8

When you are configuring iptables or SSH over SSH and the data center is thousands of kilometers away (and getting someone there to plug in a KVM is hard), what are some standard practices to prevent locking yourself out?

user36976
  • 189

3 Answers

18

There was a similar question Configure iptables over SSH without getting locked out?

Here are the tips I gave in the previous question:

1) I back up the old iptables configuration file:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak

2) Before trying the new settings, execute this command to make sure you can connect back if something in the new settings locks you out (basically it restores the old rules after 5 minutes):

echo "mv /etc/sysconfig/iptables.bak /etc/sysconfig/iptables && service iptables restart" | at now + 5min

3) Now you can safely modify iptables rules. If something goes bad you can connect back within 5 minutes.

shardan
  • 331
1

If you need to modify the SSH config, e.g., in /etc/ssh/sshd_config: leave a session open in another terminal. This will usually stay open, but of course you can use a similar trick as in @shardan's post for the SSH config as well.

Sven
  • 100,763
0

Another way to ensure you have access is to use the -R flag of ssh on the remote server:

/usr/bin/ssh -R 55555:localhost:22 user@your.otherserver.com

From your.otherserver.com you can now log into the remote machine using:

ssh localhost -p 55555

To ensure that I'm not locked out for more than 5 minutes I run a cron job that runs the following shell script on the remote server:

#!/bin/sh
# Look for an already-running reverse tunnel. The [s] in the pattern keeps
# grep from matching its own command line, which would otherwise make the
# check always succeed.
GREPSSH=$(ps ax | grep '[s]erverkey' | awk '{print $1}')
if [ -z "$GREPSSH" ]
then
    echo "no sshlink"
    /usr/bin/ssh -nNT -i ~/.ssh/serverkey -R 55555:localhost:22 -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes user@your.otherserver.com &
else
    echo "$GREPSSH"
    exit 1
fi

This script:

  • checks if the outbound ssh is running
  • if not, it starts it with various options (-nNT and -o) and the -R for port forwarding to the remote server
  • uses an ssh identity key (-i) to allow login without a password to your.otherserver.com

I have found this is a useful tool for getting back into remote machines :~)

fcbsd
  • 144
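The key in ~/.ssh/serverkey is a standing credential on your.otherserver.com held by the remote machine, so it is worth limiting what it can do there. As an added example (not part of the answer above), the matching line in ~/.ssh/authorized_keys on your.otherserver.com can restrict the key to the one reverse forward the script needs; this assumes OpenSSH 7.8 or newer for permitlisten, and the key material and comment are placeholders:

```text
restrict,port-forwarding,permitlisten="55555" ssh-ed25519 AAAA...base64-public-key... tunnel-from-remote-host
```

`restrict` turns off pty allocation, agent and X11 forwarding and the rc file; `port-forwarding` re-enables forwarding, and `permitlisten` narrows it to listening on port 55555, so a compromise of the remote box gives an attacker the tunnel and nothing more on the relay.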