By the way, here is what happened just before I got locked out:

dcooper8@payments:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  61.177.172.160       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  static.vnpt.vn       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.92.0.108         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  128.199.62.188       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  137.184.54.207       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  43.129.50.62         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  104.131.12.184       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  41.63.9.36           anywhere             reject-with icmp-port-unreachable
REJECT     all  --  localhost            anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
dcooper8@payments:~$ sudo nft list tables
table inet firewall
table ip filter
dcooper8@payments:~$ sudo ufw status
Status: inactive
dcooper8@payments:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore v1.8.7 (nf_tables): unknown option "--icmp-type"
Error occurred at line: 34
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ip6tables-restore v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Error occurred at line: 36
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/before6.rules'

dcooper8@payments:~$

On Wed, Jul 12, 2023 at 5:42 PM Dave Cooper <david.cooper@genworks.com> wrote:

Erik et al,

I have managed to lock myself out of the payments host. I attempted to install ufw as a simpler interface on top of iptables and/or nftables, but after a failed attempt at the ufw installation, I'm not able to get in at all.

Erik: Sorry to have to ask you this, especially in the middle of mailman migration, but I think you're the only one who maybe has access to a virtual console to the VM through Hetzner. Could you have a look at the machine (payments.common-lisp.net) and see about opening up the firewall for ssh on the standard port (I think I'm still running sshd on 22 on there)?

If the VM needs to be wiped and reinstalled (hopefully not) then it won't be the end of the world - I can certainly reinstall the payments application -- but there are some log files on there which I would very much like to get off the machine if possible (all under ~dcooper8/ -- transaction logs for donations and print sales etc).

Sorry again..

 Dave


--
My Best,

Dave Cooper, david.cooper@genworks.com
genworks.com, gendl.org
+1 248-330-2979


