via the Sipwise jump box. Looking in the manual, I believe the issue was with this rule "-A INPUT -i <ssh_ext_interface> -p tcp -s <sshd.permit_support_from> --dport sshd.port -j ACCEPT". It seems to only allow access for the hosts listed in sshd.permit_support_from. For our purposes, we need many hosts. We could be logging in from a variety of IP's when working remotely or, from a customer site.

If the intention is to lock SSH down, I suggest adding a note to the docs or even an option in config.yml. Either to allow all access or using permit_support_from.

All that being said, I didn't spend a great deal of time on it. Simply adding that custom rule and moving on. We have since upgraded that box to mr5.3.1 without issues and left that rule in config.yml for the time being. It's running fine in production at the moment. We can't risk loosing access to that box; to test without said rule.

I must add, mr5.3.1 is a very nice release! Especially the new reports.

Maxwell Power 

Technical Account Manager 
Phone: (780) 809-9990 Ext. 417 | Toll Free: (855) 4-YEGTEL(934835) | Fax: (780) 401-3390 
YEGTEL Communications INC. | 10301 104 ST NW, Suite 55, Edmonton, Alberta, T5J 1B9 
Email: [ mailto:mpower at yegtel.ca | mpower at yegtel.ca ] | Web: [ https://www.yegtel.ca/ | www.yegtel.ca ] 

This e-mail and any attachments may contain confidential or privileged information. If you are not an intended recipient, do not re-send, copy or use this e-mail. Please also contact the sender immediately and delete this e-mail in its entirety. Privilege is not waived by reason of mistaken delivery to you. YEGTEL Communications and its affiliates accept no liability whatsoever for loss or damage in relation to this e-mail and may monitor, retain and/or review email. Opinions expressed in this e-mail are those of the author and may not represent the opinions of YEGTEL Communications and its affiliates. 

Ce courriel et toutes ses pièces jointes peuvent contenir de l'information de nature confidentielle ou privilégiée. Si vous avez reçu ce courriel par erreur, merci de ne pas le transférer, le copier ou l'utiliser. Veuillez communiquer immédiatement avec l'expéditeur et supprimer le message dans son intégralité. Le fait de vous avoir envoyé ce courriel par erreur ne signifie pas que l'expéditeur renonce à ses droits. YEGTEL Communications et ses sociétés affiliées ne peuvent être tenues responsables de toute perte ou dommages liés au présent courriel et peuvent effectuer un suivi de ce courriel, le conserver et l'examiner. Les opinions exprimées dans le présent courriel sont celles de son auteur et non celles de YEGTEL Communications et de ses sociétés affiliées.

----- Original Message -----
From: "Alex Lutay" <alutay at sipwise.com>
To: spce-user at lists.sipwise.com
Sent: Friday, 16 June, 2017 07:23:19
Subject: Re: [Spce-user] Lost SSH after upgrade

Hi Maxwell,

Thank you for reporting it here!

I would like to clarify some details to commit the fixes if necessary.

Firewall configuration (as a part of NGCP) has been introduced in
mr5.2.1, while Anthony's initial report was about upgrade
mr5.2.1->mr5.3.1 .

Did you experience described problem after upgrade on mr5.2.1 or after
upgrade on mr5.3.1 ?

Also as for upgrade on mr5.2.1 we were tried to make zero harm
as security->firewall->enable=no by default.

I would really appreciate detailed description here (private email if
you want). I would like to prevent this for other spce@ users.

Thank you!

On 06/13/2017 07:23 PM, Maxwell Power wrote:
> We had issues with this a few versions ago where we got completely locked out. Not a good time.
> SSH is fairly locked down in recent builds due to the new firewall configuration. Which is great in theory for sure. Except in our case, we have support located in multiple locations. All use changing IP addresses.
> Our solution was to add a firewall rule to allow all SSH traffic.
> Update config.yml, looking for the following section:
> security:
>     rules4:
>       - '-A INPUT --dport 22 - j ACCEPT'
> It does allow anyone to connect via SSH and is a security risk, if SSH is not properly protected.

Alex Lutay
Head of Quality Assurance
Sipwise GmbH, Campus 21/Europaring F15
AT-2345 Brunn am Gebirge

Office: +43(0)13012036
Email: alutay at sipwise.com
Website: https://www.sipwise.com
Spce-user mailing list
Spce-user at lists.sipwise.com

More information about the Spce-user mailing list