Recovering when you have accidentally blocked SSH connections

If you are using a third-party control panel to manage your servers, there is likely a configuration option to set firewall rules. If you accidentally remove port 22 from the allowlist, your server becomes unmanageable over SSH. To prepare for this, here is what you should do beforehand.

Assuming you are not yet locked out of your server and can still open an SSH connection, here is what you can do. Otherwise, skip ahead to the section for when you are already locked out.

How to get locked out of your own instances 🤣

Set up a user with sudo access 👨‍💼

The first step is to create a new user. Replace newuser with your preferred username.

$ adduser newuser

Next, add the user to the sudo group to allow administrative access.

$ usermod -aG sudo newuser

So, if you accidentally remove SSH from the firewall allowlist, you can connect to your server through the provider console, log in as this user, and add the SSH port (22) back to the firewall allowlist.

$ sudo ufw allow 22/tcp

Most cloud providers allow an instance to be accessed via a console. I can independently confirm that AWS EC2 and IPServerOne Nova Cloud are able to access an instance via console.

Access via console means the connection to the terminal is not made over port 22. Instead, it is roughly like connecting to the server physically with a serial cable, so it is unaffected by the host firewall.

Anybody with physical or virtual access to the server console can attempt to brute-force the login, so be sure to set a strong password!

You are already locked out of SSH. What to do? 🤔

Here are the steps:

  1. Detach the storage from the server
  2. Attach the storage to a new recovery instance
  3. Mount it and add a rule to allow SSH in the firewall configuration
  4. Detach the storage from the recovery instance
  5. Attach the storage back to the original server

Add a rule to allow SSH in the firewall configuration

Note: “...” marks existing content of the file that has been truncated here.

File location: /mnt/<mount>/etc/ufw/user.rules

...
### RULES ###
...
### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -j ACCEPT
### END RULES ###

After adding this, the server will allow incoming SSH connections once the volume is reattached and the server boots, because ufw loads these rules at startup.
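The edit above done as a script, as an added example that is not part of the original post: it inserts exactly the three lines that ufw allow 22 would write into a copy of user.rules on the mounted volume, refuses to touch a file without the END RULES marker, and is safe to run twice. The mount point /mnt/recovery and the minimal rules file used for the dry run are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: add the "allow 22" ufw rule to a
# copy of /etc/ufw/user.rules on a mounted recovery volume. The $MNT path and
# the sample rules file below are assumptions / constructed for a dry run.
set -eu

# add_ssh_rule FILE [ADDR]: insert the tuple and iptables lines that
# "ufw allow 22" would write, just before "### END RULES ###". Idempotent.
# ADDR is the wildcard ufw uses for the address family: 0.0.0.0/0 in
# user.rules, ::/0 in user6.rules.
add_ssh_rule() {
    file=$1
    addr=${2:-0.0.0.0/0}
    if grep -q -- '-A ufw-user-input -p tcp --dport 22 -j ACCEPT' "$file"; then
        echo "port 22 rule already present in $file"
        return 0
    fi
    if ! grep -q '^### END RULES ###' "$file"; then
        echo "no '### END RULES ###' marker in $file, refusing to edit" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v addr="$addr" '
        /^### END RULES ###/ {
            print "### tuple ### allow any 22 " addr " any " addr " in"
            print "-A ufw-user-input -p tcp --dport 22 -j ACCEPT"
            print "-A ufw-user-input -p udp --dport 22 -j ACCEPT"
            print ""
        }
        { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
    echo "added port 22 rule to $file"
}

# count_ssh_accepts FILE: how many ACCEPT lines for port 22 the file contains.
count_ssh_accepts() {
    grep -c -- '--dport 22 -j ACCEPT' "$1" || true
}

# Dry run on a constructed minimal user.rules (not a real server's file).
demo=$(mktemp -d)
printf '*filter\n:ufw-user-input - [0:0]\n### RULES ###\n\n### END RULES ###\nCOMMIT\n' > "$demo/user.rules"
add_ssh_rule "$demo/user.rules"
add_ssh_rule "$demo/user.rules"   # second call reports the rule is already there
echo "ACCEPT lines for port 22: $(count_ssh_accepts "$demo/user.rules")"

# On the recovery instance (assumed mount point), fix both address families:
#   MNT=/mnt/recovery
#   add_ssh_rule "$MNT/etc/ufw/user.rules"
#   add_ssh_rule "$MNT/etc/ufw/user6.rules" ::/0
```

Run it as root on the recovery instance after mounting the volume; the IPv6 file user6.rules needs the same edit with ::/0 or IPv6 clients stay blocked.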

You need to detach the volume from the original server and attach it to the recovery instance. Then mount it and modify the Ubuntu ufw rules as shown above to add SSH (port 22) to the allowlist 😇

Alternatively, you can also disable Uncomplicated Firewall (ufw) on the mounted volume first and, once you are back in, run the ufw allow 22/tcp command.

There is nothing to worry about when you accidentally block SSH. There is always a way to recover access. 😉