
When you are configuring iptables or SSH over SSH and the data center is thousands of kilometers away (and getting someone there to plug in a KVM is hard), what are some standard practices to prevent locking yourself out?

Teun Zengerink
user36976
  • Get a real server with built-in KVM over IP. Problem solved (I admit: If you get the d&*^%&2 java plugin to run, that is). – Sven May 30 '14 at 08:58
  • @SvW +1 for @%$@%#$%!^ Java. The bane of my existence is java based IPMI solutions (and printers, yuck HP) with an obsolete Java version that doesn't play nice with newer Java and enhanced Java security. – Tonny May 30 '14 at 09:35

3 Answers

There was a similar question Configure iptables over SSH without getting locked out?

I post here the tips I gave in the previous question:

1) I back up the old iptables configuration file:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak

2) Before trying the new settings, execute this command to make sure you can connect back if something in the new settings locks you out (basically it replaces the old rules after 5 minutes):

echo "mv /etc/sysconfig/iptables.bak /etc/sysconfig/iptables && service iptables restart" | at now + 5min

3) Now you can safely modify iptables rules. If something goes bad you can connect back within 5 minutes.

shardan
  • I tend to use `at now+5min` `service iptables stop` `^D`, but the effect is the same. Once I know I've not locked myself out, I can use `atrm` to remove the job. – MadHatter May 30 '14 at 09:05
  • What is with those large time frames? I use 60s, try to open a new shell and if that works, immediately deem it a success. Is that too optimistic? 15min seems like way too long. – musiKk Jun 02 '14 at 14:37
  • 15 min seems a long time frame but you can always change it. It depends on what you need to do. In that case I just needed some time to check some firewall rules and 15 minutes was a reasonable time to conduct my tests. Anyway, I updated the post with 5 min. – shardan Jun 02 '14 at 20:41
  • You will need to `yum install at`, and `systemctl start atd` to use it, or else it will fail. Don't forget to `systemctl enable atd` if you want it on reboot. – Brian Thomas Nov 07 '19 at 21:22

If you need to modify the SSH config, e.g. in /etc/ssh/sshd_config: Leave a session open in another terminal. This usually will stay open, but of course you can use a similar trick as in @shardan's post for the SSH config as well.

Sven
  • Not if you need to restart ssh to update the config... – user36976 May 30 '14 at 09:02
  • @Nick: No, that's not true, the connection *usually* stays open. – Sven May 30 '14 at 09:04
  • That is probably true in firewalls with a generic `-A INPUT -m state ESTABLISHED -j ACCEPT`, as you're unlikely to touch that line and it tends to come early in the ruleset - but for firewalls which are more selective about accepting `INPUT` traffic, in my experience it's very possible to shut yourself out of an existing ssh connection. – MadHatter May 30 '14 at 09:07
  • @MadHatter: I am talking about editing `/etc/ssh/sshd_config` and the need to restart the SSH daemon. – Sven May 30 '14 at 09:09
  • Sorry, SvW, I had missed that; I agree with your point. – MadHatter May 30 '14 at 09:17
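The `at`-based rollback in shardan's answer and the sshd_config case in Sven's answer are the same pattern: schedule an automatic revert before touching anything, and cancel it only after a fresh login has proved the change works. The script below is an added example, not code from either answer; it generalises the trick by using a detached background `sleep` instead of `at`, so it also works on hosts where atd is not installed (the comment about `yum install at` above). The file paths, service names and the `/root/iptables.bak` location in its usage comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the answers on this page): a dead man's switch around a risky
# remote change. A detached job reverts the change after a delay unless it is cancelled.
# Paths and service names in the usage comments at the bottom are assumptions.

# schedule_revert SECONDS CMD [ARGS...]
# Starts a detached job that runs CMD after SECONDS seconds and prints the job's PID.
schedule_revert() {
    delay="$1"; shift
    # trap '' HUP: if the SSH session that scheduled the revert is the thing that dies,
    # the revert job must survive the hangup signal sent to that session.
    sh -c 'trap "" HUP; sleep "$0"; exec "$@"' "$delay" "$@" </dev/null >/dev/null 2>&1 &
    echo $!
}

# cancel_revert PID
# Cancels a pending revert. Returns 0 if it was still pending, 1 if it had already fired.
cancel_revert() {
    kill "$1" 2>/dev/null
}

# Typical use on the far end, before touching the firewall (assumed paths):
#   iptables-save > /root/iptables.bak
#   pid=$(schedule_revert 300 sh -c 'iptables-restore < /root/iptables.bak')
#   ... apply the new rules, then open a NEW ssh session to prove they still let you in ...
#   cancel_revert "$pid"
#
# The same switch covers the sshd_config case (service name is "ssh" on Debian/Ubuntu):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   pid=$(schedule_revert 300 sh -c 'cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config && systemctl restart sshd')
#   sshd -t && systemctl restart sshd     # sshd -t rejects a config the daemon cannot parse
#   ... confirm a fresh login works, then: cancel_revert "$pid"
```

Keep the delay short enough that a real lockout is only a minor outage, but long enough to actually test a new login; cancel from the new session, not the old one, so the cancel itself is proof that the path in still works.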

Another way to ensure you have access is to use the -R flag of ssh on the remote server:

/usr/bin/ssh -R 55555:localhost:22 user@your.otherserver.com

From your.otherserver.com you can now log into the remote machine using:

ssh localhost -p 55555

To ensure that I'm not locked out for more than 5 mins I run a cron job that runs the following shell script on the remote server:

#!/bin/sh
# Look for an existing tunnel process; the [s] trick stops grep from matching itself
GREPSSH=$(ps ax | grep '[s]erverkey' | awk '{print $1}')
if [ -z "$GREPSSH" ]
then
    echo "no sshlink"
    /usr/bin/ssh -nNT -i ~/.ssh/serverkey -R 55555:localhost:22 -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes user@your.otherserver.com &
else
    echo "$GREPSSH"
    exit 1
fi

This script:

  • checks if the outbound ssh is running
  • if not, it starts it with various options (-nNT and -o) and the -R for port forwarding to the remote server
  • uses an ssh identity key (-i) to allow login without a password to your.otherserver.com

I have found this is a useful tool for getting back into remote machines :~)

fcbsd
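An added example, not fcbsd's script: the same cron watchdog, but keyed on a pidfile instead of `ps | grep`, so a tunnel that died is detected through its stale pidfile and no unrelated process whose command line happens to contain `serverkey` can make the watchdog think the tunnel is up. The pidfile path, the script name in the cron line and the `--run` argument are assumptions of this example; `TUNNEL_CMD` defaults to the ssh invocation from the answer.

```shell
#!/bin/sh
# Added example, not fcbsd's script: a reverse-tunnel watchdog that tracks the tunnel by
# pidfile. PIDFILE and the --run argument are assumptions of this example; TUNNEL_CMD
# defaults to the ssh command from the answer (~ is written as $HOME because tilde
# expansion does not happen inside a variable).

PIDFILE="${PIDFILE:-/var/run/reverse-tunnel.pid}"
TUNNEL_CMD="${TUNNEL_CMD:-ssh -nNT -i $HOME/.ssh/serverkey -R 55555:localhost:22 -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes user@your.otherserver.com}"

# tunnel_running: 0 if PIDFILE names a live, non-zombie process, 1 otherwise.
# A pidfile left behind by a dead tunnel is removed so the next run can start a new one.
tunnel_running() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    # kill -0 only checks that the PID exists; a zombie still "exists" until it is reaped,
    # so also inspect /proc (grep -s stays silent on systems without /proc and then passes)
    if kill -0 "$pid" 2>/dev/null && ! grep -qs '^State:.Z' "/proc/$pid/status"; then
        return 0
    fi
    rm -f "$PIDFILE"
    return 1
}

# ensure_tunnel: start TUNNEL_CMD if it is not already running. Prints "running" or "started".
ensure_tunnel() {
    if tunnel_running; then
        echo running
        return 0
    fi
    # trap '' HUP so the tunnel outlives the cron/SSH session that launched it;
    # exec makes the recorded PID the ssh process itself rather than a wrapper shell
    sh -c "trap '' HUP; exec $TUNNEL_CMD" </dev/null >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo started
}

# cron entry on the remote machine (assumed path):
#   * * * * * /usr/local/bin/tunnel-watchdog.sh --run
case "${1:-}" in
    --run) ensure_tunnel ;;
esac
```

Because `ExitOnForwardFailure=yes` makes ssh exit when port 55555 is already bound on the other end, a failed tunnel shows up as a dead PID and is retried on the next cron run instead of lingering as a useless connection.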