Erik et al,
I have managed to lock myself out of the payments host. I attempted to install ufw as a simpler interface on top of iptables and/or nftables, but after a failed attempt at the ufw installation, I'm not able to get in at all.
Erik: Sorry to have to ask you this especially in the middle of Mailman migration, but I think you're the only one who maybe has access to a virtual console to the VM through Hetzner. Could you have a look at the machine (payments.common-lisp.net) and see about opening up firewall for ssh on the standard port (I think I'm still running sshd on 22 on there).
If the VM needs to be wiped and reinstalled (hopefully not) then it won't be the end of the world - I can certainly reinstall the payments application -- but there are some log files on there which I would very much like to get off the machine if possible (all under ~dcooper8/ -- transaction logs for donations and print sales etc).
Sorry again..
Dave
By the way, here is what happened just before I got locked out:
dcooper8@payments:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  61.177.172.160       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  static.vnpt.vn       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  218.92.0.108         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  128.199.62.188       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  137.184.54.207       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  43.129.50.62         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  104.131.12.184       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  41.63.9.36           anywhere             reject-with icmp-port-unreachable
REJECT     all  --  localhost            anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
dcooper8@payments:~$ sudo nft list tables
table inet firewall
table ip filter
dcooper8@payments:~$ sudo ufw status
Status: inactive
dcooper8@payments:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore v1.8.7 (nf_tables): unknown option "--icmp-type"
Error occurred at line: 34
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ip6tables-restore v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Error occurred at line: 36
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/before6.rules'

dcooper8@payments:~$
On Wed, Jul 12, 2023 at 5:42 PM Dave Cooper <david.cooper@genworks.com> wrote:
> Erik et al,
> I have managed to lock myself out of the payments host. I attempted to install ufw as a simpler interface on top of iptables and/or nftables, but after a failed attempt at the ufw installation, I'm not able to get in at all.
> Erik: Sorry to have to ask you this especially in the middle of Mailman migration, but I think you're the only one who maybe has access to a virtual console to the VM through Hetzner. Could you have a look at the machine (payments.common-lisp.net) and see about opening up firewall for ssh on the standard port (I think I'm still running sshd on 22 on there).
> If the VM needs to be wiped and reinstalled (hopefully not) then it won't be the end of the world - I can certainly reinstall the payments application -- but there are some log files on there which I would very much like to get off the machine if possible (all under ~dcooper8/ -- transaction logs for donations and print sales etc).
> Sorry again..
> Dave
--
My Best,
Dave Cooper, david.cooper@genworks.com
genworks.com, gendl.org
+1 248-330-2979