[SOLVED] SSH connection refused after log in dynamic portal


Postby vapiano » Tue Feb 21, 2023 6:16 pm

VERSION: 2.14-678c
BUILD: 230131-0826
Asterisk 13.38.3-vici
Cloud VPS, 4 vCPU Cores, 8 GB RAM, 200 GB SSD
ViciBox_v10.x86_64 10.0.1.iso

Hi,

After logging in to the dynamic portal I don't have any access to the server with PuTTY anymore (with VNC Viewer it is still working). The only solution then is to change my IP address (for example with a VPN) or to stop firewalld.

How can I fix this?



Last edited by vapiano on Fri Sep 01, 2023 2:51 pm, edited 2 times in total.
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Wed Feb 22, 2023 6:04 pm

I made a db-only backup and restored it on a new VPS. On the old server I had made some changes in system/server/firewall settings and messed it up. On my new VPS I don't have any problems with being blocked anymore.
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Thu Aug 31, 2023 10:46 am

UPDATE Aug 31, 2023:

ViciBox v.10.0.2
VERSION: 2.14-679c
BUILD: 230220-1802
Asterisk 13.38.3-vici
Cloud VPS, CPU 6 cores, 16GB RAM, Disk 200 GB NVMe

On my second server, I again changed the port from 22 to another port for security reasons.

Again, I have the problem that an SSH connection to my server is not possible.

Let me explain what the exact issue is:

With all IPs that are in the dynamic list, I cannot access my server via SSH. After deleting an IP from the dynamic list by doing
Code: Select all
DELETE FROM vicidial_user_log WHERE computer_ip = "MyIpAddress";
it is again possible to log in to my server via SSH. Another workaround is to change my IP with a VPN.

I don't get why it is not possible to log in to my server when the IP is in the dynamic list.

I did not have this issue when the port was 22. I only face this issue when changing the port.

Maybe there is a bug in the VB-Firewall.pl script. On the other hand, if there was a bug I would not be the only person who faces this issue.

Any ideas?
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Thu Aug 31, 2023 10:48 am

You need to open the new port in the firewall
Alma Linux 9.3 | Version: 2.14-911a | SVN Version: 3815 | DB Schema Version: 1710 | Asterisk 18.18.1
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WhatsApp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Thu Aug 31, 2023 11:02 am

carpenox wrote:You need to open the new port in the firewall


I think it is open. What I did was:

Code: Select all
sudo firewall-cmd --permanent --add-port=44423/tcp


Now it looks like this:

Code: Select all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: rtp ssh viciportal viciportal-ssl
  ports: 22/tcp 44423/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
   rule family="ipv4" source ipset="whiteips" service name="apache2" accept
   rule family="ipv4" source ipset="dynamiclist" service name="apache2-ssl" accept
   rule family="ipv4" source ipset="whiteips" service name="apache2-ssl" accept
   rule family="ipv4" source ipset="dynamiclist" service name="apache2" accept
   rule family="ipv4" source ipset="whitenets" service name="apache2-ssl" accept
   rule family="ipv4" source ipset="dynamiclist" service name="asterisk" accept
   rule family="ipv4" source ipset="whitenets" service name="asterisk" accept
   rule family="ipv4" source ipset="whiteips" service name="asterisk" accept
   rule family="ipv4" source ipset="whitenets" service name="apache2" accept


In addition, I have uncommented the default port 22 in the sshd_config file and updated it to the new port.
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Thu Aug 31, 2023 2:20 pm

You should be good to go
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Thu Aug 31, 2023 2:42 pm

carpenox wrote:You should be good to go


Unfortunately it's not working.

Just to clarify: I can access my server via SSH. But not when I am using an IP which is in the dynamic list. When changing my port back to 22, everything works fine again. But with the new port I have this issue. It is like all IPs in the dynamic list get banned from server access.
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Thu Aug 31, 2023 6:11 pm

Show me your crontab entry for the vb firewall please
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Thu Aug 31, 2023 6:46 pm

carpenox wrote:Show me your crontab entry for the vb firewall please


Code: Select all
### Renew SSL certificate every two months (Feb, Apr, Jun...)
0 0 1 */2 * /root/.acme.sh/acme.sh --renew-all --force

* * * * * /usr/share/astguiclient/AST_vm_update.pl

* * * * * /usr/share/astguiclient/AST_conf_update.pl

2 1 * * * /usr/share/astguiclient/AST_reset_mysql_vars.pl

@reboot /usr/bin/VB-firewall --white --dynamic --quiet
* * * * * /usr/bin/VB-firewall --white --dynamic --quiet
#@reboot /usr/share/astguiclient/AST_update.pl

### keepalive script for astguiclient processes
* * * * * /usr/share/astguiclient/ADMIN_keepalive_ALL.pl

### updater for VICIDIAL hopper
* * * * * /usr/share/astguiclient/AST_VDhopper.pl -q

### daily backup of asterisk database
0 3 * * * sh /root/dbbackup/daily_db_backup.sh

### daily backup of all databases
0 4 * * * sh /root/dbbackup/all-databases-backup.sh
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Thu Aug 31, 2023 7:44 pm

There's nothing that says VB-firewall?
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: SSH connection refused after logging in dynamic portal

Postby striker » Fri Sep 01, 2023 12:39 am

It seems 44423 is open to the public and should not be restricted by dynamic list IPs.

Check if you are listed in the dynamic ipset list: ipset --list

also try this
vi /etc/firewalld/zones/public.xml

add the below line before the last line
<rule family="ipv4">
<source ipset="dynamiclist"/>
<port protocol="tcp" port="44423"/>
<accept/>
</rule>

save and reload the firewalld and test.
www.striker24x7.com www.youtube.com/c/striker24x7 Telegram/skype id : striker24x7
striker
 
Posts: 962
Joined: Sun Jun 06, 2010 10:25 am

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Fri Sep 01, 2023 2:33 am

carpenox wrote:There's nothing that says VB-firewall?


VB-firewall is in these two lines of the crontab:

Code: Select all
@reboot /usr/bin/VB-firewall --white --dynamic --quiet
* * * * * /usr/bin/VB-firewall --white --dynamic --quiet



striker wrote:Check if you are listed in the dynamic ipset list: ipset --list


All my IPs which I have validated are in the dynamic list.

Code: Select all
Name: blackips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 262144
Size in memory: 200
References: 0
Number of entries: 0
Members:

Name: blacknets
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 0
Number of entries: 0
Members:

Name: dynamiclist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 262144
Size in memory: 1304
References: 0
Number of entries: 23
Members:
78.50.XXXX
45.141.XXXXX
78.50.XXXXX
77.0.XXXXX
193.XXXXX
77.XXXXX
45.XXXXX
77.XXXXX
45.XXXXX
84.XXXXX
77.XXXXX
217.XXXXX
78.XXXXX
77.XXXXX
194.XXXXX
77.XXXXX
152.XXXXX
95.XXXXX
46.XXXXX
37.XXXXX
45.XXXX
185.XXXXX
77.XXXXX

Name: geoblock
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 0
Number of entries: 0
Members:

Name: voipblip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 262144
Size in memory: 200
References: 0
Number of entries: 0
Members:

Name: voipblnet
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 0
Number of entries: 0
Members:

Name: whiteips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 262144
Size in memory: 248
References: 0
Number of entries: 0
Members:

Name: whitenets
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 0
Number of entries: 0
Members:


striker wrote:also try this
vi /etc/firewalld/zones/public.xml

add the below line before the last line
<rule family="ipv4">
<source ipset="dynamiclist"/>
<port protocol="tcp" port="44423"/>
<accept/>
</rule>

save and reload the firewalld and test.


No success.

Code: Select all
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="rtp"/>
  <service name="viciportal"/>
  <service name="viciportal-ssl"/>
  <port port="22" protocol="tcp"/>
  <port port="44423" protocol="tcp"/>
  <rule family="ipv4">
    <source ipset="whiteips"/>
    <service name="apache2"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="whitenets"/>
    <service name="apache2"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="dynamiclist"/>
    <service name="apache2"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="whiteips"/>
    <service name="apache2-ssl"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="whitenets"/>
    <service name="apache2-ssl"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="dynamiclist"/>
    <service name="apache2-ssl"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="whiteips"/>
    <service name="asterisk"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="whitenets"/>
    <service name="asterisk"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source ipset="dynamiclist"/>
    <service name="asterisk"/>
    <accept/>
  </rule>
  <interface name="eth0"/>
  <rule family="ipv4">
   <source ipset="dynamiclist"/>
   <port protocol="tcp" port="44423"/>
   <accept/>
  </rule>
</zone>




The steps I took were:

1. I went to Mac Terminal for logging to server:
Code: Select all
ssh -p 44423 user@serverip


2. I made the change you said.
3. Then firewall-cmd --reload and systemctl restart firewalld
4. Exit Terminal
5. Validate my IP in https://serverip:446/valid8.php
6. Wait till connection with https://serverip/agc/vicidial.php was possible
7. Go back to terminal for logging again to server
8. And again this error comes
Code: Select all
ssh -p 44423 user@serverip
ssh: connect to host serverip port 44423: Connection refused


Now, there are three ways for me to login to server:

1. Using a VPN
2. When I stop firewalld, server login is working, also with the "banned" IPs from dynamic list
3. When I delete the validated IP from the dynamic list, the server login with this "banned" ip is possible again.
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Fri Sep 01, 2023 5:20 am

carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Fri Sep 01, 2023 6:21 am



I followed the steps.

Before:
Code: Select all
$IPBLACK='blackips';
(not $IPBLACK=’blacknets’ as it was before in your tutorial)

Changed to:
Code: Select all
$IPBLACK='dynamiclist';


After system reboot it worked for a minute. But now it's not working again. Same issue. I think it just worked for a minute because the firewall was not opened.

Should I keep your settings or go back?
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Fri Sep 01, 2023 11:47 am

Your server is processing the black list rather than the white, hit me up on Skype and I'll fix it for you real quick
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: SSH connection refused after logging in dynamic portal

Postby carpenox » Fri Sep 01, 2023 2:46 pm

Just to update this post, it turned out the internal zone had dynamiclist bound to it which conflicted with trusted zone. This made it where trusted zone wasn't being loaded. Once I removed it from internal, everything worked like a charm.
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL
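
An added example, not part of the thread or of ViciBox's own tooling: firewalld selects a zone by source binding before interface binding, so an address in an ipset that is bound to a zone is filtered by that zone's rules. The function below reads `firewall-cmd --list-all-zones` output and reports ipset-bound zones that do not open a given port; the function names and the sample zone listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use: firewall-cmd --list-all-zones | zones_missing_port 44423/tcp
# Only explicit "ports:" entries are checked; a port opened through a service
# definition or a rich rule in that zone is not detected.

zones_missing_port() {
    awk -v want="$1" '
        function report() {
            # A zone with target ACCEPT passes everything, so it cannot hide the port.
            if (zone != "" && ipsets != "" && target != "ACCEPT" && !allowed)
                print zone ": " ipsets
            zone = ""; ipsets = ""; target = ""; allowed = 0
        }
        /^[^ \t]/        { report(); zone = $1; next }   # "internal (active)"
        $1 == "target:"  { target = $2 }
        $1 == "sources:" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^ipset:/)
                    ipsets = ipsets (ipsets == "" ? "" : ",") substr($i, 7)
        }
        $1 == "ports:"   { for (i = 2; i <= NF; i++) if ($i == want) allowed = 1 }
        END              { report() }
    '
}

# Constructed sample in the format printed by `firewall-cmd --list-all-zones`.
sample_zones() {
    cat <<'EOF'
internal (active)
  target: default
  sources: ipset:dynamiclist
  services: dhcpv6-client mdns samba-client ssh
  ports:

public (active)
  target: default
  interfaces: eth0
  sources:
  services: rtp ssh viciportal viciportal-ssl
  ports: 22/tcp 44423/tcp

trusted (active)
  target: ACCEPT
  sources: ipset:whiteips
  ports:
EOF
}

sample_zones | zones_missing_port 44423/tcp
```

For each zone it reports, `firewall-cmd --zone=<zone> --list-all` shows what that zone actually permits for the addresses in the listed ipset.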

Re: SSH connection refused after logging in dynamic portal

Postby vapiano » Fri Sep 01, 2023 2:49 pm

carpenox wrote:Your server is processing the black list rather than the white, hit me up on Skype and I'll fix it for you real quick


Big big thanks to you. He was able to solve it after I faced this issue for about six months. Big thanks to carpenox!!!!

Best man!!!
vapiano
 
Posts: 35
Joined: Tue Jun 21, 2022 2:17 pm

Re: [SOLVED] SSH connection refused after log in dynamic por

Postby carpenox » Fri Sep 01, 2023 5:58 pm

My pleasure, thanks for the review
carpenox
 
Posts: 2230
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

