How to create a fallback to avoid being locked out?

Hello,
I bought a cheap NAT VPS that doesn't come with a serial console like others do (weirdly), maybe because it doesn't use the usual SolusVM.
So when you get locked out of the VPS for SSH or iptables reasons, you can't do anything but reinstall, unless you bother the provider, but that support is not included.
My question is, in these situations, what can I set up on the VPS as a fallback for SSH or something else? Is there a way? I'm not talking about backups that are in place... I mean gaining back access to your server without doing the whole reinstall process.

Thanks!

Comments

  • sibaper, Member
    edited October 2017

    Dirty solution:

    1. Add a crontab entry to automatically disable the firewall on reboot or every x minutes/hours etc.

    You only need to reboot the server from the control panel.

    2. For SSH, add a script to download the SSH config from somewhere and restart SSH.

    SSH will always be there for you.

    That will work for sure, but somehow it's not recommended.

  • raindog308, Administrator, Veteran

    Console is usually the backup, but if you don't have it and your main concern is iptables, then some kind of disable trigger is needed.

    That can be cron... when I test new iptables rules, I often put in a 5-minute at(1) job to run iptables -F in case I've screwed something up.

    You could write a script that runs out of cron that downloads something from Dropbox (one possibility of a billion). If the file exists or if it has a certain string, disable the firewall.

    Or keep your firewall rules on Dropbox and have a script that downloads and applies them every so often. The problem with that is error checking... typo your rules and it's easy to lock yourself out from the thing that keeps you from being locked out :-)

    You could also set up some kind of port-knocking - e.g., if you connect to port 8989 then the firewall is disabled, but then, anyone could do that and you're relying on obscurity.

    Of course instead of disabling the firewall, you could also unblock another port, etc. ssh can run on multiple ports.

    Ultimately, without out-of-band access (e.g., a serial console) your options are limited.

    Thanked by 1emg
  • I wonder, is it about wishosting?

  • WSS, Member

    @bersy said:
    I wonder, is it about wishosting?

    If so, OpenNebula has VNC even on the NAT hosts, AFAIK.

  • @raindog308 said:

    ..typo your rules and it's easy to lock yourself out from the thing that keeps you from being locked out :-)

    I must admit, this is funny and I laughed at this, lol

    Thanked by 2raindog308 lazyt
  • Neoon, Community Contributor, Veteran
    edited October 2017

    Do it 2 times and you will recheck it next time twice, before you apply any firewall changes or ssh changes.

    Generally, checking stuff more often, saves a lot of hassle.

  • Maounique, Host Rep, Veteran

    There can be VNC, RDP and similar, but the problem is they greatly enlarge your attack surface. Also, the firewall can be screwed up in such a way that all ports are blocked...
    I would put up an outgoing tunnel to connect to a certain IP and from there go back to the VM. It does not enlarge your attack surface, but it is kinda convoluted and, again, the firewall may block outgoing too.

    Thanked by 2emg lazyt
  • pbgben, Member, Host Rep

    Write ya password backwards on a postit, and put it in the news section of ya playboys

    Thanked by 1WSS
  • Whitelist some IP so you can connect later

  • If you change the SSH config, keep a connection open until you have verified that you can still open new connections. (And make sure your new connection isn't just multiplexed onto the existing one, if you're using ControlPath.)

    For iptables, there's iptables-apply: "iptables-apply will try to apply a new rulesfile (as output by iptables-save, read by iptables-restore) or run a command to configure iptables and then prompt the user whether the changes are okay. If the new iptables rules cut the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous working iptables rules after the timeout expires."

    Problem solved? :)

    All the workarounds with at/cron jobs overwriting things are just asking for trouble. I can pretty much guarantee you'll come back to your server in a year, oblivious that you set up something like that, and spend hours trying to find out why your config changes don't stick.
    Additionally or alternatively, your workaround might encounter some unexpected situation (network not up on boot, etc) and either do nothing at all or even make things worse.

    Thanked by 1yomero
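
The advice in the post above (keep a session open, make sure the test login is not just multiplexed over it, and validate before you restart) plus raindog308's remark that sshd can listen on several ports, put together as an added example. This is not any poster's script: it assumes OpenSSH with ports set by "Port" lines rather than ListenAddress host:port, and the config path, the fallback port 2222 and the function names are this example's own choices.

```shell
#!/bin/sh
# Fallback listen port and a syntax check before reloading sshd. Added as an
# example for this thread, not any poster's script. Assumes OpenSSH with ports
# set by "Port" lines (not ListenAddress host:port); the path, the port 2222
# and the function names are this example's own choices.
set -eu

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
FALLBACK_PORT=${FALLBACK_PORT:-2222}

# Add a second Port line so a mistake that breaks the primary port still leaves
# a door open; sshd listens on every Port line given. If the file has no Port
# line, the default 22 is written explicitly first, since adding only "Port 2222"
# would silently drop 22. Port lines must precede any Match block, so they go
# at the top of the file. Safe to run twice.
add_fallback_port() {
    cfg=$1 port=$2
    if grep -Eiq "^[[:space:]]*Port[[:space:]]+$port[[:space:]]*\$" "$cfg"; then
        return 0
    fi
    tmp=$(mktemp)
    {
        grep -Eiq '^[[:space:]]*Port[[:space:]]+' "$cfg" || echo 'Port 22'
        echo "Port $port"
        cat "$cfg"
    } > "$tmp"
    cat "$tmp" > "$cfg"      # overwrite in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Ports the config will listen on, as one space-separated line.
listen_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1" | sort -un | xargs
}

# Reload only if sshd itself accepts the file: a config that fails "sshd -t"
# means no sshd at all after a restart, and then key authentication is moot.
safe_reload() {
    if ! sshd -t -f "$1"; then
        echo "refusing to reload: $1 has errors" >&2
        return 1
    fi
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
    # ControlPath=none forces a genuinely new connection instead of reusing
    # an existing multiplexed master session.
    echo "verify with a NEW connection: ssh -o ControlPath=none -p $FALLBACK_PORT user@host"
}

if [ "${1:-}" = run ]; then
    add_fallback_port "$SSHD_CONFIG" "$FALLBACK_PORT"
    echo "sshd will listen on: $(listen_ports "$SSHD_CONFIG")"
    safe_reload "$SSHD_CONFIG"
fi
```

Run it as `sh fallback-port.sh run` while your current session stays open; only close that session once the new connection on the fallback port works. The fallback port still needs to be allowed by the firewall, and with a NAT VPS the provider must also forward it.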
  • WSS, Member

    With SolusVM based systems, you're under 15 keystrokes from root into any virtualhost. So, just root the node and claim back your VPS.

    I've used port knocking, high port ssh, et al.. but it pretty much ends up being a "Don't do shit drunk."

    I've never completely fucked something up and logged out when sober- except when intentionally overwriting my underlying drive/filesystem with a different OS with qemu on purpose. Then, I took so long setting it up that the libc wasn't held in RAM and reboot didn't work. That kind of sucked, but a power cycle later and it was back.

  • @bersy said:
    I wonder, is it about wishosting?

    Yes it's them and they don't have it. Anyway my main concern apparently is ssh now. I underestimated how important having that in the control panel is. Thanks for the suggestions, it's my first provider since ever without that access :/

    Thanked by 1bersy
  • WSS, Member

    You can add/modify your SSH key under your user settings to the top right after logging into OpenNebula.

    If you don't rely on SSH keys for authentication, well, that's on you.

  • emg, Veteran
    edited October 2017

    Good suggestions above, especially the comments from @raindog and @Maounique. What you are asking for is a "backdoor" to your VPS server. As you point out, most providers offer a backchannel "secure" console to access your VPS, but the nature of your VPS prevents that. Thus the only way to provide the required backdoor is for the VPS to do one of two things:

    1. Open additional interfaces (enable or expose additional services) that could be used to connect to the VPS, such as VNC. The interfaces could remain open all the time, or opened by some type of trigger.
    2. Disable whatever is blocking access, probably the firewall. It might be a limited change or just disable the firewall altogether, which is not a good idea.

    In either case, you are trading security for availability. That's okay as long as you properly assess the risks and make intelligent choices.

    As Maounique points out, opening additional interfaces increases the attack surface, which means that attackers have greater opportunities to attack your VPS. The same is true for some of Raindog's suggestions.

    One comment about port knocking: All real-world implementations that I have seen require multiple "random" ports, to be "knocked" in a specific, non-sequential order in a limited timeframe. Raindog's single port suggestion is a good example of the idea, but it is a simplification of the usual way that it is done. It should be obvious that using a single port for port knocking is not secure.

    Thanked by 1Maounique
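
The multi-port, ordered, time-limited knock sequence emg describes, implemented with nothing but iptables and its "recent" match, as an added example (not any poster's rules). The chain names (KNOCKING, GATEn, PASSED), the list names (AUTHn), the knock ports and the time windows are this example's own choices; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Ordered, time-limited port knocking using only iptables and its "recent"
# match. Added as an example for this thread, not any poster's rules. Chain
# names (KNOCKING, GATEn, PASSED), list names (AUTHn), the knock ports and
# the time windows are this example's own choices.
set -eu

IPT=${IPT:-iptables}               # IPT=echo prints the rules instead of loading them
KNOCK_WINDOW=${KNOCK_WINDOW:-10}   # seconds allowed between consecutive knocks
OPEN_WINDOW=${OPEN_WINDOW:-30}     # seconds the protected port stays reachable
PROTECTED_PORT=${PROTECTED_PORT:-22}

# knock_rules PORT1 PORT2 ... PORTn
# One GATE chain per stage. In stage i, a packet to PORTi records the source
# address in list AUTHi and is dropped (the knock itself is never answered);
# any other packet in stage i>1 clears AUTH(i-1) and falls back to stage 1, so
# knocking out of order restarts the sequence. KNOCKING dispatches on the most
# advanced mark that is still inside its time window.
knock_rules() {
    n=$#
    $IPT -N KNOCKING
    $IPT -N PASSED
    i=1
    for p in "$@"; do
        $IPT -N "GATE$i"
        if [ "$i" -gt 1 ]; then
            $IPT -A "GATE$i" -m recent --name "AUTH$((i-1))" --remove
        fi
        $IPT -A "GATE$i" -p tcp --dport "$p" -m recent --name "AUTH$i" --set -j DROP
        if [ "$i" -eq 1 ]; then
            $IPT -A GATE1 -j DROP            # nothing else is reachable
        else
            $IPT -A "GATE$i" -j GATE1        # wrong knock: start over
        fi
        i=$((i+1))
    done
    # Completed sequence: one packet to the protected port is accepted and the
    # mark is consumed; conntrack keeps the resulting session alive.
    $IPT -A PASSED -m recent --name "AUTH$n" --remove
    $IPT -A PASSED -p tcp --dport "$PROTECTED_PORT" -j ACCEPT
    $IPT -A PASSED -j GATE1
    $IPT -A KNOCKING -m recent --rcheck --seconds "$OPEN_WINDOW" --name "AUTH$n" -j PASSED
    i=$((n-1))
    while [ "$i" -ge 1 ]; do
        $IPT -A KNOCKING -m recent --rcheck --seconds "$KNOCK_WINDOW" --name "AUTH$i" -j "GATE$((i+1))"
        i=$((i-1))
    done
    $IPT -A KNOCKING -j GATE1
}

# Wire it into INPUT: loopback and existing sessions first, everything else
# goes through the knock state machine.
install_knocking() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    knock_rules "$@"
    $IPT -A INPUT -j KNOCKING
}

if [ "${1:-}" = install ]; then
    shift
    install_knocking "$@"
fi
```

Load with `sh knock.sh install 7000 8000 9000`, then knock from the client with `for p in 7000 8000 9000; do nc -z -w 1 host $p; done; ssh host` (each knock times out after a second because the knock packet is dropped, never answered). The sequence is an obscurity measure, not authentication: anyone who observes the three SYNs on the wire can replay them, which is why combining it with a source-address restriction, where you have a fixed address, is worth the extra rule.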
  • sandro, Member
    edited October 2017

    @WSS said:
    You can add/modify your SSH key under your user settings to the top right after logging into OpenNebula.

    If you don't rely on SSH keys for authentication, well, that's on you.

    I do use it, but if the SSH server goes down for some reason (which is what happened to me), what does it change which authentication I use?
    Anyway I don't like Nebula, is it less expensive than SolusVM maybe?

  • WSS, Member

    I don't like Nebula, either. It starts as free, but it's less of a security/admin nightmare than Solus.

    If your ssh magically changes and doesn't allow keyauth, well, you've got a bigger problem than your login.

    Thanked by 1ucxo
  • @emg said:

    As you point out, most providers offer a backchannel "secure" console to access your VPS, but the nature of your VPS prevents that.

    Are you sure about that? I have inceptionhosting VPSes and they offer serial console access AFAIK...
    Anyway, if there's a connection problem with the VPS the serial console can give you access, right? Without it you're screwed, correct?

  • WSS, Member

    There is no "serial console" for an OpenVZ instance. You just vzctl into it.

  • Riz, Member

    All of the solutions so far appear to be external facing. How about this logic?

    Crontab to redirect a terminal connection over TCP. Use netcat to listen on the client side.

  • WSS, Member

    ..assuming that your client has a static address, you could just use tcpwrappers and bind telnetd. :P

    It's not much worse than other suggestions already made.

  • Here's one: go to a nat vps host that has a CP

    Thanked by 1sandro
  • Riz, Member

    @WSS said:
    ..assuming that your client has a static address, you could just use tcpwrappers and bind telnetd. :P

    It's not much worse than other suggestions already made.

    The joys of this industry and all of the possible solutions.

  • @raindog308 said:

    That can be cron...when I test new iptables rules, I often put in an 5 minute at(1) job to run iptables -F in case I've screwed something up.

    Don't forget to set the defaults to accept before doing that, otherwise it's more like iptables -F followed by oh crap.
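
raindog308's timed at(1) rollback, with the default-policy caveat from the reply above folded in and the "whitelist a trusted IP" suggestion made earlier in the thread added on top, as an added example. This is not any poster's script: it assumes root, iptables with iptables-save/iptables-restore, and at(1), and the variable names (TRUSTED_IP, GRACE, SNAPSHOT) and the rollback layout are this example's own. Set IPT=echo to see the generated commands without touching the firewall.

```shell
#!/bin/sh
# Apply a new iptables ruleset with a timed rollback. Added as an example for
# this thread, not any poster's script. Assumes root, iptables with
# iptables-save/iptables-restore, and at(1). TRUSTED_IP, GRACE, SNAPSHOT and
# the rollback layout are this example's own choices.
set -eu

IPT=${IPT:-iptables}                 # IPT=echo prints commands instead of running them
GRACE=${GRACE:-5}                    # minutes until the rollback fires
TRUSTED_IP=${TRUSTED_IP:-}           # optional address that must always reach sshd
SNAPSHOT=${SNAPSHOT:-/root/iptables.last-good}

# Emit the rollback. Policies return to ACCEPT *before* the flush: a bare
# "iptables -F" under a DROP policy leaves no rules and no way in, which is
# exactly the lock-out the rollback exists to undo. Restoring the snapshot
# last puts the previous working rules back; if the snapshot turns out to be
# unusable, the host is at least reachable.
rollback_script() {
    printf '%s\n' \
        "$IPT -P INPUT ACCEPT" \
        "$IPT -P FORWARD ACCEPT" \
        "$IPT -P OUTPUT ACCEPT" \
        "$IPT -F" \
        "$IPT -X" \
        "iptables-restore < $SNAPSHOT"
}

# Rule inserted at position 1 of INPUT so the trusted address reaches sshd
# regardless of what the new ruleset does further down the chain.
whitelist_rule() {
    printf '%s\n' "$IPT -I INPUT 1 -s $1 -p tcp --dport ${2:-22} -j ACCEPT"
}

# Snapshot the working rules, arm the rollback, then load the new ruleset
# (iptables-save format). Cancel the at(1) job with atrm only after a *fresh*
# SSH login, not an existing session, has succeeded.
apply_with_rollback() {
    rules=$1
    iptables-save > "$SNAPSHOT"
    rollback_script | at "now + $GRACE minutes"
    iptables-restore < "$rules"
    if [ -n "$TRUSTED_IP" ]; then
        eval "$(whitelist_rule "$TRUSTED_IP")"
    fi
    echo "loaded $rules; rollback fires in $GRACE min unless you run: atq && atrm <job>"
}

if [ $# -gt 0 ]; then
    apply_with_rollback "$1"
fi
```

Usage: `TRUSTED_IP=203.0.113.5 sh apply-rules.sh /etc/iptables/rules.v4`, open a new SSH session from elsewhere, and only then `atrm` the job. Because the rollback goes through at(1) rather than cron, nothing is left behind once it is cancelled, which avoids the "why don't my changes stick a year later" trap described later in the thread.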

  • You can do many things to achieve that.
    One idea is installing Shellinabox.

    Another idea is using Incron - a package that can trigger commands on file/directory changes. If you're using a webserver, for example, you can program Incron to execute your rescue script whenever you upload a text file with a secret string in it.

  • sandro, Member
    edited October 2017

    @FoxelVox said:
    Here's one: go to a nat vps host that has a CP

    Probably the best also because if something is wrong with the connection to the world or errors at startup without a "recovery" access you can't do anything. Correct me if I'm wrong.

  • WSS, Member

    @sandro said:

    @FoxelVox said:
    Here's one: go to a nat vps host that has a CP

    Probably the best also because if something is wrong with the connection to the world or errors at startup without a "recovery" access you can't do anything. Correct me if I'm wrong.

    That depends on just what you are implying. The host forwards X ports to your private IP. If you break that, you can't get in without using a console- like any non-NAT host.

  • SkillBlade, Member
    edited October 2017

    You could use a 'trusted' IP address: this could be a static, unchanging IP, or your own private VPN you have on an external server. Then you could use that specific IP to connect to a secret web page or a combination of server ports (i.e. port knocking) to trigger a script that will drop firewall rules.

    I would only recommend this if you have the means to limit your IP address to one you can control (don't open up your disabling rules to everywhere, otherwise any malicious party would be able to keep disabling your firewall).
