SARK Debian Accidental Lockouts

From sailpbx
Revision as of 18:56, 29 April 2017 by Adminwiki (talk | contribs)

SARK V5.0.0 Debian accidental lockouts and how to deal with them

SARK V5 has both strong login security and an onboard firewall. It is possible to lock yourself out of the system in a couple of ways, either because you have mis-set the firewall or because you have lost or forgotten the admin password. Here is a guide to unlocking the system if you should find yourself in one of these situations.

Firewall Lockouts

You've set the firewall in such a way that it no longer allows you access on HTTPS and/or SSH.

HTTPS lockout (SSH still available)

SSH to the box (or you can use WinSCP if you prefer) and find the SARK Shorewall rules in /etc/shorewall/sark_rules:


cat /etc/shorewall/sark_rules 

ACCEPT net:$LAN $FW tcp 5060 - - # TCP SIP
ACCEPT net:$LAN $FW tcp 5061 - - # TCP SIP
ACCEPT net:$LAN $FW tcp 80 - - # HTTP
ACCEPT net:$LAN $FW tcp 22 - - # SSH
ACCEPT net:$LAN $FW udp 123 - - # NTP
ACCEPT net:$LAN $FW tcp 389 - - # LDAP
ACCEPT net:$LAN $FW udp 389 - - # LDAP
ACCEPT net $FW udp 4569 - -  # IAX2
ACCEPT net:$LAN $FW udp 5060 - - 4/min:5 # SIP
ACCEPT net:$LAN $FW udp 10000:20000 - - # RTP

Add back or correct the rules, then either reboot the box or, if you are using SSH, simply restart the firewall with the following command:

shorewall restart
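
A check worth running on the edited file before restarting the firewall or refitting the drive, added here as an example and not part of the SARK documentation: it reads a rules file in the format listed above and prints the management ports that no ACCEPT rule opens towards $FW. The function names, the default ports (SSH on 22, HTTPS on 443) and the demo rules are assumptions made for the illustration.

```shell
#!/bin/sh
# check_mgmt_rules FILE [PORT...]
# Prints every TCP port (default 22 and 443) that no ACCEPT rule in FILE opens
# towards the firewall zone ($FW); returns 0 when all are covered, 1 otherwise.
# Only the columns ACTION SOURCE DEST PROTO DPORT are read. Numeric ports,
# comma lists and lo:hi ranges are understood; service names and the SOURCE
# restriction (e.g. net:$LAN) are not evaluated.
check_mgmt_rules() {
    rules=$1; shift
    [ $# -gt 0 ] || set -- 22 443   # assumption: SSH on 22, HTTPS on 443
    awk -v want="$*" '
        BEGIN { n = split(want, ports, " ") }
        { sub(/#.*/, "") }                        # drop trailing comments
        $1 == "ACCEPT" && $3 == "$FW" && $4 == "tcp" {
            m = split($5, items, ",")
            for (i = 1; i <= m; i++) {
                lo = hi = items[i]
                if (split(items[i], r, ":") == 2) { lo = r[1]; hi = r[2] }
                for (p = 1; p <= n; p++)
                    if (ports[p] + 0 >= lo + 0 && ports[p] + 0 <= hi + 0)
                        covered[ports[p]] = 1
            }
        }
        END {
            for (p = 1; p <= n; p++)
                if (!(ports[p] in covered)) { print ports[p]; missing = 1 }
            exit missing + 0
        }
    ' "$rules"
}

# Demo on a constructed rules file: three lines in the style of the listing
# above, with no rule for tcp 443.
demo() {
    f=$(mktemp)
    printf '%s\n' 'ACCEPT net:$LAN $FW tcp 80 - - # HTTP' \
                  'ACCEPT net:$LAN $FW tcp 22 - - # SSH' \
                  'ACCEPT net:$LAN $FW udp 10000:20000 - - # RTP' > "$f"
    check_mgmt_rules "$f"; rc=$?
    rm -f "$f"
    return $rc
}

demo || echo "the ports listed above are not opened by any ACCEPT rule" >&2
```

On the SARK box, point it at /etc/shorewall/sark_rules; with the drive mounted on another machine, use the same file under the mount point.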

HTTPS AND SSH lockout

This is a more difficult scenario because you cannot get to the box at all. You cannot perform this fix remotely because the drive is going to have to come out and be attached to another computer. If the SARK is a SARK200 you can simply remove the SD Card and slot it into a USB CFcard reader. For conventional drives you will probably need to use a USB SATA caddy of some description. The procedure for accessing the data is different depending upon whether you have a Linux machine available or a Windows box.

Linux procedure

Depending upon your Linux distro you may find the external drive caddy will automount on your box, in which case you can just modify the firewall rules without further ado. If it doesn't automount, then you can use dmesg to see which device Linux has allocated to it and mount the device manually.

dmesg
.
.
.
[18728740.570834] usb-storage 2-1.5:1.0: USB Mass Storage device detected
[18728740.571011] scsi host39: usb-storage 2-1.5:1.0
[18728741.568149] scsi 39:0:0:0: Direct-Access     Generic  STORAGE DEVICE   0819 PQ: 0 ANSI: 6
[18728741.568481] sd 39:0:0:0: Attached scsi generic sg3 type 0
[18728741.711336] sd 39:0:0:0: [sde] 8011776 512-byte logical blocks: (4.10 GB/3.82 GiB)
[18728741.712470] sd 39:0:0:0: [sde] Write Protect is off
[18728741.712472] sd 39:0:0:0: [sde] Mode Sense: 23 00 00 00
[18728741.713592] sd 39:0:0:0: [sde] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[18728741.719012]  sde: sde1 sde2
[18728741.722769] sd 39:0:0:0: [sde] Attached SCSI removable disk
[18728742.010920] usb 2-1.5: reset high-speed USB device number 53 using ehci-pci

In the example above, we can see that Linux has allocated /dev/sde to the attached drive. We want the second partition, so we will mount sde2.

mount /dev/sde2 /media/image
ls /media/image/
bin   dev  home  lost+found  mnt  proc	run   selinux  sys	 tmp  var
boot  etc  lib	 media	     opt  root	sbin  srv      tftpboot  usr

...and now we can go ahead and make the changes to the firewall as we did in the first example. Once saved, reinstall the drive into the SARK box and reboot it.

Windows procedure

We used Windows 10 in the example below but any modern Windows release should be OK. Now, out of the box, Windows cannot read a Linux filesystem. However, there is a free tool for Windows which does it pretty well. It is called ext2fsd. You can download it from their website at http://www.ext2fsd.com/?page_id=2. We make no representation for this tool and cannot guarantee its fitness for purpose except insofar as to say it worked for us.

Download ext2fsd and install it. Plug in your external drive and start ext2fsd. You will see a screen like this:


[Screenshot: Ex2hd shot1.png]

Press return and ext2fsd will automatically map the Linux partitions to your drives and allow you to navigate the Linux system.


[Screenshot: Ex2hd shot3.png]

Now you can open the firewall rules file and make your changes. You may find that Notepad does not open the file properly and you need to use WordPad or some other text editor.

Password Lockouts

Password lockouts require a different procedure to reset, but it is broadly similar to a complete firewall lockout. The disk has to be removed and mounted on another computer. SARK passwords are one-way encrypted and cannot be recovered. However, the database can be reset to the factory password of 'sarkadmin'. To do this we need to delete and re-create the admin user entry in the database table called 'user'. SARK uses the popular SQLite3 database to store its metadata, so you will need a method of accessing SQLite3 databases.

Linux procedure

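There is a good chance your Linux distro will already have SQLite3 installed. If it doesn't, you will need to install it. Once that's done you can use the Linux CLI to manage the SQLite3 database. Fire up SQLite3 with the SARK db. With the SARK disk mounted on another machine, the file sits under the mount point, for example /media/image/opt/sark/db/sark.db if you mounted it at /media/image as in the firewall procedure.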

sqlite3 /opt/sark/db/sark.db

Now, run the following commands at the SQLite3 prompt

DELETE FROM user WHERE pkey='admin';
INSERT INTO user(id,pkey,email,password,salt) VALUES ('1','admin','admin@yourco.com','f9d00b85a314b0ea492159a475a8e9301c9ac579759043ba902f445eb629ad6e','4b78f15c5dbaf8ac');
.exit