Locked out of DreamCompute instance, laughing at my own ignorance

#1

I’ve set up and deleted several instances with DreamCompute, getting my feet wet, and learning how much I don’t know about the latest available software like apt-get, apache2, and vsftpd. It’s a slow learning experience but not painful.

The only bit of pain occurred a couple days ago when I must have changed something in the firewall that blocked external access via SSH and SFTP. With no password on the default user “ubuntu” (using keys for secure access), no password for root, and no other users, there wasn’t a way to get into the OS to fix the problem. I did try to get in through the DC/OpenStack “Console” option, but the password for user ubuntu was unknown and the QEMU (browser-based emulator) doesn’t use keys like other application-based SSH.

Support recommended alternatives to accessing the file system for some surgery, but this was a test instance (albeit with a lot of stuff installed), and not worth the heroic effort, so RIP, I deleted the whole instance in a sort of laughing rage quit.

For my next instance, I’m going to create a new user to get in, just in case I do again whatever it was that I did before. Is that OK for security?

I read everywhere about using the OpenStack CLI for more controlled access to the environment. Could the CLI help in a situation like this, to maybe SSH into an instance from within the data center? I’ve been avoiding the CLI as an unnecessary evil so far. :slight_smile:

I read that a generated password for “ubuntu” is displayed during the initial instance creation. I didn’t know to look for that and save the info. I couldn’t find the instance creation in the logs from the dashboard. Is it OK to reset the password on that “magic” user?

Thanks.


#2

Curiosity: do you really need FTP? What does vsftpd offer that cannot be offered by SSH/SFTP?

Argh, that sucks :frowning: I guess a reboot didn’t restore the old firewall rules?

I don’t see why not, as long as you use a good password. Make sure you add that user to sudoers :slight_smile:

The OpenStack CLI is quite powerful and allows you to do things without having to use the web UI. In some instances it’s easier to use, while in others it’s confusing. For example, not all the features you see available there may work.

Where did you read this? DreamCompute doesn’t create a password for the ubuntu user… There are other OpenStack-based clouds that do, so in some cases what you read is correct. But, yes, you can create a password for the ubuntu user yourself.


#3

Actually I do use SFTP/SSH everywhere but out of habit install VSFTPD because I don’t see an FTPD running, and didn’t think to try to FTP in without it. :star_struck:

Argh, that sucks :frowning: I guess a reboot didn’t restore the old firewall rules?

Nopers.

… use a good password. Make sure you add that user to sudoers :slight_smile:

Passwords here are always long n strong, and yes, first thing I did was to set a password on root for use from QEMU, and create a new user/psw in group sudo. Bases covered … I hope.

Where did you read this? DreamCompute doesn’t create a password for the ubuntu user… There are other OpenStack-based clouds that do, so in some cases what you read is correct.

Bingo. I’ve been supplementing my DreamCompute education with general OpenStack docs, some of which are hosted with other providers.

Thanks as always for guiding this process. :blush:


#4

Still on this point of locking myself out, I believe this happened when following a tutorial outside of DC, where this was offered:

sudo ufw app list
sudo ufw allow 'Apache Full'
sudo ufw enable

Did that override the default instance security group settings?

Should we not use ufw? Or rather, if we decide to use ufw, it seems we need to be sure we pre-set our own port 22/SSH access similar to the instance definition so that we don’t lock ourselves out.

To summarize that train of thought … what’s the recommended approach to keeping an instance secure with allow/reject ports and IPs? In my research I stumbled on this other related post in this forum, where @ladymonkey had a somewhat similar level of experience and related issues.


#5

Local firewall and security groups are two very different things. You can think of a security group as a firewall on the router or switch: way before packets get to your machine, they’re allowed or blocked by security groups.

If all you want to do with ufw is allow/deny traffic on specific ports on your host (and you have a simple network configuration for your application, like all-in-one machine WordPress) then I wouldn’t bother with it. Just use security groups to allow traffic only on the ports you need for your application.

For security, I’d spend more time configuring fail2ban and a WAF like mod_security.
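Added example, not from the thread or from DreamHost: the lock-out in post #4 happens because ufw is enabled before any rule allowing SSH exists. This POSIX sh helper refuses to enable ufw unless `ufw show added` lists an SSH allow rule, and the closing comment shows the security-group equivalent from post #5 using the OpenStack CLI. Function names and the sample `ufw show added` output are constructed for illustration.

```shell
#!/bin/sh
# Return 0 if the given `ufw show added` output contains an allow rule for
# SSH: the OpenSSH app profile, port 22 (optionally /tcp), or a
# "from <ip> to any port 22" rule. Anything else (e.g. only 'Apache Full')
# returns 1, which is exactly the state that locked the poster out.
has_ssh_allow() {
    printf '%s\n' "$1" | grep -Eq \
        '^ufw allow (OpenSSH|22(/tcp)?)([[:space:]]|$)|^ufw allow .*port 22([[:space:]]|$)'
}

# Safe ordering: add the SSH rule first, then the application rule, then
# verify before enabling. Run this on the instance itself.
safe_enable_ufw() {
    sudo ufw allow OpenSSH
    sudo ufw allow 'Apache Full'
    if has_ssh_allow "$(sudo ufw show added)"; then
        sudo ufw --force enable
    else
        echo "refusing to enable ufw: no SSH allow rule present" >&2
        return 1
    fi
}

# Constructed sample outputs (not captured from a real host) for an offline check.
SAMPLE_WITH_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 'Apache Full'"

# This mirrors the sequence in post #4: Apache allowed, SSH never allowed.
SAMPLE_WITHOUT_SSH="Added user rules (see 'ufw status' for running firewall):
ufw allow 'Apache Full'"

# Post #5's alternative: skip the host firewall and restrict SSH at the
# security group instead, e.g. (OpenStack CLI, assumed group name "default"):
#   openstack security group rule create --protocol tcp --dst-port 22 \
#       --remote-ip 203.0.113.0/24 default
```

Call `safe_enable_ufw` only on the instance; `has_ssh_allow` can be exercised offline with the two sample strings.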

