0

After upgrading, somehow some of the ports have been closed!? Now port 22 is no longer open and the server is not accessible through either SSH or SFTP.

All other services like apache, mysql, webmin etc. are running as expected.

Have tried to reboot the system

Open ports before upgrade

```
# nmap -PN 127.0.0.1
Host is up (0.0000090s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3306/tcp  open  mysql
10000/tcp open  snet-sensor-mgmt
```

Open ports after upgrade

```
# nmap -PN 127.0.0.1
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
80/tcp    open  http
10000/tcp open  snet-sensor-mgmt
```

Below are the exact steps during the upgrade. The upgrade has been performed on multiple servers, with the same issue in all cases: closed ports after the upgrade was completed.

1 step: Upgrading mysql 5.6.15 to 5.6.20

```
service mysql stop
dpkg -r mysql
dpkg -r mysql-client
dpkg -r mysql-client-5.5
dpkg -r mysql-common
wget http://cdn.mysql.com/Downloads/MySQL-5.6/mysql-5.6.20-debian6.0-x86_64.deb && dpkg -i mysql-5.6.20-debian6.0-x86_64.deb
cd /usr/local && ln -s /opt/mysql/server-5.6 mysql && cd mysql && scripts/mysql_install_db --user=mysql --datadir=/var/lib/mysql
rm /opt/mysql/server-5.6/my.cnf && ln -s /var/ini/my.cnf /opt/mysql/server-5.6/my.cnf
cp support-files/mysql.server /etc/init.d/mysql
update-rc.d mysql defaults
service mysql start
```

2 step: Further upgrading

```
apt-get update && apt-get upgrade
```

What could have gone wrong during the upgrade, since some of the ports are no longer open? How to re-open the closed ports?

The following ports are no longer open:

22 ssh
3306 mysql

Mysql is running (the webpage is accessible). But I can't connect to the server through SSH (putty) because port 22 has somehow been closed during the upgrade.

putty error

Server unexpected closed network connection


clarkk
  • Are you sure the mysql daemon is running? During the install did it prompt you about updating the mysql configuration? How did you answer? Check your /etc/ for files with names like `*.dpkg-old`. That is the typical name of the backup of config files that were replaced. – Zoredache Jul 31 '14 at 22:29
  • Yes.. mysql, apache, webmin is running.. – clarkk Jul 31 '14 at 22:31
  • Can you show us the output of `netstat -anp | grep 3306` and `iptables -nvL`? – krisFR Jul 31 '14 at 22:36
  • The problem is that I can't access the server through SSH because port 22 is closed.. The support from the datacenter just told me that only ports 80 and 10000 were open.. The server (apache/mysql) is running – clarkk Jul 31 '14 at 22:37
  • If the datacenter support told you that only ports 80 and 10000 are open, then the others are closed... so what makes you think MySQL is running? – krisFR Jul 31 '14 at 22:40
  • because you can access the server and login https://secure.dynaccount.com – clarkk Jul 31 '14 at 22:41
  • By the way `telnet secure.dynaccount.com 22` works! – krisFR Jul 31 '14 at 22:44
  • if you connect through winscp you get this error `server unexpected closed network connection` – clarkk Jul 31 '14 at 22:48
  • same error if you connect through putty – clarkk Jul 31 '14 at 22:50
  • `The problem is that I can't access the server through SSH because port 22 is closed..` - Well you broke something then. No idea what, but you should investigate getting out-of-band access to the system somehow. Connecting by some kind of IP-KVM, IPMI, or something. – Zoredache Jul 31 '14 at 22:59
  • Try the telnet command above to verify 22 is running, it probably is. This is most likely related to the account used to test, or a /etc/hosts.deny file or something in /etc that was patched. – Schrute Aug 01 '14 at 01:45
  • have updated the question with a print screen.. something about a mismatch in openSSL versions – clarkk Aug 01 '14 at 09:39

2 Answers

1

IIRC the default MySQL config is not to listen via TCP, but via socket file only, which explains why port 3309 isn't bound after the upgrade. It's likely that somehow you ended up with the default config.

Why sshd isn't running isn't discernible from the commands you shared, but it's likely some config error that makes sshd bail out on start. Without access to the system for you to give us more information, there's not enough to go on for thinking of anything else.

Update

According to the output you shared, sshd complains that openssl doesn't match its version. Get access to your box and run

```
apt-get update
apt-get install openssl openssh-server libssl1.0.0
```

If you get errors on updates, this should fix APT. Be careful though, you need to review your config after this:

```
apt-get install -f
```

That should take care of it.

fuero
  • What more information do you need to tell more about why SSH is not running? a log output or something? I don't know what to look for :) – clarkk Aug 01 '14 at 08:33
  • have updated my question with a screen dump from the server.. something about a mismatch in versions in openssh? – clarkk Aug 01 '14 at 09:33
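
The comments report that `telnet` to port 22 connects while PuTTY and WinSCP see the connection closed, so it helps to separate a closed port from a listener that accepts and then drops the session before sending the SSH version banner. The probe below is an added example, not code from the question or the answers; `probe_ssh`, `start_stub` and the banner strings are hypothetical names and constructed test data.

```python
import socket
import threading

def probe_ssh(host, port=22, timeout=3.0):
    """Return (state, banner); state is closed, unreachable, no-banner, not-ssh or ssh-ok."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", ""        # nothing listening: what nmap reports as closed
    except OSError:
        return "unreachable", ""   # timeout, filtered or routing problem
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)  # an SSH server sends its version string first
        except OSError:
            data = b""             # reset or silence before any banner
    if not data:
        return "no-banner", ""     # listener accepted, then dropped the session
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("ssh-ok" if line.startswith("SSH-") else "not-ssh"), line

def start_stub(payload):
    """Constructed local listener for the demo: accept once, send payload, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if payload:
                conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    # Constructed banners, not captured from the server in the question.
    print(probe_ssh("127.0.0.1", start_stub(b"SSH-2.0-OpenSSH_demo\r\n")))
    print(probe_ssh("127.0.0.1", start_stub(b"")))
```

A `no-banner` result means the port is reachable and the fault is in the daemon itself, which is where its startup errors and the package state come in; `closed` means nothing is bound to the port at all.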
-1

You'll need physical access to the machine to restart the sshd. Maybe the default services run on startup have somehow changed. If you're using old initd, you should see the manpage of update-rc.d. If you're using the current systemd, you should refer to the manpage of service. SFTP uses SSH services, so if your sshd is unavailable, so is your sftp. The fact that you can reach the webservices through a web browser does not mean it runs as expected. There may be a cache mechanism hiding a failure.

Given what you share, it seems that you have a problem in the update procedure. The versions of the packages installed may not be compatible. Run `apt-get -f install` to ask apt-get to fix that.

Manu H